Vidar Stealer Unleashes New Tactic to Steal Browser Cookies and Saved Credentials

Vidar Stealer, a notorious piece of information-stealing malware, has adopted a new distribution strategy: masquerading as trusted binaries such as Microsoft’s BGInfo.exe.

The malware exploits expired digital signatures and legitimate software to evade detection systems and compromise users’ sensitive credentials and browser cookies.

Vidar Stealer first emerged in 2018 as an evolution of the Arkei Trojan, evolving into a Malware-as-a-Service (MaaS) offering.

Its operators have leveraged diverse vectors such as malicious email attachments, malvertising, and even deceptive gaming platforms for dissemination.

A recent instance involved a supposed beta game on Steam called “PirateFi,” which secretly incorporated malware within its files.

Modified Legitimate Software as a Trojan Horse

One of the latest tactics detected involves a maliciously altered version of BGInfo.exe, a trusted tool from Microsoft Sysinternals used by IT professionals.

Distributed on February 25, 2025, this Trojanized BGInfo.exe retained the binary’s legitimate appearance but concealed Vidar Stealer within its code.

Figure: Binary information of the dumped data

Security researchers identified this suspicious sample during routine threat-hunting, noting stark differences from the unaltered version.

Analysis revealed that the malicious file was over four times larger than the legitimate version, ballooning from the original 2.1 MB to 10.2 MB due to the inclusion of padded malware code.

The cryptographic hashes for the two files also differed significantly, another indicator of tampering.

The binary retained an expired Microsoft signature, and that lapse in certificate validity let the attackers pass the compromised software off as legitimate and bypass common security checks.

Unpacking Vidar Stealer: Advanced Obfuscation and Payload Delivery

Upon execution of the modified BGInfo.exe, Vidar Stealer’s payload is loaded into memory at runtime, using VirtualAlloc to allocate memory and pointer redirection to steer execution into it.

The malware hijacks critical system functions, such as RtlUserThreadStart, forcing the system to execute the malicious payload instead of the legitimate BGInfo routines.

Evidence of the payload includes traces of a binary named “input.exe,” laden with recognizable identifiers like the MZ and PE executable headers.

Figure: VirusTotal scan result

Once active, Vidar Stealer conducts its primary objectives: extracting browser cookies, saved credentials, cryptocurrency wallet data, and even session tokens from applications like Telegram, Discord, and Steam.

Files like “steam_tokens.txt” suggest a focus on session hijacking to bypass authentication mechanisms.

Additionally, the malware harvests credentials from cloud services, FTP tools (e.g., FileZilla), and password stores.

According to the report, this incident underscores the persistent evolution of Vidar Stealer as threat actors refine their tactics to exploit trusted binaries and software tools.

The abuse of BGInfo.exe demonstrates how even seemingly benign applications can be weaponized to mask malicious intent.

While this particular variant exhibited no novel features beyond its delivery mechanism, its combination of stealth and effective credential theft serves as a cautionary tale for organizations relying on trusted third-party software.

To mitigate risks, cybersecurity teams are advised to:

  • Cross-verify file signatures for irregularities such as expired or invalid certificates.
  • Compare suspicious binaries with known legitimate ones to detect anomalies in file size or behavior.
  • Investigate unexpected network activity related to credential exfiltration.
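The indicators the report relies on (a binary several times larger than the real tool, a different hash, and a second MZ/PE image such as the dumped “input.exe” embedded in the file) can all be checked offline before a sample ever reaches a sandbox. The following is an added example, not code from the article or from Microsoft Sysinternals: a Python triage script that parses the PE headers itself, compares the file’s SHA-256 and size with a trusted copy, lists every embedded MZ/PE image, and reports whether an Authenticode certificate table is present at all. The helper names, the 1.5x size threshold and the minimal PE blobs it builds are my own assumptions; deciding whether a present signature is valid, timestamped or expired is left to platform tooling such as signtool or Get-AuthenticodeSignature, which this parser does not replace.

```python
import hashlib
import struct
from dataclasses import dataclass, field

IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # index of the Authenticode certificate table
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


@dataclass
class TriageReport:
    sha256: str
    size: int
    size_ratio: float                    # suspect size / baseline size
    hash_matches_baseline: bool
    has_certificate_table: bool
    embedded_pe_offsets: list            # every MZ/PE image found, outer image first
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def find_pe_headers(data: bytes) -> list:
    """Offsets of every plausible PE image: an 'MZ' stub whose e_lfanew lands on 'PE\\0\\0'."""
    offsets, pos = [], data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            # real stubs keep e_lfanew small; a huge value means a coincidental 'MZ'
            if 0x40 <= e_lfanew < 0x1000 and data[sig:sig + 4] == b"PE\0\0":
                offsets.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return offsets


def has_certificate_table(data: bytes, image_offset: int = 0) -> bool:
    """True if the PE at image_offset has a non-empty certificate table (presence only,
    not validity: expiry and timestamping are checked with signtool / Get-AuthenticodeSignature)."""
    try:
        e_lfanew = struct.unpack_from("<I", data, image_offset + 0x3C)[0]
        opt = image_offset + e_lfanew + 4 + 20          # skip 'PE\0\0' and the COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == PE32_MAGIC:
            count_off, dirs_off = opt + 92, opt + 96
        elif magic == PE32PLUS_MAGIC:
            count_off, dirs_off = opt + 108, opt + 112
        else:
            return False
        if struct.unpack_from("<I", data, count_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
            return False
        va, size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    except struct.error:                                 # truncated or not a PE at all
        return False
    return va != 0 and size != 0


def triage(data: bytes, baseline_sha256: str, baseline_size: int,
           size_ratio_limit: float = 1.5) -> TriageReport:
    """Compare a suspect file with the hash and size recorded from a trusted copy of the tool."""
    sha = hashlib.sha256(data).hexdigest()
    images = find_pe_headers(data)
    signed = bool(images) and images[0] == 0 and has_certificate_table(data, 0)
    ratio = len(data) / baseline_size if baseline_size else float("inf")
    report = TriageReport(sha, len(data), round(ratio, 2), sha == baseline_sha256, signed, images)
    if not images or images[0] != 0:
        report.findings.append("not a PE image")
    if not report.hash_matches_baseline:
        report.findings.append("SHA-256 differs from the known-good copy")
    if ratio > size_ratio_limit:
        report.findings.append(f"file is {ratio:.1f}x the baseline size")
    if len(images) > 1:
        report.findings.append(f"{len(images) - 1} embedded PE image(s) at offsets {images[1:]}")
    if not signed:
        report.findings.append("no Authenticode certificate table present")
    return report


def build_sample_pe(with_cert_table: bool) -> bytes:
    """Constructed minimal PE32 header (not a real program), used only to exercise the checks."""
    stub = bytearray(0x80)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x80)                    # e_lfanew -> 'PE\0\0'
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    if with_cert_table:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x2000, 0x800)
    return bytes(stub) + coff + bytes(opt)


def constructed_samples() -> dict:
    """A 'clean' signed tool, and the same bytes padded out with an embedded second PE."""
    clean = build_sample_pe(True) + b"\x00" * 1024
    trojanized = clean + b"\x90" * 8192 + build_sample_pe(False)
    return {"clean": clean, "trojanized": trojanized,
            "baseline_sha256": hashlib.sha256(clean).hexdigest(), "baseline_size": len(clean)}


if __name__ == "__main__":
    s = constructed_samples()
    for name in ("clean", "trojanized"):
        r = triage(s[name], s["baseline_sha256"], s["baseline_size"])
        print(name, "SUSPICIOUS" if r.suspicious else "matches baseline", r.findings)
```

Run as a script it prints one line per constructed sample; in practice you pass the bytes of the file under investigation together with the hash and size recorded from a known-good copy of the same tool version. The ratio limit deserves tuning, since legitimate updates also change size, and a present certificate table is only a reason to run the real signature verification, never a clean bill of health.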

Vidar Stealer’s persistence highlights the need for constant vigilance, robust endpoint monitoring, and comprehensive system checks to identify subtle deviations and stop malware campaigns before they proliferate.

As the threat landscape evolves, enterprises must prioritize proactive detection to counter increasingly sophisticated attack vectors.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.