The Vidar Stealer is spyware that may be a fork of Arkei, although it omits some of that threat's features and includes some new functionality, as well. This spyware is highly-configurable for targeting valuable files and credentials throughout the PC, including stealing Web-browsing information, passwords, and cryptocurrency wallet info. Users should keep their anti-malware solutions up-to-date for deleting the Vidar Stealer as soon as possible and, after infection, be prompt about re-securing any accounts and login data.
A Spy-for-Hire that Looks Fairly Familiar
New threat actors are selling the time-limited services of what could be a new variant of the well-known Arkei spyware program. The Vidar Stealer, which takes its name from a deity in the ranks of the Norse mythological pantheon, includes support for configuring its theft of information, as is appropriate for different victims and campaigns. Interestingly, it also has default filtration features that sort out the systems from Russia and nearby countries by detecting the Windows Locale Name or language.
The Vidar Stealer's development is ongoing, but the spyware is already ready for 'renting' to criminals, who control and configure its attacks through a Web panel. After installing itself through any of the usual exploits, such as a brute-force attack or a corrupted torrent, the Vidar Stealer checks for the system's language. If the system isn't in Russia or a similar country, the program downloads a configuration file that sets up the majority of its attacks as per the remote attacker's profile specifications.
The below attacks are of particular concern to malware analysts, although this list isn't comprehensive:
- The Vidar Stealer collects data from multiple browsers and can take the user's Web-browsing history, automatically-filled-out fields like passwords, and temporary 'cookie' files.
- The Vidar Stealer makes separate, specific searches for strings that match the format of credit and debit card credentials.
- The Vidar Stealer compromises many kinds of cryptocurrency wallets (such as Bitcoin and Litecoin), by default, and can accept parameters for modifying the list by including or excluding other ones.
- The Vidar Stealer accesses message history caches for some instant-messaging programs, most notably, the anonymity-promoting Telegram application.
- The last and most alarming feature is one that attacks 2FA or two-factor authentication programs like Authy.
While many of these features have coding that's similar to Arkei, the Vidar Stealer isn't a complete clone. The inclusion of a brand-new 'grabber' module and the absence of any Steam data-collecting features make the Vidar Stealer noticeably different from the old spyware.
Having the Foresight for Avoiding an 'Avenging' Spyware Kit
The Vidar Stealer, whose name one might also anglicize as Víðarr or Vithar, offers substantial and threatening upgrades in comparison to the already-analyzed threat that it resembles. Because its services are available to any criminal who pays the author's fees, all distribution strategies are subject to significant speculation and potential variability. The Vidar Stealer also highlights the vulnerability of sensitive information to thievery when the user saves it to a predictable, default location for their convenience.
Although malware experts don't find the Vidar Stealer as being without any code-obfuscation features that could help with hiding it, most AV security tools should be capable of identifying it. Mitigating the loss of data is possible by avoiding 'autofill' features for your browser, not saving your work to places like the Windows Documents folder, and wiping your browser of cookies, history, and other information after each use. Anti-malware tools may delete Vidar Stealer safely or, hopefully, block the installation attempt, in a majority of cases.
The Vidar Stealer could be a legitimate fork of Arkei's project or a new program whose author is taking cues from the old resources. Although many details remain of interest in its campaigns and business model, it's certain that 2019 isn't a safe time to stop caring about protecting your data.
Use SpyHunter to Detect and Remove PC Threats
If you are concerned that malware or PC threats similar to Vidar Stealer may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.
Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.