Vidar Info-Stealer Abusing Game Platform

The ASEC analysis team has recently found out that the Vidar info-stealer malware is abusing a game matching program named Faceit to create C&C server URL. Vidar is malware that has been steadily distributed from the past disguised as spam mail, PUP, and KMSAuto authentication tool.

Before it performs info-stealing activities, it connects to C&C server to receive commands and download additional DLL files to collect user information. In the past, the malware simply connected to C&C server and received commands and additional files like other malware. Yet the recent Vidar abuses online gaming platforms to actually create C&C server.

Faceit is a platform which supports game matching for online game users. It supports various online games such as PLAYERUNKNOWN’S BATTLEGROUNDS, DOTA 2, and Counter Strike: Global Offensive.

List of games supported by Faceit

As for Vidar abusing the platform, it first creates an API URL for faceit.com before communicating with the C&C server. The URL created by the routine shown below is as follows: ‘sslamlssa’ is the attacker’s Faceit ID.

– hxxps://api.faceit[.]com/core/v1/nicknames/sslamlssa

Routine for creating C&C URL

When Vidar requests HTTP GET for the URL shown above, it receives the json format data from faceit.com. The malware parses the ‘about’ part in the data, which is the actual URL for the C&C server.

– hxxp://188.34.193[.]205

Data received from faceit.com
API result for the malicious user

When logged in to faceit.com, the malware’s C&C server address is shown in the ABOUT part of the profile page of the user ‘sslamlssa’.

Malicious user’s profile

If the attacker edits the About part and enters another address, the Vidar info-stealer will connect to the changed C&C server and continue to perform malicious activities. If Faceit’s attacker account is not blocked, the attacker can repeatedly edit the C&C server to make the same malware connect to different C&C servers. It is likely that the attacker is using the method to bypass network detection for the C&C URL.

Vidar connects to the actual C&C servers established and receives DLL files needed for commands and info-stealing, and ultimately sends the stolen information to the C&C server. See the data sent below, which shows that Vidar’s version is v38.6.

Vidar’s network behavior

When a suspicious-looking email arrives, users should not open the attachment file, try to use a genuine software at all times, and refrain from using suspicious websites and P2P. Also, update V3 to the latest version so that malware infection can be prevented.

AhnLab’s anti-malware software, V3, detects and blocks the malware using the following aliases:

[File Detection]
– Trojan/Win.Generic.C4452995 (2021.05.06.01)

[Behavior Detection]
– Malware/MDP.Behavior.M1965
– Malware/MDP.Inject.M3034
– Malware/MDP.Behavior.M3108

[IOC]
File

5a9c15ad92f14ce0b36726ccd4eb4ef7

C&C
– hxxps://api.faceit[.]com/core/v1/nicknames/sslamlssa
– hxxp://188.34.193[.]205

5 2 votes
Article Rating
guest
0 Comments
Inline Feedbacks
View all comments