The notorious information stealer known as Vidar continues to use TikTok, Telegram, Steam, and Mastodon as intermediate command-and-control (C2) servers.
“When a user creates an account on an online platform, a unique account page is generated that can be accessed by anyone,” AhnLab Security Emergency Response Center (ASEC) disclosed in a technical report published at the end of the month. In portions of this page, threat actors have written identifying characters and the C2 address.
In other words, the technique relies on actor-controlled, disposable social media accounts to obtain the C2 address.
If the C2 server is taken down or blocked, the adversary can easily circumvent the restrictions by setting up a new server and editing the account pages to allow the previously distributed malware to communicate with the new server.
Vidar, first seen in 2018, is an off-the-shelf malware capable of harvesting a wide variety of information from compromised hosts. It typically spreads via delivery mechanisms such as phishing emails and cracked software.
After information collection is complete, the stolen data is compressed into a ZIP file, encoded in Base64, and sent to the C2 server, according to ASEC researchers.
The most recent variant of the malware (version 56.1) now encodes the gathered data before exfiltration, whereas previous variants were known to send the compressed file data in plaintext.
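The exfiltration format described above (a ZIP archive sent either raw, as older variants did, or Base64-encoded, as in version 56.1) is easy to spot in outbound HTTP bodies because a ZIP local file header starts with the bytes `50 4B 03 04`, and Base64 of those bytes always begins with `UEsDB`. The following is an added detection example, not ASEC's or the article's code; the sample POST bodies are constructed in memory here, so the script runs offline.

```python
"""Classify outbound HTTP POST bodies as raw ZIP, Base64-encoded ZIP, or benign.

Added example, not code from the article or from ASEC. The sample bodies
below are constructed stand-ins, not captured Vidar traffic.
"""
import base64
import binascii
import io
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"
# Base64 of the bytes 50 4B 03 04 always begins with "UEsDB": the first three
# header bytes encode to "UEsD", and the top six bits of the fourth byte
# (000001) encode to "B". Only the sixth character depends on later bytes.
B64_ZIP_PREFIX = b"UEsDB"


def build_sample_zip() -> bytes:
    """Constructed stand-in for harvested data packed into a ZIP (no real data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("information.txt", "constructed sample content\n")
        zf.writestr("browser_data.txt", "placeholder\n")
    return buf.getvalue()


def decode_if_base64(body: bytes):
    """Return decoded bytes if the body is strict Base64 of a ZIP header, else None."""
    compact = b"".join(body.split())  # tolerate line-wrapped Base64
    if not compact.startswith(B64_ZIP_PREFIX):
        return None  # cheap reject before spending time on decoding
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def is_complete_zip(data: bytes) -> bool:
    """True if the data carries a ZIP end-of-central-directory record."""
    return zipfile.is_zipfile(io.BytesIO(data))


def classify_body(body: bytes) -> str:
    """Return 'raw-zip', 'base64-zip' or 'benign' for one request body."""
    if body.startswith(ZIP_LOCAL_HEADER):
        return "raw-zip"
    decoded = decode_if_base64(body)
    if decoded is not None and decoded.startswith(ZIP_LOCAL_HEADER):
        return "base64-zip"
    return "benign"


def archive_entries(body: bytes) -> list:
    """List file names inside a raw or Base64-encoded ZIP body (empty if not a ZIP)."""
    data = body if body.startswith(ZIP_LOCAL_HEADER) else decode_if_base64(body)
    if data is None or not is_complete_zip(data):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


# Constructed sample request bodies, keyed by a label for readability.
SAMPLE_BODIES = {
    "old-variant-plaintext": build_sample_zip(),
    "v56.1-base64": base64.b64encode(build_sample_zip()),
    "benign-json": b'{"status": "ok"}',
    "benign-base64-text": base64.b64encode(b"hello world"),
}


def scan_bodies(bodies: dict) -> dict:
    """Map each body label to its verdict."""
    return {label: classify_body(body) for label, body in bodies.items()}


if __name__ == "__main__":
    for label, verdict in scan_bodies(SAMPLE_BODIES).items():
        print(f"{label}: {verdict} {archive_entries(SAMPLE_BODIES[label])}")
```

The prefix check is a fast filter; the `validate=True` decode and the end-of-central-directory check cut false positives from arbitrary Base64 blobs. In a proxy or NDR rule the same two conditions translate to a body starting with `PK\x03\x04` or `UEsDB` on a POST to a host that is not a known archive-upload service.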
“Because Vidar employs well-known platforms as the intermediary C2, it has a lengthy lifespan,” researchers explained. “A threat actor’s account that was created six months ago continues to be maintained and updated continuously.”
The development follows recent discoveries that the malware is being distributed via multiple methods, including malicious Google Ads and a malware loader dubbed Bumblebee, the latter of which is attributed to a threat actor tracked as Exotic Lily and Projector Libra.
In an analysis published last month, the risk consulting firm Kroll reported discovering an advertisement for the GIMP open-source image editor that, when clicked from a Google search result, redirected the victim to a typosquatting domain hosting the Vidar malware.
The evolution of malware delivery methods in the threat landscape is, in part, a reaction to Microsoft’s decision to block macros by default in Office files downloaded from the internet, beginning in July 2022.
This has resulted in a rise in the abuse of alternative file formats such as ISO, VHD, SVG, and XLL in email attachments to circumvent Mark of the Web (MotW) protections and avoid anti-malware scanning measures.
“Disk image files can circumvent the MotW feature because when the files within them are extracted or mounted, MotW is not inherited by the files,” ASEC researchers explained, describing a Qakbot campaign that uses a combination of HTML smuggling and VHD files to launch the malware.