Vidar Stealer Exploiting Various Platforms

Vidar is one of the most actively distributed infostealers, and its distribution has been increasing significantly. A distinguishing characteristic is its use of well-known public platforms such as Telegram and Mastodon as intermediary C2 servers (dead-drop resolvers) that point the malware to its actual C2.

The link below is a post about a case where malicious behaviors were performed using Mastodon.

Since then, Vidar has continued to receive version updates while being actively distributed. Recently collected samples use other platforms such as Steam and TikTok in addition to Telegram and Mastodon. This post covers the details of these cases.

When a user creates an account on an online platform, the platform generates a unique profile page that anyone can view. Threat actors place an identifier string followed by the C2 address in a text field of this page.

When executed, the malware fetches the threat actor’s profile page, searches it for the identifier string and reads the C2 address that follows it. It then performs its malicious behaviors while communicating with this C2 server.

Such public platform URLs are difficult to block with security solutions, since blocking the platform domain would also block legitimate traffic. Even if the threat actor’s C2 server is taken down, setting up a new C2 server and editing the profile page is enough to redirect every previously distributed sample to the new server.

The abused services share a common trait: creating an account on them is comparatively easy. The following are pages that were recently abused by Vidar.

Figure 1. Threat actor’s account pages

The last screenshot is the threat actor’s account on Ultimate Guitar. Multiple samples abusing this platform have been collected, but unfortunately we could not obtain a screenshot showing the actual C2 information. The C2 address in use at the time of collection was 116.202.2[.]1/1707.

Upon execution, the strings used by the malware are decrypted. The scheme is a simple XOR, but it is surrounded by garbage code: multiple calls to string-manipulation functions with the dummy text “Lorum ipsum” as their argument. The exact strings and functions differ slightly from sample to sample. This is likely intended to vary the contents of the read-only data section between builds and to make it harder to locate identifying strings for the malware in process memory.

Figure 2. Dummy string modifying garbage code

The malware checks the computer name and username. If they are “HAL9TH” and “JohnDoe” respectively, it stops and exits immediately. These are the values known to be used by the Windows Defender emulator, so this code appears to be intended to evade that emulation.

Figure 3. Anti-emulation code

After these preliminary steps, the malware connects to the threat actor’s account page to obtain the C2 address. Samples currently in distribution each contain two platform account URLs and one actual C2 server URL. These URLs are hard-coded in the binary, and connection attempts are made in order until the actual C2 address is successfully retrieved.

Figure 4. Example of a threat actor’s account page

The malware searches the source of the account page for the identifier. The string from the character after the identifier up to the character before “|” is the C2 address. The identifier differs per sample and is hard-coded alongside the fallback C2 address. In this sample the identifier is “disqo” and the C2 address is 142.132.236.84.
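The lookup described above, reimplemented as an added example (this is analysis tooling written for this post, not code from the ASEC report or from the malware). It walks a hard-coded candidate list in order, applies the post’s extraction rule (the C2 is the text between the per-sample identifier and the next “|”), and rejects values that do not look like a host or IP so an unrelated “|” on the page is not mistaken for a C2. The profile-page bodies are constructed stand-ins keyed by URLs from the IOC list; the HTML is not a real capture, and the first URL in the demo is deliberately left unreachable to show the fallback.

```python
"""Emulation of Vidar's profile-page C2 lookup.

Added example; this is not code from the ASEC post or from the malware.
It reimplements the extraction rule the post describes (the C2 is the text
between the per-sample identifier and the next '|') over constructed
profile-page bodies, so the HTML below is a stand-in, not a real capture.
"""
import re
from typing import Callable, Optional, Sequence

# Identifier from the sample described in the post.
IDENTIFIER = "disqo"

# Constructed page bodies keyed by URL (URLs are from the post's IOC list;
# the HTML is invented). Any URL missing here simulates a blocked/deleted page.
SAMPLE_PAGES = {
    "https://mas.to/@ofadex":
        '<div class="account__note"><p>disqo142.132.236.84|</p></div>',
    "https://steamcommunity.com/profiles/76561199439929669":
        '<div class="profile_summary">just a gamer</div>',
}

# Accept an IPv4 address or hostname, optional port, optional path
# (e.g. 142.132.236.84 or 116.202.2.1/1707). Anything else is treated as noise.
_C2_RE = re.compile(
    r"^(?:\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)"
    r"(?::\d{1,5})?(?:/[\w./-]*)?$"
)


def extract_c2(page_source: str, identifier: str) -> Optional[str]:
    """Return the text between `identifier` and the next '|', or None.

    This is the rule the post describes. It returns None when the identifier
    is absent or when no terminating '|' follows it.
    """
    start = page_source.find(identifier)
    if start == -1:
        return None
    start += len(identifier)
    end = page_source.find("|", start)
    if end == -1:
        return None
    return page_source[start:end].strip()


def looks_like_c2(value: str) -> bool:
    """Sanity-check an extracted value so an unrelated '|' on the page
    does not get treated as a C2 address."""
    return bool(_C2_RE.match(value))


def offline_fetch(url: str) -> str:
    """Stand-in for an HTTP GET that only knows the constructed pages."""
    if url not in SAMPLE_PAGES:
        raise ConnectionError(f"unreachable: {url}")
    return SAMPLE_PAGES[url]


def resolve_c2(candidates: Sequence[str], identifier: str,
               fetch: Callable[[str], str] = offline_fetch) -> Optional[str]:
    """Walk the hard-coded candidate URLs in order, as the post says the
    sample does, and return the first value that parses and validates."""
    for url in candidates:
        try:
            body = fetch(url)
        except Exception:
            continue  # blocked or deleted page: try the next one
        c2 = extract_c2(body, identifier)
        if c2 and looks_like_c2(c2):
            return c2
    return None


if __name__ == "__main__":
    # First URL is deliberately absent from SAMPLE_PAGES to show the fallback.
    order = ["https://t.me/asifrazatg", "https://mas.to/@ofadex"]
    print(resolve_c2(order, IDENTIFIER))
```

For hunting, the same `extract_c2` can be pointed at live profile pages with a real fetch function and the identifier recovered from a sample; because the operator rotates C2 by editing the profile rather than by shipping new binaries, it is the profile page, not the current IP, that is worth monitoring.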

Figure 5. Hard-coded value within the malware

On the initial connection to the C2 server, the malware receives configuration data describing which behaviors to perform, then downloads the library files needed for them. In the past each file was downloaded separately; most recently distributed samples instead download them as a single compressed archive and unpack it in memory before use.

Figure 6. Library downloaded for malicious behaviors

The C2 response includes enable/disable flags for individual features, a token value, target directories, and file extensions. No drastic changes have been made relative to past versions, so the previous blog post provides sufficient detail on this. The hex value inserted in the middle of the feature flags is a random token value assigned by the C2.

Figure 7. C2 response settings data

Behavior depends on the C2’s configuration response, but the data targeted for theft includes browser data (accounts, passwords, history, cookies, etc.), cryptocurrency wallets, document files (extensions defined by the threat actor), screenshots, and system information.

After collection, the stolen data is compressed into a ZIP file, encoded in Base64, and transmitted to the C2 server. The way the data is sent differs slightly from past versions.

Previous samples sent the compressed file in plain form, whereas recent samples send it Base64-encoded. The HTTP request format has also been simplified in the recent version: the malware version is no longer included, so it can only be identified from the information.txt file inside the archive or from the hard-coded value in the binary.

There is also a new feature: the malware receives a random token value in the C2’s reply during the initial connection and sends that value back as a “token” when transmitting the stolen data. This is presumably used to tie the infected PC to the data it uploads.

Figure 8. Example of the data transmitted to the C2 server (Top: past version / Bottom: recently distributed version)

Among the data in the stolen-information files, the date format and the method of generating the HWID have also changed slightly. According to this file, the version of the recently distributed sample is 56.1.
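A decoder for the exfiltration format described in the two passages above (the Base64-encoded ZIP sent with the C2-issued token, and the version now surviving only in information.txt), as an added example for responders who capture the POST body; this is not code from the ASEC post or from the malware. It accepts both the older plain-ZIP body and the newer Base64 form, refuses anything that does not decode to a ZIP, and reads the version line. The request body built here and the line layout of information.txt are constructed for the example (the post shows the file only as a screenshot), so the form field names and the “Version:”, “Date:” and “HWID:” labels are assumptions.

```python
"""Decoder for a captured Vidar-style exfiltration body.

Added example; not code from the ASEC post or from the malware. The post
states that recent samples ZIP the stolen data, Base64-encode it and send
it together with the C2-issued token, and that the stealer version now
survives only in information.txt inside the archive. The request body built
below and the line layout of information.txt are constructed for this
example, so the field names "Version:", "Date:" and "HWID:" and the form
field names "token" and "data" are assumptions.
"""
import base64
import binascii
import io
import re
import zipfile
from typing import Dict, List, Optional

ZIP_MAGIC = b"PK\x03\x04"
_VERSION_RE = re.compile(r"^Version:\s*(\S+)", re.MULTILINE)


def build_sample_body(token: str, base64_encode: bool = True) -> Dict[str, bytes]:
    """Construct a body shaped like the post's description. With
    base64_encode=False it mimics the older plain-ZIP form."""
    info = (
        "Version: 56.1\r\n"                                # assumed line format
        "Date: 2022-12-06 10:41:12\r\n"                    # constructed timestamp
        "HWID: 0123456789ABCDEF0123456789ABCDEF\r\n"       # constructed value
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("information.txt", info)
        zf.writestr("Browsers/Cookies.txt", "constructed placeholder\n")
    payload = buf.getvalue()
    if base64_encode:
        payload = base64.b64encode(payload)
    return {"token": token.encode(), "data": payload}   # field names assumed


def decode_exfil(data: bytes) -> bytes:
    """Return the raw ZIP from either form: plain ZIP (old) or Base64 ZIP (new)."""
    if data.startswith(ZIP_MAGIC):
        return data
    try:
        raw = base64.b64decode(data, validate=True)
    except binascii.Error as exc:
        raise ValueError("body is neither a ZIP nor valid Base64") from exc
    if not raw.startswith(ZIP_MAGIC):
        raise ValueError("Base64 payload does not decode to a ZIP archive")
    return raw


def archive_files(raw: bytes) -> List[str]:
    """List the entries in the decoded archive."""
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        return zf.namelist()


def stealer_version(raw: bytes) -> Optional[str]:
    """Read the version line from information.txt, if present."""
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        if "information.txt" not in zf.namelist():
            return None
        text = zf.read("information.txt").decode("utf-8", "replace")
    m = _VERSION_RE.search(text)
    return m.group(1) if m else None


def triage(body: Dict[str, bytes]) -> Dict[str, object]:
    """Summarize a captured request: token, archive listing, stealer version."""
    raw = decode_exfil(body["data"])
    return {
        "token": body.get("token", b"").decode("ascii", "replace"),
        "files": archive_files(raw),
        "version": stealer_version(raw),
    }


if __name__ == "__main__":
    print(triage(build_sample_body("3f9a1c")))
```

Because the version string is no longer in the HTTP request itself, a network capture alone is not enough to tell which build hit a host; the archive must be decoded, which is why the decoder checks the ZIP magic before trusting the Base64 layer.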

Figure 9. Example of stolen system information (Left: past version / Right: recently distributed version)

Because Vidar uses well-known platforms as its intermediary C2, its infrastructure has a long lifespan: a threat actor’s account created six months ago is still maintained and continuously updated. Users must be cautious, as Vidar is actively distributed disguised as software installers or cracks.

AhnLab’s detection names for the malware are as follows.

  • Trojan/Win.Injection.C5318441 (2022.12.01.02)
  • Infostealer/Win.Vidar.C5317169 (2022.12.13.01)
  • Infostealer/Win.Vidar.C533928 (2022.11.11.01)
  • Infostealer/Win.Vidar.C5308808 (2022.11.19.00)
  • Infostealer/Win.Generic.C5308804 (2022.11.19.00) and more

[IOC Info]

  • MD5
    0b9a0f37d63b0ed9ab9b662a25357962
    483ec112df6d0243dbb06a9414b0daf6
    256594282554abed80536e48f384d2e8
    a46f7096a07285c6c3fdfdf174c8a8b0
    ce1eb73f52efe56356ee21b9c4c4c6c4 and more
  • Threat Actor’s Account URL
    t.me/asifrazatg
    http://www.tiktok.com/@user6068972597711
    steamcommunity.com/profiles/76561199439929669
    mas.to/@ofadex
    http://www.ultimate-guitar.com/u/smbfupkuhrgc1
    steamcommunity.com/profiles/76561199441933804
    steamcommunity.com/profiles/76561199436777531
    c.im/@xiteb15011
    ioc.exchange/@xiteb15011
    c.im/@xinibin420
    nerdculture.de/@yixehi33
    mas.to/@zara99
    ioc.exchange/@zebra54
    nerdculture.de/@yoxhyp
    mas.to/@kyriazhs1975
    nerdculture.de/@tiaga00
    mastodon.online/@olegf9844g


Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
