fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Vidar Stealer Abuses Mastodon To Silently Get C2 Configuration

Vidar Stealer Abuses Mastodon To Silently Get C2 Configuration

The Vidar stealer has returned in a new campaign that abuses the Mastodon social media network to get C2 configuration without raising alarms. 

The particular malware has been active since at least October 2018 and we’ve seen it in numerous different campaigns. The reason why it’s so widely deployed is that it remains effective in its job and is also easy to source through Telegram channels and underground forums where it sells for as little as $150. 

Also Read: How To Secure Your WiFi Camera: 4 Points To Consider

The data that Vidar attempts to steal from infected machines includes the following:

  • All popular browser information such as passwords, cookies, history, and credit cards details.
  • Cryptocurrency wallets.
  • Files according to regex strings given by the TA.
  • Telegram credentials for Windows versions.
  • File transfer application information (WINSCP, FTP, FileZilla)
  • Mailing application information. 

What makes this particular campaign standout is how Vidar abuses Mastodon, the popular open-source social media network, to obtain dynamic configuration and C2 connectivity.

The threat actors set up accounts on Mastodon and then add the IP of the C2 that the stealer will use on their profile’s description section. 

Actor's Mastodon profile with C2 URL on the description
Actor’s Mastodon profile with C2 URL on the description. Source: Cyberint

The idea is to secure communications from the compromised machine to the configuration source, and since Mastodon is a trusted platform, it shouldn’t raise any red flags with security tools. At the same time, Mastodon a relatively under-moderated space so these malicious profiles are unlikely to be spotted, reported, and removed. 

Researchers at Cyberint, who discovered this campaign, report that each C2 they observed contained between 500 and 1,500 different campaign IDs, indicative of the wide scale of Vidar’s deployment. 

Also Read: How Formidable is Singapore Cybersecurity Masterplan 2020?

Upon execution, a POST request is sent for the configuration, and then Vidar fetches its six DLL dependencies from the C2 server via a series of GET requests. These are legitimate third-party DLLs for networking services, MS Visual Studio runtime, etc. 

HTTP Post request for fetching dependency
HTTP Post request for fetching dependency. Source: Cyberint

By utilizing these DLLs, Vidar steals data like email credentials, chat account details, web-browsing cookies, etc., compresses everything into a ZIP archive, and then exfiltrates the archive to the attackers via an HTTP POST.. 

Once this is done, Vidar kills its own process and deletes the DLLs and the main executable, in an attempt to wipe all evidence of its presence in the victim’s machine. The later the victim realizes their credentials were stolen, the more opportunities for exploitation the actors will have. 

To avoid having to deal with a nasty Vidar infection, take into account the common delivery channels. These are typically unsolicited emails that make bold claims about pending orders, payments, and package deliveries. 

Another method of distribution is via direct messages on popular social media platforms, or even through laced game cracks downloaded via torrent.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us