The threat actor behind the Vidar malware has made changes to their backend infrastructure, indicating attempts to retool and hide their online footprint in response to public disclosures about their modus operandi.
“Threat actor Vidar continues to rotate their backend IP infrastructure, supporting providers in Moldova and Russia,” cybersecurity firm Team Cymru said in new analysis shared with The Hacker News.
Vidar is a commercial information stealer known to be active since late 2018. It is a fork of another stealer malware called Arkei and is offered for sale for between $130 and $750, depending on the subscription level.
Typically delivered through phishing campaigns and sites advertising cracked software, the malware comes with various capabilities to extract sensitive information from infected hosts. Vidar has also been seen distributed via rogue Google Ads and a malware loader dubbed Bumblebee.
Team Cymru, in a report published in early January, noted that “Vidar operators have divided their infrastructure into two parts; one dedicated to their regular customers and the other to the management team, as well as potentially premium/critical users.”
The primary domain used by Vidar actors is my-odin(.)com, which serves as a one-stop destination for managing panels, authenticating affiliates, and sharing files.
Whereas previously it was possible to download files from the site without any authentication, performing the same action now redirects the user to the login page. Another change involved updating the IP address hosting the domain itself.
This includes moving from 186.2.166(.)15 to 5.252.179(.)201 to 5.252.176(.)49 in late March 2023, with attackers accessing the latter using VPN servers at roughly the same time.
“By using a VPN infrastructure, which is at least partly shared by many other benign users, it is clear that Vidar threat actors may be taking steps to anonymize their management activities by hiding in the general noise of the Internet,” Team Cymru notes.
The cybersecurity firm said it also detected outgoing connections from 5.252.176(.)49 to an official website called blurk(.)co as well as a host located in Russia (185.173.93(.)98:443).
Vidar's infrastructure apparently received another facelift effective May 3, 2023, with the introduction of the new IP address 185.229.64(.)137 hosting the domain my-odin(.)com, along with the operators' use of a Tor relay to access their malware accounts and repositories.
The findings “provide further insight into Vidar’s ‘behind the scenes’ operations, demonstrating the evolution of its management infrastructure as well as evidence of the steps threat actors are taking to cover their tracks,” the company said.