Concrete signature match: Trojan (appears legitimate but performs malicious actions) for the .NET (Microsoft Intermediate Language) platform, family Vidar
This is a concrete detection of a Vidar trojan variant built for the MSIL platform. It functions as an information stealer, targeting cryptocurrency wallet keys (Monero) and credentials from applications such as FileZilla, while also establishing persistence through hidden scheduled tasks.
Relevant strings associated with this threat:
- SOFTWARE\monero-project\monero-core (PEHSTR_EXT)
- \Monero\wallet.keys (PEHSTR_EXT)
- \AppData\Roaming\FileZilla\recentservers.xml (PEHSTR_EXT)
- New-ScheduledTaskAction -Execute $tempPath -ErrorAction SilentlyContinue (PEHSTR_EXT)
- New-ScheduledTaskSettingsSet -Hidden -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ErrorAction SilentlyContinue (PEHSTR_EXT)
rule Trojan_MSIL_Vidar_AVI_2147927385_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:MSIL/Vidar.AVI!MTB"
        threat_id = "2147927385"
        type = "Trojan"
        platform = "MSIL: .NET intermediate language scripts"
        family = "Vidar"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "1"
        strings_accuracy = "Low"
    strings:
        $x_1_1 = {0a 00 25 06 6f ?? ?? ?? 0a 00 25 17 6f ?? ?? ?? 0a 00 25 16 6f ?? ?? ?? 0a 00 25 17 6f ?? ?? ?? 0a 00 25 17 6f ?? ?? ?? 0a 00 0b 07 28} //weight: 1, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Immediately isolate the infected system, remove the detected malware, and promptly change all potentially compromised credentials, including cryptocurrency wallet passphrases and any stored FTP credentials. Conduct a thorough forensic analysis to identify the initial compromise vector and ensure all persistence mechanisms (including hidden scheduled tasks) are eradicated. Implement strong security practices, regularly back up data, and monitor network activity for further suspicious behavior.