
The threat actors behind the Vidar malware have made changes to their backend infrastructure, indicating attempts to retool and conceal their online trail in response to public disclosures about their tactics.
“Vidar threat actors continue to rotate their backend IP infrastructure, favoring providers from Moldova and Russia,” cybersecurity firm Team Cymru said in a new analysis shared with The Hacker News.
Vidar is a commercial information stealer that has been active since late 2018. It is a fork of another stealer called Arkei and is priced between $130 and $750 depending on the subscription tier.
Typically distributed through phishing campaigns and sites promoting cracked software, the malware has extensive capabilities to gather sensitive information from infected hosts. Vidar has also been observed distributed via malicious Google ads and a malware loader called Bumblebee.

Team Cymru said in a report released earlier in January that “Vidar operators have split their infrastructure into two parts, one dedicated to regular customers, the other to the management team and potentially for premium/important users only.”
The primary domain used by the Vidar actor, my-odin[.]com, is a one-stop shop for panel management, affiliate verification, and file sharing.

Previously, users could download files from sites without authentication, but now performing the same action redirects users to a login page. Another change involves updating the IP address that hosts the domain itself.
This includes migrating from 186.2.166[.]15 to 5.252.179[.]201 and then to 5.252.176[.]49 by the end of March 2023, with the threat actors using VPN servers to access the latter around the same time.
“By using VPN infrastructure, at least in part also utilized by a number of other benign users, it is possible that the Vidar attackers have taken steps to hide behind the general internet noise and anonymize their administrative activities. It is clear that there is a risk,” Team Cymru pointed out.
The cybersecurity firm said it also detected outbound connections from 5.252.176[.]49 to a legitimate website called blonk[.]co and to a host located in Russia (185.173.93[.]98:443).
The Vidar infrastructure was observed being further revamped starting May 3, 2023, with a new IP address, 185.229.64[.]137, hosting the my-odin[.]com domain, and the operators using Tor relays to access accounts and malware repositories.
The findings “provide further insight into Vidar’s ‘behind-the-scenes’ activities, showing evidence of the evolution of its management infrastructure and, potentially, the steps taken by threat actors to cover its tracks,” the company said.