Vidar Malware Hides as Microsoft Tool to Steal Passwords and Browser Data

The infamous Vidar Stealer malware has returned with a dangerous new trick—pretending to be Microsoft’s BGInfo.exe, a tool trusted by IT professionals. This new version is designed to silently steal browser cookies, stored passwords, and crypto wallet data.

Fake BGInfo.exe – A Trusted Tool Turned Threat
Vidar now disguises itself as BGInfo.exe, a legitimate system tool from Microsoft Sysinternals Suite.

  • The original BGInfo file is 2.1 MB, but the fake version is 10.2 MB—a red flag.
  • It copies version numbers, creation dates, and developer details to look authentic.
  • The malware avoids detection by mimicking trusted software used by IT administrators.

Advanced Malware Behavior
Once run, the fake BGInfo doesn't perform its usual functions like showing system info on the desktop. Instead:

  • It uses VirtualAlloc to create memory space for its malicious code.
  • It hijacks normal execution flow using Windows API functions like RtlUserThreadStart.
  • The malware secretly runs Vidar’s payload to steal sensitive information.

What Vidar Stealer Targets:

  • Browser-stored credentials (usernames & passwords)
  • Cookies & session tokens from platforms like Discord, AWS, and Steam
  • Cryptocurrency wallets like BraveWallet & Monero
  • Cloud credentials from tools like FileZilla and Microsoft Azure

Signs of Compromise:

  • BGInfo not updating the desktop wallpaper
  • Unusual process memory behavior
  • Large executable file size and expired digital signature
  • Debugging strings related to Telegram, Steam, and crypto wallets

Techniques Used by Attackers:
Vidar Stealer uses several stealth tactics recognized in the MITRE ATT&CK framework:

  • Masquerading (T1036): Pretending to be legitimate software
  • Binary Padding (T1027): Inflating file size to hide malicious code
  • Thread Hijacking (T1055): Redirecting execution to its malware code

Vidar Stealer's latest deception proves that even trusted tools can be turned into powerful weapons by cybercriminals. Its ability to hide in plain sight, hijack system execution, and steal highly sensitive data is a wake-up call for organizations to stay proactive, vigilant, and well-protected.

Net Protector Cyber Security encourages all users to practice safe computing, use robust endpoint protection, and stay informed about evolving threats.