uTalk

Official forum for Utopia Community


#1 2023-06-15 18:37:18

thrive
Member
Registered: 2023-01-04
Posts: 2,575

Vidar Malware Employs New Techniques to Avoid Detection and Anonymize

The threat actors who created the Vidar malware have altered their backend infrastructure, showing efforts to retool and hide their online footprint in response to public revelations about their method of operation.

Cybersecurity firm Team Cymru stated in a recent analysis that "Vidar threat actors continue to rotate their backend IP infrastructure, favoring providers in Moldova and Russia."

A known information thief operating since late 2018 is called Vidar. Additionally, it is a fork of another stealthy malware program called Arkei, and prices range from $130 to $750 depending on the subscription level.

The malware comes with a wide range of capabilities to harvest sensitive information from infected hosts and is frequently distributed through phishing campaigns and websites promoting cracked software. Vidar has also been seen to be spread by malicious Google Ads and the Bumblebee malware loader.

In a report released earlier in January by Team Cymru, it was stated that "Vidar operators have split their infrastructure into two parts; one dedicated to their regular customers and the other for the management team and possibly premium / important users."

A significant domain that the Vidar actors use is my-odin[.]com, a one-stop shop for controlling the panel, verifying affiliates, and exchanging files.


Previously, downloading files from the website was possible without requiring any authentication; however, doing so now directs the user to a login page. Updates to the IP address that hosts the domain itself represent another change.

This includes shifting from 186.2.166[.]15 to 5.252.179[.]201 to 5.252.176[.]49 by the end of March 2023, with threat actors accessing the latter using VPN servers around the same time.

Team Cymru stated: "It is apparent that the Vidar threat actors may be taking steps to anonymize their management activities by hiding in general Internet noise by using VPN infrastructure, which in at least part was also utilized by numerous other benign users."

The cybersecurity firm also reported finding outgoing connections from 5.252.176[.]49 to blonk[.]co, a legitimate website, as well as to a host based in Russia (185.173.93[.]98:443).

Beginning on May 3, 2023, the Vidar infrastructure has been found to have received yet another facelift with the addition of a new IP address, 185.229.64[.]137, hosting the my-odin[.]com domain, in addition to the use of TOR relays by the operators to access their accounts and malware storage locations.

The information "provides further insight into the 'behind-the-scenes' operation of Vidar, demonstrating the evolution of its management infrastructure as well as evidence of steps taken by the threat actors to potentially cover their tracks," the company said.

