The notorious information-stealer known as Vidar is continuing to leverage popular social media services such as TikTok, Telegram, Steam, and Mastodon as intermediate command-and-control (C2) servers, a technique commonly referred to as a dead-drop resolver.
“When a user creates an account on an online platform, a unique account page that can be accessed by anyone is generated,” AhnLab Security Emergency Response Center (ASEC) disclosed in a technical analysis published late last month. “Threat actors write identifying characters and the C2 address in parts of this page.”
In other words, the technique relies on actor-controlled throwaway accounts created on social media to retrieve the C2 address.
An advantage of this approach is that, should the C2 server be taken down or blocked, the adversary can trivially sidestep the disruption by setting up a new server and editing the account page; malware already in the field re-reads the public page on its next check-in and follows the new address, with no need to redistribute or update the binary.
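To make the resolver mechanism concrete, the following is an added Python example (not Vidar's code and not from the ASEC report) that mimics what the stealer does: fetch a public profile page, locate the actor's marker characters, and pull out the C2 address between them. The marker string `|||`, the sample profile HTML and the IP addresses are constructed assumptions; ASEC only states that the actor writes "identifying characters" next to the C2 address. The second sample page shows the rotation case from the paragraph above: the same account, edited to point at a replacement server.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Hypothetical marker strings. The real delimiters are not on the page; any
# short, unusual character sequence the malware can search for would do.
MARKER_START = "|||"
MARKER_END = "|||"

# Constructed sample of an account's public profile page (bio text), not real data.
PROFILE_PAGE_V1 = """<html><body>
<div class="bio">Just here for the memes. |||http://203.0.113.10/|||</div>
</body></html>"""

# Same account after the actor edits the bio to point at a replacement server.
PROFILE_PAGE_V2 = PROFILE_PAGE_V1.replace("203.0.113.10", "198.51.100.7")


def resolve_c2(page_html: str) -> Optional[str]:
    """Mimic a dead-drop resolver.

    Find the first marker pair in the fetched page and return the URL between
    the markers. Return None when no usable C2 is present (account removed,
    bio edited, markers missing or the payload is not an http(s) URL), which is
    the failure mode the malware has to handle before falling back or retrying.
    """
    pattern = re.escape(MARKER_START) + r"(.*?)" + re.escape(MARKER_END)
    match = re.search(pattern, page_html, re.DOTALL)
    if not match:
        return None
    candidate = match.group(1).strip()
    parsed = urlparse(candidate)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return None
    return candidate


if __name__ == "__main__":
    # Simulates two check-ins against the same account before and after the
    # actor rotates the server: the binary never changes, only the page does.
    for page in (PROFILE_PAGE_V1, PROFILE_PAGE_V2):
        print("resolved C2:", resolve_c2(page))
```

The defensive reading of the same logic: an endpoint process that is not a browser fetching a profile page on one of these platforms, then opening a connection to an address that appears nowhere else in the host's history, is the behaviour to hunt for; the profile content itself will look like harmless bio text apart from the marker pair.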
Vidar, first identified in 2018, is a commercial off-the-shelf malware that’s capable of harvesting a wide range of information from compromised hosts. It typically relies on delivery mechanisms like phishing emails and cracked software for propagation.
“After information collection is complete, the extorted information is compressed into a ZIP file, encoded in Base64, and transmitted to the C2 server,” ASEC researchers said.
What’s new in the latest version of the malware (version 56.1) is that the gathered data is Base64-encoded prior to exfiltration, a change from the previous variants that have been known to send the compressed file data in plaintext. Base64 is an encoding, not encryption: the change only defeats naive content inspection that looked for a raw ZIP header in the request body, and the stolen data remains trivially recoverable from captured traffic.
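The following is an added Python example (not from the page, the ASEC report or Vidar itself) that builds an exfiltration body in the format described above, a ZIP archive that is then Base64-encoded, and shows the matching detection logic: scan an outbound request body for Base64 runs that decode to a ZIP file, and list the archive members. The file names, contents and the `hwid=`/`data=` form fields are constructed for the example and are not Vidar's real field names.

```python
import base64
import binascii
import io
import re
import zipfile
from typing import List

# Local file header signature of a ZIP archive.
ZIP_MAGIC = b"PK\x03\x04"
# A run of at least 64 Base64 characters, with optional padding.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def build_exfil_blob(files: dict) -> bytes:
    """Package collected files the way the article describes:
    ZIP them, then Base64-encode the archive. Used only to build a sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return base64.b64encode(buf.getvalue())


def find_base64_zip(body: bytes) -> List[List[str]]:
    """Detection side: return the member names of every Base64-encoded ZIP
    found in a request body (empty list if none). Runs that are valid Base64
    but do not decode to a ZIP, or decode to a corrupt archive, are skipped."""
    hits: List[List[str]] = []
    for m in _B64_RUN.finditer(body):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        if not decoded.startswith(ZIP_MAGIC):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(decoded)) as zf:
                hits.append(zf.namelist())
        except zipfile.BadZipFile:
            continue
    return hits


# Constructed sample: what an infected host might POST to the C2.
SAMPLE_FILES = {
    "passwords.txt": b"example.test\tuser\thunter2\n",
    "cookies.txt": b"example.test\tsession\tdeadbeef\n",
}
SAMPLE_BODY = b"hwid=ABC123&data=" + build_exfil_blob(SAMPLE_FILES)


if __name__ == "__main__":
    for names in find_base64_zip(SAMPLE_BODY):
        print("Base64-encoded ZIP with members:", names)
```

Because the payload is recoverable, a network sensor or proxy that already scans POST bodies only needs this extra decode step to see the archive; the older plaintext variants are caught by checking for `ZIP_MAGIC` directly in the body.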
“As Vidar uses famous platforms as the intermediary C2, it has a long lifespan,” the researchers said. “A threat actor’s account created six months ago is still being maintained and continuously updated.”
The development comes amid recent findings that the malware is being distributed using a variety of methods, including malicious Google Ads and a malware loader dubbed Bumblebee, the latter of which is attributed to a threat actor tracked as Exotic Lily and Projector Libra.
Risk consulting firm Kroll, in an analysis published last month, said it discovered an ad for the GIMP open source image editor that, when clicked from the Google search result, redirected the victim to a typosquatted domain hosting the Vidar malware.
If anything, the evolution of malware delivery methods in the threat landscape is in part a response to Microsoft’s decision, rolled out from July 2022, to block macros by default in Office files downloaded from the internet.
This has led to an increase in the abuse of alternative file formats like ISO, VHD, SVG, and XLL in email attachments to bypass Mark of the Web (MotW) protections or otherwise evade anti-malware scanning measures.
“Disk image files can bypass the MotW feature because when the files inside them are extracted or mounted, MotW is not inherited to the files,” ASEC researchers said, detailing a Qakbot campaign that leverages a combination of HTML smuggling and a VHD file to launch the malware.