Emerging Threats has observed an uptick in Vidar Stealer malware that abuses Steam user profiles to distribute C2 server configuration. Vidar Stealer is an information stealer that is either a fork of, or closely related to, the Arkei information stealer. According to Check Point, Vidar has become one of the top ten most prevalent malware families following a series of fake Zoom campaigns. Vidar’s goal is usually to steal sensitive information from infected hosts, such as digital wallets and web browser data.
When the sample first executes, it begins to profile the machine. In one of the first steps it queries api[.]2ip[.]ua to acquire the victim host’s public IP address.
The sample then sends a request to a Telegram account to retrieve the initial C2 server address. The malware uses the following static User-Agent for this request:
Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0
Example GET Request
Telegram C2 Account
C2 Format '<random name> hxxp://<ip_address>|'
Once the C2 IP address is retrieved the sample performs a check-in and receives instructions on what data should be stolen.
C2 Instructions in Response
Once the instructions are received, the client downloads a .zip containing several benign DLLs that are used to harvest data from the host. Common names for the archive are:
- Pack.zip
- Upgrade.zip
- update.zip
Contents of pack.zip
After the resources are downloaded, Vidar creates a .zip containing the stolen data, which is then base64 encoded and exfiltrated via a POST request.
Exfiltration Traffic
Base64 Decoded Traffic Reveals Stolen Firefox History
Contents Of Exfiltrated .zip
Screen Shot Of The Victim Desktop Is Taken During Execution And Exfiltrated
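The exfiltration described above (a .zip of stolen data, base64 encoded, sent in a POST body) is something a defender can triage mechanically. The following is an added example, not code from the original post or from Emerging Threats: it strictly base64-decodes a captured POST body, checks for the ZIP local-file-header magic, and lists the archive members. The sample archive and its member names are constructed here for the demonstration and do not claim to reproduce Vidar’s real file naming.

```python
import base64
import binascii
import io
import zipfile
from typing import Optional

# Local file header signature that begins every non-empty ZIP archive.
ZIP_MAGIC = b"PK\x03\x04"


def decode_body(body: bytes) -> Optional[bytes]:
    """Strictly base64-decode a POST body; return None if it is not base64.

    validate=True rejects bodies containing non-alphabet bytes, so ordinary
    text or form-encoded data is not mistaken for an encoded payload.
    """
    try:
        return base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None


def inspect_post_body(body: bytes) -> Optional[dict]:
    """Return archive metadata if the body is a base64-encoded ZIP, else None."""
    raw = decode_body(body.strip())
    if raw is None or not raw.startswith(ZIP_MAGIC):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(raw)) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        # Magic matched but the central directory is damaged or truncated;
        # still worth flagging, since a partial capture looks like this.
        return {"zip": True, "members": [], "decoded_size": len(raw), "truncated": True}
    return {"zip": True, "members": members, "decoded_size": len(raw), "truncated": False}


def build_sample_body() -> bytes:
    """Constructed sample: a tiny ZIP, base64 encoded the way the post describes.

    Member names are illustrative placeholders, not Vidar's actual naming.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("history.txt", "https://example.com/\n")
        zf.writestr("screenshot.jpg", b"\xff\xd8\xff")  # JPEG header bytes only
    return base64.b64encode(buf.getvalue())


if __name__ == "__main__":
    print(inspect_post_body(build_sample_body()))
    print(inspect_post_body(b"cGxhaW4gdGV4dA=="))  # base64 of "plain text": not a zip
```

In a sensor pipeline the same check would run on the decoded request body of each flagged POST; the `truncated` field distinguishes a clean archive from a partial capture, which is common when the session is cut mid-upload.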
In another sample, a Steam profile URL can be seen in memory during execution. Reviewing the profile reveals another C2 address, which is used for further exfiltration.
Steam Profile With C2 Server Address In Username
Additional Checkin And Exfil To C2 Server From Steam Profile
Here are a few Steam profiles that have been used to host C2 server configuration:
- Profile: hxxps://steamcommunity.com/profiles/76561199469016299
- C2: hxxp://78.47.225[.]61|
- Profile: hxxps://steamcommunity.com/profiles/76561199469677637
- C2: hxxp://78.47.172[.]233|
- Profile: hxxps://steamcommunity.com/profiles/76561199443972360
- C2: hxxp://78.46.238[.]118|
- Profile: hxxps://steamcommunity.com/profiles/76561199446766594
- C2: hxxp://78.47.233[.]145|
- Profile: hxxps://steamcommunity.com/profiles/76561199445991535
- C2: hxxp://142.132.169[.]161|
- Profile: hxxps://steamcommunity.com/profiles/76561199441933804
- C2: hxxp://142.132.236[.]84|
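Both the Telegram account and the Steam profile display name carry the C2 address in the same format shown earlier, `<random name> hxxp://<ip_address>|`. The following added example (not code from the original post or from Emerging Threats) extracts and validates the IP from a profile display name so that it can be matched against a blocklist or defanged for reporting. It accepts both live (`http`) and defanged (`hxxp`, `[.]`) spellings. The profile IDs and C2 IPs are those listed in the post; the display names themselves are constructed, since the post does not show them.

```python
import ipaddress
import re
from typing import Dict, Optional

# Format documented in the post: '<random name> hxxp://<ip_address>|'.
# The name is lazy-matched so a bare 'http://<ip>|' also parses; the trailing
# pipe is mandatory, which keeps ordinary profile names with URLs from matching.
_C2_PATTERN = re.compile(
    r"^(?P<name>.*?)\s*h(?:xx|tt)ps?://"
    r"(?P<host>[0-9]{1,3}(?:(?:\.|\[\.\])[0-9]{1,3}){3})\|$"
)


def extract_c2(display_name: str) -> Optional[str]:
    """Return the C2 IPv4 address encoded in a display name, or None."""
    m = _C2_PATTERN.match(display_name.strip())
    if not m:
        return None
    ip = m.group("host").replace("[.]", ".")
    try:
        ipaddress.IPv4Address(ip)  # rejects octets such as 999
    except ValueError:
        return None
    return ip


def defang(ip: str) -> str:
    """Render an IP safely for reports: 78.47.225.61 -> 78.47.225[.]61."""
    head, _, last = ip.rpartition(".")
    return f"{head}[.]{last}"


def scan_profile_names(names: Dict[str, str]) -> Dict[str, str]:
    """Map profile ID -> extracted C2 IP for every name that matches the format."""
    return {pid: ip for pid, raw in names.items() if (ip := extract_c2(raw))}


# Constructed sample: profile IDs and IPs from the post, random names invented.
SAMPLE_PROFILE_NAMES = {
    "76561199469016299": "wqhc6 http://78.47.225.61|",
    "76561199469677637": "xk9pl hxxp://78.47.172[.]233|",
    "76561199443972360": "Gordon Freeman",            # benign name, no hit
    "76561199446766594": "zz http://999.47.233.145|",  # malformed octet, no hit
}

if __name__ == "__main__":
    for pid, ip in scan_profile_names(SAMPLE_PROFILE_NAMES).items():
        print(pid, defang(ip))
```

Because the format is so rigid (scheme, IPv4 literal, trailing pipe), the same matcher is a reasonable basis for a content rule on the profile page or on the Telegram response; the `ipaddress` check is what separates a real address from look-alike text.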
After we contacted Steam regarding this C2 distribution method, they concluded that it is important for users to be able to share information via their profile and will not be taking action. As of 2023/01/18, all of the above Steam profiles are still active after being reported for abuse.
References
Vidar Trojan Analysis, Malware Overview by ANY.RUN
September 2022’s Most Wanted Malware: Formbook on Top While Vidar ‘Zooms’ Seven Places - Check Point Blog
IOCs
## C2 IP Addresses ##
5.75.182.6
78.47.225.61
78.47.172.233
78.47.233.145
78.46.238.118
91.107.158.249
142.132.169.161
## Files (MD5) ##
40d5e0f066caa3b5cdb4f97a6adf7bac
e8b5ced1c7421ee80a25afe48e816a08
deb6e2ba0b5da298a176f135d0dbb902
99ba29aa0086b1b1ac838d206b49715c
## Telegram Accounts ##
https://t.me/tgdatapacks
https://t.me/jetbim
## Steam Profiles ##
https://steamcommunity.com/profiles/76561199469016299
https://steamcommunity.com/profiles/76561199469677637
https://steamcommunity.com/profiles/76561199443972360
https://steamcommunity.com/profiles/76561199446766594
https://steamcommunity.com/profiles/76561199445991535
https://steamcommunity.com/profiles/76561199441933804
ET Vidar Signatures
ET MALWARE Arkei/Vidar/Mars Stealer Variant - 2036316
ET MALWARE Arkei/Vidar/Mars Stealer Variant CnC checkin commands - 2038523
ET MALWARE Arkei/Vidar/Mars Stealer Variant Data Exfiltration Attempt - 2038525
ET MALWARE Arkei/Vidar/Mars Stealer Variant DLL GET Request - 2038524
ET MALWARE Observed Vidar Stealer Domain (computerprotect .me) in TLS SNI - 2035873
ET MALWARE Possible Vidar Stealer C2 Config In Steam Profile - 2043334
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil - 2029236
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern - 2034813
ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved - 2035911
ET MALWARE Vidar/Arkei Stealer Client Data Upload - 2025431
ET MALWARE Vidar Stealer CnC Domain in DNS Lookup - 2035872
ET MALWARE Vidar Stealer - FaceIt Checkin Response - 2033066
ET MALWARE Vidar Stealer IP Address in DNS Query Response - 2043248
ET MALWARE Vidar Stealer Payload Delivery Domain (audacitya .org) in DNS Lookup - 2040140
ET MALWARE Win32/Vidar Variant/Mars CnC Activity (GET) - 2036667
ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil - 2033163
ET MALWARE Win32/Vidar Variant/Mars Stealer Resources Download - 2036654
ETPRO MALWARE Arkei/Vidar/Mars Stealer Variant CnC Response - 2853039
ETPRO MALWARE Arkei/Vidar/Mars Stealer Variant User-Agent Observed - 2853038
ETPRO MALWARE Arkei/Vidar Stealer Variant - Telegram Mirror Checkin - 2851826
ETPRO MALWARE Vidar/Arkei/Oski Variant Stealer POSTing Data to CnC - 2842708
ETPRO MALWARE Win32/Vidar/Arkei/Oski Variant Retrieving Payload - 2841407
ETPRO MALWARE Win32/Vidar/Arkei/Oski Variant Stealer Uploading System Information - 2841237
ETPRO MALWARE Win32/Vidar/Arkei/Oski Variant Stealer Uploading System Information M2 - 2841406