Vidar Malware Attacks Browser Passwords, Crypto Wallets and Cookies for Financial Gain
Password Stealers Evolve: Vidar Malware Targets Browser Credentials and Cryptocurrency Wallets
Cybersecurity researchers have identified a sophisticated malware campaign using the Vidar information stealer, a family that has been active since 2018.
According to cybersecurity experts, “Vidar checks for active security processes, disables monitoring tools, and executes a loader compiled using AutoIt scripting techniques.”
The Infection Chain:
- A seemingly legitimate software activation tool, such as “MicrosoftToolkit.exe,” deceives users into executing the malware manually.
- Once launched, the initial file triggers a series of hidden scripts, renaming and executing a disguised file as a batch process, followed by additional payload extraction stages.
- Vidar scans infected systems for stored browser credentials, authentication cookies, saved passwords, and cryptocurrency wallet files.
- The malware hides its communication with external infrastructure inside traffic to legitimate platforms such as Telegram and Steam, so that malicious activity blends in with normal web traffic.
- Vidar exhibits self-cleaning behavior, deleting dropped files, clearing execution traces, resetting file attributes, and terminating its own processes.
Actions Against Vidar Attacks:
- Isolate potentially infected systems.
- Perform a full system reimage.
- Reset all credentials.
- Enforce multi-factor authentication.
- Restrict execution of unauthorized software tools.
- Monitor outbound network traffic, DNS requests, and unusual HTTP connections.
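The last action above, monitoring outbound traffic for unusual HTTP connections, can be turned into a concrete check: because the stealer hides its command-and-control lookups inside traffic to Telegram and Steam, a workstation process that is not a browser or the platform's own client contacting those hosts is worth an alert. The script below is an added example and not code from the article or from any named product. The log format, the watched domain list and the process allowlist are assumptions constructed for the example; the sample log lines are likewise constructed.

```python
import re
from dataclasses import dataclass

# Public platforms that stealers such as Vidar abuse to fetch their C2 address.
# The domains listed here are an assumption for this example; extend the tuple
# with the hosts your own threat intelligence names.
WATCHED_HOST_SUFFIXES = ("t.me", "telegram.org", "steamcommunity.com")

# Applications expected to reach those platforms on a workstation.
# Assumed allowlist; tune it to the software actually deployed in your fleet.
EXPECTED_PROCESSES = {
    "chrome.exe", "msedge.exe", "firefox.exe",
    "telegram.exe", "steam.exe", "steamwebhelper.exe",
}

# Constructed log format: one outbound connection per line, as an EDR or proxy
# export might look. The field names are assumptions, not a real product's schema.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+proc=(?P<proc>\S+)"
    r"\s+dst=(?P<dst>[^:\s]+)(?::(?P<port>\d+))?"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    proc: str
    dst: str
    reason: str


def host_is_watched(dst: str) -> bool:
    """True if dst is one of the watched platforms or a subdomain of one.
    The dot prefix stops look-alike names such as 'att.me' from matching."""
    dst = dst.lower().rstrip(".")
    return any(dst == s or dst.endswith("." + s) for s in WATCHED_HOST_SUFFIXES)


def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspicious(lines):
    """Return an Alert for every watched-platform contact made by a process
    that is not on the allowlist. Unparseable lines are skipped, not raised on."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        dst = rec["dst"].lower()
        if host_is_watched(dst) and rec["proc"].lower() not in EXPECTED_PROCESSES:
            alerts.append(Alert(
                rec["ts"], rec["host"], rec["proc"], dst,
                f"unexpected process contacted watched platform {dst}",
            ))
    return alerts


def summarize(alerts):
    """Group alerts by (host, process) with the set of platforms each touched.
    One process reaching several dead-drop hosts is a stronger signal than a
    single contact, so the grouped view is what an analyst should triage first."""
    summary = {}
    for a in alerts:
        summary.setdefault((a.host, a.proc), set()).add(a.dst)
    return {key: sorted(dsts) for key, dsts in summary.items()}


# Constructed sample log: a benign browser visit, the activation-tool lure named
# in the article reaching both platforms, a legitimate Telegram client, and an
# unrelated Windows service. Only the lure should be flagged.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z host=WS01 proc=chrome.exe dst=steamcommunity.com:443",
    "2024-01-01T10:00:05Z host=WS01 proc=MicrosoftToolkit.exe dst=steamcommunity.com:443",
    "2024-01-01T10:00:07Z host=WS01 proc=MicrosoftToolkit.exe dst=t.me:443",
    "2024-01-01T10:00:09Z host=WS02 proc=telegram.exe dst=telegram.org:443",
    "2024-01-01T10:00:12Z host=WS01 proc=svchost.exe dst=windowsupdate.microsoft.com:443",
]

if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.host} {a.proc} -> {a.dst}: {a.reason}")
    for (host, proc), dsts in summarize(found).items():
        print(f"{host}/{proc} touched {len(dsts)} watched platform(s): {', '.join(dsts)}")
```

Run against the constructed log it reports the two connections made by MicrosoftToolkit.exe and nothing else. In a real deployment the allowlist is the part that needs care: a browser on the list will hide a stealer that injects into it, so the check is a cheap first-pass filter to pair with process-integrity telemetry, not a standalone verdict.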
