
Vidar Malware Enhances Evasion Tactics and Activity Anonymization

The operators of the Vidar malware have recently made significant changes to its backend infrastructure, apparently in an effort to conceal their activities after public disclosures of that infrastructure.

An analysis by security firm Team Cymru shows that the Vidar threat actors are persistently rotating their backend IP infrastructure, favouring hosting providers located in Moldova and Russia.

The Vidar Malware

Vidar, an information-stealing malware, has been in operation since late 2018 and is known as a derivative of the Arkei stealer.

It is commercially available, with subscription tiers ranging from $130 to $750. The malware is typically propagated through phishing campaigns and websites promoting cracked software.

Once installed, Vidar harvests a wide range of sensitive information from the compromised system. It has also been distributed through deceptive Google Ads and via the Bumblebee malware loader.

Team Cymru’s report, released in January, revealed that the Vidar operators have divided their infrastructure into two distinct parts.

One segment is dedicated to regular customers, while the other serves the management team and potentially high-profile users.

A critical domain used by the Vidar actors is my-odin[.]com, which functions as a centralized hub for managing the panel, authenticating affiliates, and sharing files. Previously, files could be downloaded from it without authentication; the threat actors have since put the downloads behind a login page.

The IP address hosting the domain has also changed, moving from 186.2.166[.]15 to 5.252.179[.]201 and then, in late March 2023, to 5.252.176[.]49. During this transition the threat actors accessed the latter address via VPN servers, which suggests an attempt to hide their management activity among benign internet traffic.

Team Cymru also observed outbound connections from 5.252.176[.]49 to a legitimate website, blonk[.]co, as well as to a host located in Russia (185.173.93[.]98:443).

On May 3, 2023, the Vidar infrastructure changed again: a new IP address, 185.229.64[.]137, began hosting the my-odin[.]com domain.
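Because the hosting behind my-odin[.]com keeps moving, the practical use of the indicators above is to sweep DNS and proxy logs for all of them at once rather than for whichever address is current. The following is an added example, not code from the article or from Team Cymru: it refangs the defanged indicators listed above, splits them into IP and domain sets, and scans a few constructed log lines for matches (subdomains of the C2 domain count as hits). The log format and the RFC 1918 client addresses are assumptions.

```python
import ipaddress
import re

# Indicators taken from the Team Cymru findings summarised above,
# written in the defanged form the article uses.
DEFANGED_INDICATORS = [
    "my-odin[.]com",
    "186.2.166[.]15",
    "5.252.179[.]201",
    "5.252.176[.]49",
    "185.229.64[.]137",
    "185.173.93[.]98:443",
]

# Constructed sample log lines (not from the report); format is an assumption.
SAMPLE_LOGS = [
    "2023-05-04T10:01:12Z dns client=10.0.0.12 query=my-odin.com type=A",
    "2023-05-04T10:01:13Z proxy src=10.0.0.12 dst=185.229.64.137:443 method=CONNECT",
    "2023-05-04T10:02:00Z proxy src=10.0.0.15 dst=93.184.216.34:443 method=CONNECT",
    "2023-05-04T10:03:00Z dns client=10.0.0.20 query=login.my-odin.com type=A",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostnames only: last label must be alphabetic so bare IPs are not matched here.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def refang(value: str) -> str:
    """Turn the '[.]' and 'hxxp' defanging used in reports back into a matchable form."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def parse_indicators(defanged):
    """Split defanged indicators into a set of IPv4 addresses and a set of domains.

    A trailing ':port' is stripped; we match on the host regardless of port.
    """
    ips, domains = set(), set()
    for raw in defanged:
        host, _, _port = refang(raw).partition(":")
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            domains.add(host.lower())
    return ips, domains


def scan(lines, defanged=DEFANGED_INDICATORS):
    """Return (line, indicator) pairs for every log line touching a known indicator."""
    ips, domains = parse_indicators(defanged)
    hits = []
    for line in lines:
        for ip in IPV4_RE.findall(line):
            if ip in ips:
                hits.append((line, ip))
        for host in HOST_RE.findall(line):
            host = host.lower()
            for domain in domains:
                # Exact match or any subdomain of the indicator domain.
                if host == domain or host.endswith("." + domain):
                    hits.append((line, domain))
    return hits


if __name__ == "__main__":
    for line, indicator in scan(SAMPLE_LOGS):
        print(f"{indicator:<16} {line}")
```

Keep a first-seen/last-seen date next to each indicator when you operationalise a list like this: the article's own timeline shows three hosting IPs retired within a few months, so an alert on 186.2.166[.]15 today is far weaker evidence than one on the address introduced in May 2023.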

Additionally, the threat actors have used Tor relays to access their accounts and malware repositories, further complicating attribution efforts.

These findings offer valuable insights into the inner workings of Vidar, showcasing the evolution of its management infrastructure and indicating the threat actors’ efforts to cover their tracks.

It is clear that the Vidar operators are continuously adapting their tactics to remain elusive and maintain their malicious operations in the face of increasing scrutiny.
