Info Stealer Vidar TrojanSpy Analysis

When I first got this malware sample, I thought this was a new variant of Azorult because the strings and some of the code are really the same, but this malware has some features that Azorult does not, and vice versa. This malware family is known as VIDAR; it tries to steal sensitive information about the machine, browsers, bitcoin wallets, etc.

Kill Switch:

The first part of this malware is a kill switch: it exits if the LocaleName is one of the following:
ru-RU - Russian
be-BY - Belarusian
uz-UZ - Uzbekistan
kk-KZ - Kazakhstan
az-AZ - Azerbaijan
Resource: http://www.lingoes.net/en/translator/langcode.htm

If the LocaleName is not in that list, it creates a mutex whose name is derived from the HardwareGUID and MachineGUID of the infected machine.

figure 1: the kill switch

Other Behavior:

It then initializes a set of strings and commands that can be used as IOCs for this malware.

figure 2: part of string initialization
Then it generates a random folder name in the %programdata% directory and creates a “files” folder inside it that will hold all the information it collects from the infected machine.

figure 3: the generated folder for the stolen information
Then it tries to contact the URL “http://ip-api.com/line/” to retrieve network information about the infected machine and logs it to “information.txt”.

figure 4: retrieving network information
The “files/information.txt” file also contains several other pieces of sensitive information about the infected machine, which will later be sent to its C&C server. The way it collects this data is quite interesting: most of it is read from the registry or obtained through Windows APIs.

figure 5: information.txt
It also has features to steal from some known bitcoin wallets: Ethereum, Electrum, ElectronCash, Exodus, MultiDoge, JAXX.

figure 6: bitcoin wallet parsing
It also performs substring checks in wallet.dat for noteworthy strings.

figure 7: checking substring in wallet.dat
It can also take screenshots of the infected machine.

figure 8: creating screenshots
It also tries to extract credentials from different browsers.

figure 9: parsing credentials in different browsers
For browsers that use an SQL database to save cookies, login information, history, etc., it downloads several DLLs from its C&C server and runs SQL queries to extract that information.

figure 10: nss3.dll for parsing sqlite db of browser
After collecting all the sensitive information, it deletes those DLLs to erase its footprints on the machine.

figure 11: deleting footprints
It also has a function that enumerates the Outlook signatures and looks for a “Password entry”.

Then it sends a POST request to its C&C server containing a zip of all the logs it collected from the infected machine.

Conclusion:  

This malware shows some interesting ways to grab sensitive information from a Windows system, taking advantage of data stored by several browsers and wallets.

IOC :

Sha1: 29818d101ebd8216bcaf627b4a5a0bcb753343ad
Sha256: 076bf8356f73165ba8f3997a7855809f33781639ad02635b3e74c381de9c5e2c

YARA :

import "pe"

rule vidar_win32_unpack {
    meta:
        author = "tcontre"
        description = "detecting vidar unpack malware"
        date = "2019-03-11"
        sha256 = "076bf8356f73165ba8f3997a7855809f33781639ad02635b3e74c381de9c5e2c"

    strings:
        $mz = { 4d 5a }

        $s1 = "SELECT host, name, value FROM moz_cookies" fullword
        $s2 = "Vidar Version:" fullword
        $s3 = "card_number_encrypted FROM credit_cards" fullword

        $c0 = "softokn3.dll" fullword
        $c1 = "nss3.dll" fullword
        $c2 = "mozglue.dll" fullword
        $c3 = "freebl3.dll" fullword

        $code1 = { C6 45 FC 30 E8 ?? ?? ?? ?? 83 78 14 08 C6 45 FC 31 72 02 }

    condition:
        ($mz at 0) and all of ($s*) and 2 of ($c*) and all of ($code*)
}
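As an added example (not from the original post), the following Python reproduces the rule's condition without a YARA engine, so the matching logic can be stepped through: the `??` wildcards in $code1 become single-byte wildcards in a bytes regex, `fullword` is approximated by word-boundary lookarounds, and the sample buffer is a constructed stand-in, not real Vidar bytes.

```python
import re

# Strings and byte pattern copied from the vidar_win32_unpack rule above.
S_STRINGS = [b"SELECT host, name, value FROM moz_cookies",
             b"Vidar Version:",
             b"card_number_encrypted FROM credit_cards"]
C_STRINGS = [b"softokn3.dll", b"nss3.dll", b"mozglue.dll", b"freebl3.dll"]
CODE1 = "C6 45 FC 30 E8 ?? ?? ?? ?? 83 78 14 08 C6 45 FC 31 72 02"


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Turn a YARA-style hex string ('C6 45 ?? 30') into a compiled bytes regex.
    '??' becomes '.' (any single byte, DOTALL so 0x0A matches too);
    every other token is matched literally."""
    parts = []
    for tok in pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def fullword_in(data: bytes, s: bytes) -> bool:
    """Approximate YARA 'fullword': the match must not be bordered by [A-Za-z0-9_]."""
    pat = rb"(?<![A-Za-z0-9_])" + re.escape(s) + rb"(?![A-Za-z0-9_])"
    return re.search(pat, data) is not None


def matches_vidar_rule(data: bytes) -> bool:
    """Same condition as the rule: ($mz at 0) and all of ($s*) and 2 of ($c*)
    and all of ($code*)."""
    if not data.startswith(b"MZ"):               # $mz at 0
        return False
    if not all(fullword_in(data, s) for s in S_STRINGS):   # all of ($s*)
        return False
    if sum(fullword_in(data, c) for c in C_STRINGS) < 2:   # 2 of ($c*)
        return False
    return hex_pattern_to_regex(CODE1).search(data) is not None  # all of ($code*)


# Constructed stand-in for an unpacked sample (NOT real Vidar bytes): an MZ
# header, the three $s strings, two $c strings and one $code1 instance with
# arbitrary bytes in the wildcard positions.
SAMPLE = (b"MZ" + b"\x00" * 14
          + b"SELECT host, name, value FROM moz_cookies\x00"
          + b"Vidar Version:\x00card_number_encrypted FROM credit_cards\x00"
          + b"nss3.dll\x00mozglue.dll\x00"
          + bytes.fromhex("C645FC30E8AABBCCDD83781408C645FC317202"))

if __name__ == "__main__":
    print("vidar rule matches:", matches_vidar_rule(SAMPLE))
```

Running it against the constructed buffer reports a match; dropping the MZ header or leaving only one of the $c DLL names makes the condition fail, just as the YARA rule would.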
Article Link: https://tccontre.blogspot.com/2019/03/infor-stealer-vidar-trojanspy-analysis.html