Hyas Blog | StealC & Vidar Malware Campaign Identified
Weekly Threat Intelligence Report
Date: June 24, 2024
Prepared by: David Brunsdon, Threat Intelligence - Security Engineer, HYAS
Malware developers use a variety of techniques to hide the location of their C2 and keep security analysts from understanding how their malware operates. One common technique, known as a dead drop resolver (MITRE ATT&CK T1102.001), is to have the malware contact a popular online service, such as Pastebin, where a URL responds with the IP address of the C2 server. This design keeps the C2 address out of the malware binary and lets the operator change or remove the C2 destination as needed. If the right service is chosen, the request may go unnoticed because it looks like regular traffic.
We detonated a malware sample on Windows 7 that was identified as containing both StealC and Vidar, and found the same technique being used on the gaming platform Steam. In this case the malware requests the page of a specific user account, and that Steam account's persona name contains the IP address of a component of the C2 infrastructure. Steam also shows a history of the username, so we can see the previous IPs that have occupied this field.
Steam is an interesting choice as a vector for retrieving a C2 destination because it is a gaming platform that is not typically used on corporate infrastructure, except perhaps at gaming companies; it is common in residential traffic, however. A more traditional choice would be a service that is routinely seen in an organization's network traffic, such as a Microsoft service.
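The extraction step the malware performs is simple enough to reproduce, and the same logic is useful for hunting: pull every routable IPv4 address out of a fetched dead-drop page and treat the current name as the live C2 and the name history as prior C2s. The block below is an added example written for this report, not code from the sample or from HYAS; the HTML is a constructed stand-in for a Steam profile page (the class names are assumptions, not Steam's real markup), and the IPs in it are the ones this report lists. The extractor is not Steam-specific and applies equally to a Telegram channel page or any other web-service dead drop.

```python
"""Extract candidate C2 addresses from a dead-drop resolver page.

Added example, not part of the original report. The HTML below is
constructed to mimic a profile page whose current name and name history
carry IP addresses; the element class names are assumptions.
"""
import ipaddress
import re

# Constructed sample page. Besides the report's three C2 IPs it contains
# values that must NOT be accepted: an impossible octet, a private address,
# and a version string that looks like dotted digits.
SAMPLE_PROFILE_HTML = """
<div class="profile_header">
  <span class="actual_persona_name">95.216.142.162</span>
</div>
<div class="namehistory">
  <div>65.109.243.78 <span>(2 weeks ago)</span></div>
  <div>65.109.240.138 <span>(1 month ago)</span></div>
  <div>999.1.1.1</div>
  <div>192.168.1.10</div>
  <div>v1.2.3</div>
</div>
"""

# Four dotted decimal groups, not embedded in a longer dotted/numeric run.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def extract_c2_candidates(page_text: str) -> list[str]:
    """Return the publicly routable IPv4 addresses in page_text, in order of first appearance.

    Regex hits that are not valid IPv4 (e.g. 999.1.1.1) or that fall in
    private, loopback or reserved ranges are dropped: a dead-drop resolver
    only makes sense for an address the victim can reach over the internet.
    With the layout above, the first result is the current name (the live
    C2) and the rest come from the name history (earlier C2s).
    """
    found: list[str] = []
    for candidate in IPV4_RE.findall(page_text):
        try:
            addr = ipaddress.IPv4Address(candidate)
        except ValueError:
            continue
        if not addr.is_global:
            continue
        if str(addr) not in found:
            found.append(str(addr))
    return found


if __name__ == "__main__":
    current, *history = extract_c2_candidates(SAMPLE_PROFILE_HTML)
    print("live C2 candidate:", current)
    print("previous C2 candidates:", history)
```

Feeding it the saved HTML of a suspect profile (fetched separately, since this block runs offline) gives a ready list of addresses to block and to pivot on.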
Although a direct relationship has not been confirmed, Vidar is a stealer known to be used by Scattered Spider, aka UNC3944, a criminal group responsible for many high-profile victims, including MGM Grand, Caesars, Snowflake, LastPass, Apple, Walmart, and Zendesk. Recently the head of the group was arrested by the FBI, but its operations continue.
Malware Sample Information
MD5: 8cfe70cf4f35c7f9b4ddba327d44c1f8
https://tria.ge/240617-fvryqazelj/behavioral1
https://steamcommunity.com/profiles/76561199699680841
(Image: Malicious usage of a Steam profile that contains the C2 location)
65.109.240.138 (currently offline)
ISP: Hetzner Online GmbH
Country: Finland
ASN: AS24940
65.109.243.78 (currently offline)
ISP: Hetzner Online GmbH
Country: Finland
ASN: AS24940
95.216.142.162
ISP: Hetzner Online GmbH
Country: Finland
ASN: AS24940
Of the three, only 95.216.142.162 is still online. It has a single open port, 443, whose banner contains a recent date/time stamp. We can attempt to pivot off this potentially unique banner using free accounts with Shodan or Censys.
With Censys we take that banner in hex (to avoid formatting problems with the CR/LF line endings and angle brackets) and build a custom search query for matches on the same ASN. Decoded, the banner is an nginx "302 Moved Temporarily" response redirecting to https://google.com; the Date header value appears as <REDACTED> in the stored banner, so the query matches regardless of when the banner was captured.
Censys Query:
(services.banner_hex="485454502f312e3120333032204d6f7665642054656d706f726172696c790d0a5365727665723a206e67696e780d0a446174653a20203c52454441435445443e0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a203133380d0a436f6e6e656374696f6e3a206b6565702d616c6976650d0a4c6f636174696f6e3a2068747470733a2f2f676f6f676c652e636f6d0d0a") and autonomous_system.name=`HETZNER-AS`
Our search returns a list of sixteen IP addresses on this ASN presenting the same service banner, most if not all of which are Vidar C2. The list includes the pivot address 95.216.142.162 as well as 162.55.53.18, which the sample also reached via its Telegram dead drop (see below).
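To make the pivot reproducible for other banners, the block below decodes the page's banner_hex value back into text and rebuilds the same hex from a raw banner. This is an added example written for this report, not HYAS or Censys code, and it runs offline: the hex string is copied from the query above (page data), the raw banner with a real timestamp is constructed, and the two-space "Date:  <REDACTED>" form is taken from the page's own hex rather than from Censys documentation.

```python
"""Decode and rebuild the Censys banner_hex pivot used above.

Added example, not part of the original report or of any Censys tooling.
Runs offline on the hex string from the query above plus a constructed raw banner.
"""
import re

# banner_hex value from the Censys query above (page data, not constructed).
PAGE_BANNER_HEX = (
    "485454502f312e3120333032204d6f7665642054656d706f726172696c790d0a"
    "5365727665723a206e67696e780d0a"
    "446174653a20203c52454441435445443e0d0a"
    "436f6e74656e742d547970653a20746578742f68746d6c0d0a"
    "436f6e74656e742d4c656e6774683a203133380d0a"
    "436f6e6e656374696f6e3a206b6565702d616c6976650d0a"
    "4c6f636174696f6e3a2068747470733a2f2f676f6f676c652e636f6d0d0a"
)

# Constructed raw banner as the C2 on port 443 would return it before the
# timestamp is redacted. The Date value is made up for the example.
SAMPLE_RAW_BANNER = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Server: nginx\r\n"
    "Date: Sat, 15 Jun 2024 19:48:21 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 138\r\n"
    "Connection: keep-alive\r\n"
    "Location: https://google.com\r\n"
)

DATE_PLACEHOLDER = "<REDACTED>"


def decode_banner_hex(banner_hex: str) -> str:
    """Turn a Censys banner_hex value back into readable text."""
    return bytes.fromhex(banner_hex).decode("ascii")


def parse_banner(banner: str) -> dict:
    """Split an HTTP response banner into its status line and a header dict."""
    status, *lines = banner.split("\r\n")
    headers = {}
    for line in lines:
        if line:
            name, _, value = line.partition(":")
            headers[name.strip()] = value.strip()
    return {"status": status, "headers": headers}


def redact_date(banner: str) -> str:
    """Replace the Date header value the way the page's stored banner shows it.

    The page's hex decodes to "Date:  <REDACTED>\r\n" (two spaces), so that
    exact form is reproduced here; this is an observation from the hex, not
    a documented Censys rule.
    """
    return re.sub(r"\r\nDate:[^\r\n]*\r\n", f"\r\nDate:  {DATE_PLACEHOLDER}\r\n", banner)


def build_censys_query(raw_banner: str, asn_name: str) -> str:
    """Build the banner_hex pivot query from a raw banner.

    Hex encoding sidesteps quoting of CR/LF and angle brackets, and the Date
    value is redacted first so the query matches regardless of capture time.
    The field names and quoting follow the query on the page.
    """
    hexed = redact_date(raw_banner).encode("ascii").hex()
    return f'(services.banner_hex="{hexed}") and autonomous_system.name=`{asn_name}`'


if __name__ == "__main__":
    print(decode_banner_hex(PAGE_BANNER_HEX))
    print(build_censys_query(SAMPLE_RAW_BANNER, "HETZNER-AS"))
```

Because the redacted banner round-trips to exactly the page's hex, the same function can be pointed at a banner captured from any other suspect host to produce a drop-in Censys query for that infrastructure.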
Vidar C2 IOCs:
95.216.165.53
116.203.13.231
195.201.47.189
116.203.166.11
116.203.167.34
116.203.4.20
49.13.32.109
162.55.53.18
195.201.248.182
95.216.142.162
95.216.182.224
78.47.205.62
116.203.13.42
116.203.13.51
195.201.46.4
The same sample also contacted Telegram, where a similar technique is used to host a different address.
https://t.me/memve4erin
https://tria.ge/240617-fvryqazelj/behavioral2
162.55.53.18:9000
ISP: Hetzner Online GmbH
ASN: AS24940
Country: Germany
5.42.67.8
ISP: LetHost LLC
Location: Russia
ASN: AS210352
In our detonation, after Telegram was contacted, the sample reached out to another IP, 5.42.67.8, which may have come from a prior value of the Telegram field (unconfirmed; unlike Steam, there is no historical record for this field). HYAS Insight, our threat intelligence solution, was able to provide recent information about C2 usage on this server. The login screen on this server is for RisePro malware, however, so it is possible that multiple actors or campaigns are using the same server. It is not uncommon for a malicious server to be shared in this way.
Date: 2024/06/15 19:48:21 UTC (Most recent data)
C2 Admin URL: http://5.42.67.8:8081/
Actor IP: 109.95.78.5
Geo: 55.434553 36.696945
Device User Agent: Mozilla/5.0 (Linux; Android 14; 23021RAA2Y Build/UKQ1.230917.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/125.0.6422.165 Mobile Safari/537.36
(Image: Login screen of Risepro C2 hosted on server)
(Image: Actor who logged into C2 server’s GPS location, southwest of Moscow)
Disclaimer: This Threat Intelligence Report is provided “as is” and for informational purposes only. HYAS disclaims all warranties, express or implied, regarding the report’s completeness, accuracy, or reliability. You are solely responsible for exercising your own due diligence when accessing and using this Report's information. The analyses expressed in this Report reflect our current understanding of available information based on our independent research using the HYAS Insight platform. The Report’s inclusion of any companies, organizations, or ASNs does not imply any wrongdoing on their part; it is simply an indication of where digital threat activities have been observed. HYAS reserves the right to update the Report as additional information is made known to us.