By rssfeeds-admin 
By abusing AutoIt and masquerading files, attackers can successfully siphon passwords, cookies, and cryptocurrency wallets while remaining virtually invisible to traditional security controls.
First emerging in 2018 from the source code of the Arkei stealer, Vidar has become a prominent threat in the cybercrime ecosystem. Its ability to rapidly extract highly sensitive user data makes it a favorite among financial threat actors and initial access brokers.
Vidar Malware Campaign Targets Login Credentials
The attack begins when a user executes a compromised version of Microsoft Toolkit, a popular but unauthorized software activation utility. Because users expect such hack tools to flag antivirus warnings, they frequently ignore or bypass security alerts, making it an ideal Trojan horse.
Once launched, the malicious MicrosoftToolkit.exe avoids traditional exploit-based delivery. Instead, it spawns a standard command shell to kick off a covert, file-based staging process directly within the user space.
To bypass basic file-type security controls, the malware leverages extension masquerading. It drops a disguised container file, initially named swingers.dot, and renames it to a .bat executable script. This simple but effective switch allows embedded commands to run without triggering static analysis alarms.
Before dropping its true payload, the script actively enumerates the environment. It uses standard Windows tools such as tasklist and findstr to identify running processes, looking for security software that might disrupt its deployment, as reported by LevelBlue.
After clearing the path, the script uses extract32.exe to pull additional components from the disguised .dot containers. This extraction reveals two critical files: an AutoIt-compiled loader named Replies.scr and an external, encrypted payload file labeled D.
Because AutoIt is a legitimate Windows automation language, the malicious loader blends in seamlessly with standard administrative tasks. The loader serves solely as a delivery mechanism, loading the encrypted payload into memory for decryption and execution.
This builder-style architecture means the initial executable is practically harmless on its own, only revealing its malicious intent when combined with the external file.
Before connecting to its command-and-control (C2) servers, the malware ensures nobody is watching. It uses API calls like ZwQueryInformationProcess to detect debuggers or endpoint detection and response (EDR) instrumentation callbacks. If it senses an analysis environment, it alters its execution to remain hidden.
Once it feels secure, the malware uses the WinINet API to reach out to external servers and retrieve configuration data. Interestingly, it abuses legitimate public platforms to hide its beaconing activity:
- Constructs HTTP GET requests targeting a specific Telegram profile.
- Polls a designated Steam Community profile to retrieve staging information.
- Performs DNS resolution for dynamic infrastructure via the domain gz[.]technicalprorj[.]xyz.
These connections confirm the deployment of the Vidar stealer, paving the way for the immediate exfiltration of browser data and system credentials.
One of the most dangerous aspects of this campaign is its meticulous post-execution cleanup. After successfully launching the stealer, the original Microsoft Toolkit executable systematically destroys all evidence of the initial infection.
The malware traverses a linked list of the dropped .dot payload files, resetting their attributes before deleting them from the disk. It frees all associated memory structures, scrubs execution artifacts, and eventually terminates its own process using RtlExitUserProcess.
This thorough digital hygiene significantly reduces the on-disk footprint, complicating forensic investigations and hindering traditional incident response efforts.
IOCs
| IOC | IOC type | Description |
| fc27479ff929d846e7c5c5d147479c81e483a2ec911bd1501a53aa646a29620d | SHA-256 | MicrosoftToolkit.exe |
| d4fe9f48178cdf375a3be30d17f1dc016b5861dff8683f0bb35a0ba8d44f892f | SHA-256 | swingers.dot.bat |
| 978ad86c90d85b74947bb627ec24f8bcd26812b500e82f5af202160506ac29c6 | SHA-256 | Beds.dot |
| 881619a47b62b52305d92640cc4d4845a279c23a5a749413785fc8fcb0fdf7fb | SHA-256 | replies.scr |
| 968ecf51c442ec0ff91f91689ac524e7e8e9eab0c1a2a65cf13e54cf95194efe | SHA-256 | D (payload file) |
| 149.154.167[.]99 | IP Address | Vidar-associated C2 IP |
| telegram[.]me | Domain Name | C2 domain |
| gz[.]technicalprorj[.]xyz | Domain Name | Vidar-associated C2 domain |
| Tactic | Techniques / Sub-Techniques | Summary |
| TA0001 – Initial Access | T1204.002 – User Execution: Malicious File | User downloaded and executed microsofttoolkit.exe (hacktool), serving as the initial entry point into the system |
| TA0002 – Execution | T1204.002 – User Execution: Malicious File | User executed microsofttoolkit.exe, initiating the infection under the assumption of legitimate software activation |
| TA0002 – Execution | T1059.003 – Command and Scripting Interpreter: Windows Command Shell | Batch/script-based execution used to stage further activity |
| TA0002 – Execution | T1027 – Obfuscated/Compressed Files | Payload staged via compressed or embedded format using extract32.exe |
| TA0002 – Execution | T1140 – Deobfuscate/Decode Files or Information | Extraction process used to unpack the next-stage payload |
| TA0002 – Execution | T1059 – Command and Scripting Interpreter | AutoIt-based loader executed via script-like behavior |
| TA0002 – Execution | T1218 – Signed Binary Proxy Execution | .scr (AutoIt compiled binary) used as a loader to execute malicious logic |
| TA0005 – Defense Evasion | T1036 – Masquerading | A .dot file was renamed to .bat to bypass basic file-type restrictions |
| TA0005 – Defense Evasion | T1562.001 – Disable or Modify Security Tools | taskkill.exe used to terminate security-related processes |
| TA0005 – Defense Evasion | T1059.003 – Command Shell | findstr.exe leveraged for filtering and identifying security processes |
| TA0005 – Defense Evasion | T1070.004 – Indicator Removal on Host: File Deletion | Malware deleted dropped files to remove evidence |
| TA0005 – Defense Evasion | T1489 – Service Stop | Processes terminated to reduce forensic artifacts and evade detection |
| TA0011 – Command and Control | T1071.001 – Application Layer Protocol: Web Protocols | Malware communicated with C2 over HTTP/HTTPS |
| TA0011 – Command and Control | T1573 – Encrypted Channel | Encrypted communication used to evade detection |
| TA0010 – Exfiltration | T1041 – Exfiltration Over C2 Channel | Stolen data (credentials, browser data) exfiltrated via C2 channel |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google
The post Vidar Malware Campaign Targets Login Credentials, Session Cookies, and Wallet Files appeared first on Cyber Security News.
Discover more from RSS Feeds Cloud
Subscribe to get the latest posts sent to your email.