TrojanSpy.Win32.VIDAR.CFJ

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Elimina archivos para impedir la ejecución correcta de programas y aplicaciones.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Agrega las carpetas siguientes:

• %ProgramData%\{Random Numbers}\autofill
• %ProgramData%\{Random Numbers}\History
• %ProgramData%\{Random Numbers}\Downloads
• %ProgramData%\{Random Numbers}\CC

Infiltra los archivos siguientes:

• %ProgramData%\freebl3.dll
• %ProgramData%\mozglue.dll
• %ProgramData%\msvcp140.dll
• %ProgramData%\nss3.dll
• %ProgramData%\softokn3.dll
• %ProgramData%\sqlite3.dll
• %ProgramData%\vcruntime140.dll
• %ProgramData%\{Random numbers}-wal.txt → Stolen information
• %ProgramData%\{Random numbers}-shm.txt → Stolen information
• %ProgramData%\{Random numbers}-journal.txt → Stolen information
• %ProgramData%\{Random Numbers}\autofill\{Random numbers}.txt → Stolen information
• %ProgramData%\{Random Numbers}\History\{Random Numbers}.txt → Stolen information
• %ProgramData%\{Random Numbers}\Downloads\{Random Numbers}.txt → Stolen information
• %ProgramData%\{Random Numbers}\CC\{Random Numbers}.txt → Stolen information
• %ProgramData%\{Random Numbers}\screenshot.jpg

Agrega los procesos siguientes:

• %System%\cmd.exe /c timeout /t 6 & del /f /f "{Malware File path}\{Malware Filename}" & exit

(Nota: %System% es la carpeta del sistema de Windows, que en el caso de Windows 98 y ME suele estar en C:\Windows\System, en el caso de Windows NT y 2000 en C:\WINNT\System32 y en el caso de Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) y 10(64-bit) en C:\Windows\System32).

Otras modificaciones del sistema

Elimina los archivos siguientes:

• %ProgramData%\{Random numbers}-wal.txt → After Exfiltration
• %ProgramData%\{Random numbers}-shm.txt → After Exfiltration
• %ProgramData%\{Random numbers}-journal.txt → After Exfiltration
• %ProgramData%\{Random Numbers}\autofill\{Random numbers}.txt → After Exfiltration
• %ProgramData%\{Random Numbers}\History\{Random Numbers}.txt → After Exfiltration
• %ProgramData%\{Random Numbers}\Downloads\{Random Numbers}.txt → After Exfiltration
• %ProgramData%\{Random Numbers}\CC\{Random Numbers}.txt → After Exfiltration
• %ProgramData%\{Random Numbers}\screenshot.jpg → After Exfiltration

Elimina las carpetas siguientes:

• %ProgramData%\{Random Numbers}\autofill → After Exfiltration
• %ProgramData%\{Random Numbers}\History → After Exfiltration
• %ProgramData%\{Random Numbers}\Downloads → After Exfiltration
• %ProgramData%\{Random Numbers}\CC → After Exfiltration

Robo de información

Recopila los siguientes datos:

• Browser Data(e.g.Cookies, History, Downloads, Bookmarks, Credentials, Credit Card data, Autofills):
  • Mozilla Firefox
  • Pale Moon
  • Opera Stable
  • Opera Crypto Stable
  • Opera GX
  • Google Chrome
  • Chromium
  • Amigo
  • Torch
  • Vivaldi
  • Comodo
  • Epic Privacy Browser
  • CocCoc
  • Brave
  • CentBrowser
  • 7Star
  • TorBro
  • Chedot
  • Microsoft Edge
  • Microsoft Edge Canary
  • Microsoft Edge Beta
  • Microsoft Edge Dev
  • 360Browser
  • QQBrowser
  • CryptoTab Browser
  • Authy Desktop
  • Thunderbird
• Browser Extension:
  • Slides
  • Docs
  • Google Drive
  • Youtube
  • Sheets
  • Gmail
  • Trezor Password Manager
  • Authenticator
  • Authy
  • EOS Authenticator
  • GAuth Authenticator
  • Microsoft Autofill
  • Bitwarden
  • KeePass Tusk
  • KeePassXC-Browser
• CryptoCurrency Browser Extension:
  • TronLink
  • MetaMask
  • Binance Wallet
  • Yoroi
  • Nifty Wallet
  • Coinbase Wallet
  • Guarda Wallet
  • cjelfplplebdjjenllpjcblmjkfcffne
  • iWallet
  • MEW Wallet
  • Ronin Wallet
  • NeoLine
  • CLV Wallet
  • Liquality Wallet
  • Station Wallet
  • Keplr
  • Sollet Wallet
  • Aura Wallet
  • Polymesh Wallet
  • ICONex
  • Coin98 Wallet
  • EVER Wallet
  • KardiaChain Wallet
  • Rabby Wallet
  • Phantom
  • Brave Wallet
  • Oxygen - Atomic Crypto Wallet
  • Pali Wallet
  • aodkkagnadcbobfpggfnjeongemjbjca
  • XDEFI Wallet
  • pfcbjknijpeeillifnkikgncikgfhdo
  • MultiversX DeFi Wallet
  • Keeper Wallet
  • Solflare Wallet
  • Cyano Wallet
  • KHC Wallet
  • TezBoz - Tezos Wallet
  • Temple - Tezos Wallet
  • Goby
  • Tron Wallet and Explorer - Tronium
  • Trust Wallet
  • Exodus Web3 Wallet
  • Braavos Smart Wallet
  • Enkrypt: Multichain Crypto Wallet
  • OKX Wallet
  • Sender Wallet
  • Hashpack
  • Eternl
  • Gero Wallet
  • Pontem Aptos Wallet
  • Petra Aptos Wallet
  • Martian Wallet for Sui and Aptos
  • Finnie
  • Leap Terra Wallet
• Crypto Wallet Data:
  • Ethereum
  • Electrum-LTC
  • Exodus
  • ElectronCash
  • MultiDoge
  • Jaxx
  • Atomic
  • Binance
  • Coinomi
  • Daedalus Mainnet
  • Blockstream Green
  • WalletWasabi
  • Electrum
  • Bitcoin
  • Dogecoin
  • Raven
  • Ledger Live
  • Chia
• System Information:
  • Time and Date
  • Version
  • MachineID
  • GUID
  • HWID
  • Malware File Path
  • Work Directory
  • Product Name
  • OS Version and Architecture
  • Install date of OS
  • Antivirus Products
  • Computer Name
  • User Name
  • Dsiplay Resolution
  • Display Language
  • Keyboard Language
  • Local Time
  • Time Zone
• Hardware Information:
  • Processor
  • # of Core
  • # of Threads
  • RAM
  • Video Card
• Runnning Processes
• Installed Software and version
• Screenshot of current display
• SFTP/FTP Clients (e.g. Host, Port, User, Pass, Recent Servers):
  • WinSCP
  • FileZilla

Información sustraída

Este malware envía la información recopilada a la siguiente URL a través de HTTP POST:

• https://{BLOCKED}.{BLOCKED}.{BLOCKED}.95

Otros detalles

Hace lo siguiente:

• It terminates itself if any of the following computer name(s) are found in the affected system:
  • JohnDoe
  • HAL9TH
• Drops files in %ProgramData% directory with random names containing the stolen informations then deletes it after exfiltration
• It downloads the following archive in %ProgramData% upon resolving its configuration:
  • pack.zip
  which contains the following normal files:
  • freebl3.dll
  • mozglue.dll
  • msvcp140.dll
  • nss3.dll
  • softokn3.dll
  • vcruntime140.dll
  • msvcp140.dll