Rig Exploit Kit – Vidar Behavioral Analysis

Today I wanted to do a quick behavioral analysis of Vidar. I downloaded this particular sample from https://www.malware-traffic-analysis.net/2019/01/10/index2.html; it is part of the Hookads campaign that is using the Rig Exploit Kit to push Vidar. So let's get started…

So what I will be doing is fairly straightforward. I will first set up my Remnux VM by running fakedns, inetsim and wireshark. On my Windows machine I will run Process Hacker and Procmon. I will then kick off the executable and let it run for a few minutes, or until it deletes itself, to ensure I can capture most of its functionality. So first, we will take a look at its network traffic.


So it is trying to reach out to tepingost[.]ug and download the .dll files. It drops them in the ProgramData folder, and they delete themselves when the executable deletes itself. The .dlls you see here are simulated through inetsim. I am not completely sure what the .dll files are, but that could be another good exercise to see what their functionality reveals. It also appears to go out to ip-api.com.


It also creates a randomly named folder inside the ProgramData folder, where it takes an inventory of your system, copies any passwords and looks to collect Outlook information as well. Here is a part of the ProcDot .png.


Not pictured here, but during my debugging I was able to set breakpoints on CopyFileA and ReadFile to see what it was copying and reading. Unfortunately I forgot to take screenshots, and now I am unable to get it to run correctly in my debugger. So I will give you a quick rundown.

It created information.txt, which inventoried your system; password.txt, which collects your passwords; and outlook.txt, which would probably collect Outlook information. It then zips it all up and sends it out.
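To make the behaviours noted above repeatable, here is an added example (mine, not code from the original post or from any Vidar tooling) that scores a Procmon CSV export for the indicators described: contact with tepingost[.]ug and ip-api.com, .dll files written to ProgramData, the three text files in a randomly named ProgramData subfolder, and the self-delete. The sample rows, the process name sample.exe, the folder name and the .dll names are constructed placeholders, not values from the capture.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed Procmon CSV export (default export columns). Every value is made
# up to mirror the behaviour described in the post; it is not a real capture.
SAMPLE_PROCMON_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:00:01.100","sample.exe","4120","TCP Connect","WIN10:49712 -> tepingost.ug:80","SUCCESS",""
"9:00:01.400","sample.exe","4120","CreateFile","C:\\ProgramData\\lib_a.dll","SUCCESS","Desired Access: Generic Write"
"9:00:01.450","sample.exe","4120","CreateFile","C:\\ProgramData\\lib_b.dll","SUCCESS","Desired Access: Generic Write"
"9:00:02.000","sample.exe","4120","TCP Connect","WIN10:49713 -> ip-api.com:80","SUCCESS",""
"9:00:02.300","sample.exe","4120","CreateFile","C:\\ProgramData\\Q8ZK3TR1VB\\information.txt","SUCCESS","Desired Access: Generic Write"
"9:00:02.350","sample.exe","4120","CreateFile","C:\\ProgramData\\Q8ZK3TR1VB\\password.txt","SUCCESS","Desired Access: Generic Write"
"9:00:02.400","sample.exe","4120","CreateFile","C:\\ProgramData\\Q8ZK3TR1VB\\outlook.txt","SUCCESS","Desired Access: Generic Write"
"9:00:05.000","sample.exe","4120","SetDispositionInformationFile","C:\\Users\\analyst\\Desktop\\sample.exe","SUCCESS","Delete: True"
"9:00:05.100","notepad.exe","2200","CreateFile","C:\\Users\\analyst\\notes.txt","SUCCESS","Desired Access: Generic Write"
'''

STEALER_FILES = {"information.txt", "password.txt", "outlook.txt"}  # named in the post
SUSPECT_HOSTS = {"tepingost.ug", "ip-api.com"}                      # contacted in the capture
PROGRAMDATA_DLL = re.compile(r"^C:\\ProgramData\\[^\\]+\.dll$", re.IGNORECASE)
PROGRAMDATA_SUBDIR_FILE = re.compile(r"^C:\\ProgramData\\([^\\]+)\\([^\\]+)$", re.IGNORECASE)
def analyze_procmon(csv_text, min_indicators=2):
    """Group Procmon rows by PID; return processes showing at least min_indicators of:
    C2/geo-IP contact, DLLs dropped in ProgramData, stealer files in a subfolder, self-delete."""
    per_pid = defaultdict(lambda: {"process": None, "findings": set(), "staging_dir": None})
    for row in csv.DictReader(io.StringIO(csv_text)):
        rec = per_pid[row["PID"]]
        rec["process"] = row["Process Name"]
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        if op == "TCP Connect":  # Path looks like "local:port -> remote:port"
            remote = path.split("->")[-1].strip().rsplit(":", 1)[0].lower()
            if remote in SUSPECT_HOSTS:
                rec["findings"].add("connect:" + remote)
        elif op == "CreateFile" and "Generic Write" in detail:
            if PROGRAMDATA_DLL.match(path):
                rec["findings"].add("dll_dropped_in_programdata")
            m = PROGRAMDATA_SUBDIR_FILE.match(path)
            if m and m.group(2).lower() in STEALER_FILES:
                rec["staging_dir"] = m.group(1)  # the randomly named folder
                rec["findings"].add("stealer_file:" + m.group(2).lower())
        elif op == "SetDispositionInformationFile" and "Delete: True" in detail:
            if path.lower().endswith("\\" + rec["process"].lower()):
                rec["findings"].add("self_delete")  # process marked its own image for deletion
    return {pid: r for pid, r in per_pid.items() if len(r["findings"]) >= min_indicators}

if __name__ == "__main__":
    for pid, r in analyze_procmon(SAMPLE_PROCMON_CSV).items():
        print(pid, r["process"], r["staging_dir"], sorted(r["findings"]))
```

On a real export, point it at the file contents instead of SAMPLE_PROCMON_CSV and adjust SUSPECT_HOSTS to whatever your own capture shows.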

Be careful with the URL tepingost[.]ug because it appears to still be active. I tested it out by using wget to manually collect all of the .dll files it referred to in my ProgramData folder. So I hope this was useful, and until next time…


Happy Hunting,

Marcus
