Full Report
A cybercrime campaign combined a loader-as-a-service framework and DLL sideloading via a Go-compiled fake MpClient.dll, a novel evasion layer combination. The post Vidar Stealer Unmasked: Code Signing Abuse, Go Loaders and File Inflation appeared first on Unit 42.
Analysis Summary
# Tool/Technique: Vidar Stealer & Go-Based Loader Framework
## Overview
This campaign highlights a sophisticated delivery mechanism for **Vidar Stealer** (and occasionally XMRig miners). It utilizes a Loader-as-a-Service (LaaS) framework that leverages hijacked legitimate application workflows. The core of the evasion strategy involves a Go-compiled loader masquerading as a legitimate DLL (**MpClient.dll**) to perform DLL sideloading, combined with "file inflation" to bypass security scanners.
## Technical Details
- **Type**: Information Stealer (Vidar) | Loader (Go-based)
- **Platform**: Windows
- **Capabilities**: Information theft (credentials, browser data, crypto wallets), DLL sideloading, anti-analysis via file padding, code signing abuse.
- **First Seen**: Campaign activity identified in 2023.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- [T1189 - Drive-by Compromise] (Websites offering cracked software)
- **[TA0002 - Execution]**
- [T1059.001 - PowerShell]
- [T1574.002 - DLL Side-Loading]
- **[TA0005 - Defense Evasion]**
- [T1553.002 - Code Signing]
- [T1027.001 - Binary Padding] (File Inflation)
- [T1055 - Process Injection]
- **[TA0006 - Credential Access]**
- [T1555 - Credentials from Password Stores]
- **[TA0011 - Command and Control]**
- [T1102 - Web Service] (Abuse of Mastodon/Telegram for C2 profiles)
## Functionality
### Core Capabilities
- **Information Theft**: Vidar targets cookies, history, and stored passwords from major web browsers, as well as digital certificates and cryptocurrency wallet data.
- **Dynamic C2 Resolution**: Uses social media profiles (e.g., Mastodon) to store hidden C2 configuration strings, allowing the malware to update its command server addresses dynamically.
- **Data Exfiltration**: Packs stolen data into a ZIP file and uploads it to the attacker’s C2 server via HTTP/HTTPS.
### Advanced Features
- **DLL Sideloading (Fake MpClient.dll)**: The malware executes by placing a malicious Go-compiled `MpClient.dll` in the same directory as a legitimate, signed executable (like a Microsoft tool or executable renamed as `WinUpdate.exe`). When the executable runs, it loads the malicious DLL instead of the system one.
- **File Inflation**: The loaders are artificially padded with junk data (null bytes) to reach sizes exceeding 500MB. This bypasses many Sandbox environments and EDR solutions that skip large files to optimize performance.
- **Code Signing Abuse**: The malicious binaries are often signed with stolen or fraudulently obtained valid certificates to appear trustworthy to the OS.
## Indicators of Compromise
- **File Hashes**:
- `7d9f7886477e77405995517f86f2b700f1629ed37156c70a133f837333274291` (Go Loader)
- `9b74052f559795094247895786498305c08007a701980315a6e0c608f654f59c` (Vidar Payload)
- **File Names**:
- `MpClient.dll`
- `WinUpdate.exe`
- `Setup.exe` (Inflated loader)
- **Network Indicators**:
- `hxxps[://]mastodon[.]world/@user_profile` (C2 Resolution)
- `hxxp[://]185[.]161[.]248[.]91/` (Direct C2)
- `hxxp[://]78[.]47[.]184[.]68/`
- **Behavioral Indicators**:
- A signed executable spawning a Go-compiled DLL.
- Large files (>100MB) executing PowerShell commands or making external network connections.
- Unexpected creation of `.zip` files in `%TEMP%` directories containing browser profile data.
## Associated Threat Actors
- While specific attribution is often difficult due to the "Stealer-as-a-Service" model, the campaign is linked to affiliates using the **Vidar Stealer** ecosystem.
## Detection Methods
- **Behavioral detection**: Monitor for legitimate Microsoft binaries loading unsigned or Go-compiled DLLs from non-standard paths (App Data, Temp).
- **Size-Based Inspection**: Configure security appliances to scan exceptionally large files that would normally be whitelisted.
- **YARA Rule Strategy**:
- Target Go-specific metadata in combination with exports expected by `MpClient.dll`.
- Detection of "Overlay" or "Extra Data" at the end of PE files.
## Mitigation Strategies
- **Application Whitelisting**: Use Windows Defender Application Control (WDAC) to prevent unauthorized binaries/DLLs from executing.
- **User Education**: Warn users against downloading "cracked" software or installers from unofficial third-party sites.
- **EDR Configuration**: Ensure Endpoint Detection and Response tools are configured to inspect large files and monitor for sideloading behavior.
## Related Tools/Techniques
- **Arkei Stealer**: (Vidar is a fork of Arkei).
- **Stealc / Racoon Stealer**: Often distributed via similar LaaS Go-loaders.
- **Process Hollowing**: Commonly used by the loader to execute the final Vidar payload in memory.