Emerging Threats has observed an uptick in Vidar Stealer malware that abuses Steam user profiles to distribute C2 server configuration. Vidar Stealer is an information stealer that is either a fork of, or closely related to, the Arkei information stealer. According to Check Point, Vidar became one of the ten most prevalent malware families following a series of fake Zoom campaigns. Vidar's goal is usually to steal sensitive information from infected hosts, such as digital wallets and web browser data.
When the sample first executes it begins to profile the machine. In one of the first steps it queries api[.]2ip[.]ua to acquire the victim host's public IP address.
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0
Example GET Request
Telegram C2 Account
C2 Format '<random name> hxxp://<ip_address>|'
Once the C2 IP address has been retrieved from the Telegram account, the sample performs a check-in with the C2 and receives instructions on what data should be stolen.
C2 Instructions in Response
Once the instructions are received, the client downloads a .zip containing several benign .dll files that are used to harvest data from the host. Common names for the archive are:
Contents of pack.zip
After the resources are downloaded, Vidar creates a .zip containing the stolen data, base64-encodes it, and exfiltrates it via a POST request.
Base64 Decoded Traffic Reveals Stolen Firefox History
Contents Of Exfiltrated .zip
Screen Shot Of The Victim Desktop Is Taken During Execution And Exfiltrated
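To give the exfiltration step a concrete shape, the following Python is an added illustration (not code from the Emerging Threats post or from Vidar itself). It rebuilds the traffic pattern just described (zip the stolen files, base64-encode the archive, POST it) on a constructed archive, and then shows the check an analyst would run on a captured POST body: locate the base64 run, decode it, confirm the ZIP magic, and list the entry names so the scope of the theft is visible. The file names in the archive, the multipart framing of the POST, and the 40-character minimum run length are assumptions made for the demonstration; the page does not spell out Vidar's exact archive layout or POST framing.

```python
import base64
import binascii
import io
import re
import zipfile
from typing import List, Optional, Tuple

ZIP_MAGIC = b"PK\x03\x04"
# "PK\x03\x04" base64-encodes to a string beginning "UEsDB", so a base64 run that
# starts this way is a cheap tell for an embedded zip before decoding anything.
# The 40-character minimum is an arbitrary floor to skip short junk (assumption).
B64_ZIP_RUN = re.compile(rb"UEsDB[A-Za-z0-9+/]{40,}={0,2}")


def build_sample_exfil_blob() -> bytes:
    """Constructed stand-in for the blob Vidar POSTs: a zip of 'stolen' files, base64-encoded.

    File names and contents are invented for this example; they are not from a real capture.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("information.txt", "OS: Windows 10 x64\nIP: 203.0.113.7\n")
        zf.writestr("History/Firefox_history.txt", "https://example.com/login\n")
        zf.writestr("screenshot.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    return base64.b64encode(buf.getvalue())


def build_sample_post(blob: bytes) -> bytes:
    """Wrap the blob in a multipart POST body (layout assumed, to exercise the scanner)."""
    boundary = b"----vidar-demo"
    return (b"--" + boundary + b"\r\n"
            b'Content-Disposition: form-data; name="file"\r\n\r\n'
            + blob + b"\r\n--" + boundary + b"--\r\n")


def decode_exfil_body(b64: bytes) -> Optional[List[str]]:
    """Base64-decode `b64`; if the result is a readable zip, return its entry names, else None."""
    compact = b"".join(b64.split())          # tolerate line-wrapped base64
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw.startswith(ZIP_MAGIC):        # not an archive: leave other POSTs alone
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(raw)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def find_exfil_archives(post_body: bytes) -> List[Tuple[int, List[str]]]:
    """Scan a raw POST body for base64 runs that decode to a zip.

    Returns (offset, entry names) for each hit, so the analyst sees what was taken.
    """
    hits: List[Tuple[int, List[str]]] = []
    for m in B64_ZIP_RUN.finditer(post_body):
        names = decode_exfil_body(m.group(0))
        if names is not None:
            hits.append((m.start(), names))
    return hits


if __name__ == "__main__":
    body = build_sample_post(build_sample_exfil_blob())
    for offset, names in find_exfil_archives(body):
        print(f"zip at offset {offset}: {names}")
```

The ZIP magic check is what keeps this from firing on every base64 form field: a body that decodes cleanly but does not begin with `PK\x03\x04` is ignored, and an archive that is truncated mid-flight is reported as no hit rather than as a half-read file list.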
In another sample a Steam profile URL can be seen in memory during execution. Reviewing the profile reveals another C2 address, which is used for further exfiltration.
Steam Profile With C2 Server Address In Username
Additional Checkin And Exfil To C2 Server From Steam Profile
Here are a few Steam profiles that have been used to host C2 server configuration.
- Profile: hxxps://steamcommunity.com/profiles/76561199469016299
- C2: hxxp://78.47.225[.]61|
- Profile: hxxps://steamcommunity.com/profiles/76561199469677637
- C2: hxxp://78.47.172[.]233|
- Profile: hxxps://steamcommunity.com/profiles/76561199443972360
- C2: hxxp://78.46.238[.]118|
- Profile: hxxps://steamcommunity.com/profiles/76561199446766594
- C2: hxxp://78.47.233[.]145|
- Profile: hxxps://steamcommunity.com/profiles/76561199445991535
- C2: hxxp://142.132.169[.]161|
- Profile: hxxps://steamcommunity.com/profiles/76561199441933804
- C2: hxxp://142.132.236[.]84|
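As an added example (not code from the Emerging Threats post), the following Python extracts a C2 address from profile text using the pipe-terminated `<random name> http://<ip>|` format described above. The same extractor covers both places the post shows the config being hosted: a Telegram channel description and a Steam persona name. The sample profile HTML and channel description are constructed, the span class used to locate the Steam persona name is an assumption about Steam's page markup, and the IP addresses come from documentation ranges rather than from the IOCs listed here.

```python
import ipaddress
import re
from typing import List, Optional

# Vidar publishes its C2 as "<random name> http://<ip>|" in a Steam persona name or a
# Telegram channel description. The trailing pipe terminates the address, so it is the
# discriminator that separates a C2 config from an ordinary URL in a profile.
C2_CONFIG = re.compile(r"(https?)://((?:\d{1,3}\.){3}\d{1,3})(?::(\d{1,5}))?\|")

# Steam renders the display name inside this span; the class name is an assumption
# about current Steam markup and is only used to locate the text.
PERSONA_SPAN = re.compile(r'<span class="actual_persona_name">(.*?)</span>', re.S)

# Constructed profile page, not a real capture; 192.0.2.0/24 is a documentation range.
SAMPLE_STEAM_PROFILE_HTML = """\
<html><body>
<div class="profile_header">
  <span class="actual_persona_name">hoyalbcl http://192.0.2.10|</span>
</div>
<div class="profile_summary">No information given.</div>
</body></html>
"""

# Constructed Telegram channel description in the same format, carrying a port this time.
SAMPLE_TELEGRAM_DESCRIPTION = "qwpeoz http://198.51.100.5:8080|"


def extract_c2_config(text: str) -> List[str]:
    """Return every well-formed C2 URL in `text` that follows Vidar's pipe-terminated format."""
    found: List[str] = []
    for scheme, host, port in C2_CONFIG.findall(text):
        try:
            ipaddress.ip_address(host)          # drops 999.1.1.1-style false positives
        except ValueError:
            continue
        url = f"{scheme}://{host}" + (f":{port}" if port else "")
        if url not in found:
            found.append(url)
    return found


def c2_from_steam_profile(html: str) -> Optional[str]:
    """Pull the persona name out of a Steam profile page and return the C2 it carries, if any."""
    m = PERSONA_SPAN.search(html)
    if not m:
        return None
    hits = extract_c2_config(m.group(1))
    return hits[0] if hits else None


def defang(url: str) -> str:
    """Rewrite a live C2 URL for safe inclusion in a report (hxxp://, [.])."""
    return (url.replace("http://", "hxxp://")
               .replace("https://", "hxxps://")
               .replace(".", "[.]"))


if __name__ == "__main__":
    print(defang(c2_from_steam_profile(SAMPLE_STEAM_PROFILE_HTML) or "none"))
    print([defang(u) for u in extract_c2_config(SAMPLE_TELEGRAM_DESCRIPTION)])
```

Requiring the literal pipe is deliberate: a profile that merely contains a URL is not evidence of anything, whereas an IP literal immediately followed by `|` matches the format the malware parses and is the same property the ET signature for Steam-hosted config keys on. The `ipaddress` check rejects octets above 255 that the loose regex would otherwise accept.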
Steam was contacted regarding this C2 distribution method; they concluded that it is important for users to be able to share information via their profile and will not be taking action. As of 2023/01/18 all of the above Steam profiles remain active despite having been reported for abuse.
## References ##
- Vidar Trojan Analysis, Malware Overview by ANY.RUN
- September 2022's Most Wanted Malware: Formbook on Top While Vidar 'Zooms' Seven Places, Check Point Software
## C2 IP Addresses ##
184.108.40.206
220.127.116.11
18.104.22.168
22.214.171.124
126.96.36.199
188.8.131.52

## Files (MD5) ##
40d5e0f066caa3b5cdb4f97a6adf7bac
e8b5ced1c7421ee80a25afe48e816a08
deb6e2ba0b5da298a176f135d0dbb902
99ba29aa0086b1b1ac838d206b49715c

## Telegram Accounts ##
https://t.me/tgdatapacks
https://t.me/jetbim

## Steam Profiles ##
https://steamcommunity.com/profiles/76561199469016299
https://steamcommunity.com/profiles/76561199469677637
https://steamcommunity.com/profiles/76561199443972360
https://steamcommunity.com/profiles/76561199446766594
https://steamcommunity.com/profiles/76561199445991535
https://steamcommunity.com/profiles/76561199441933804
## ET Vidar Signatures ##
ET MALWARE Arkei/Vidar/Mars Stealer Variant - 2036316
ET MALWARE Arkei/Vidar/Mars Stealer Variant CnC checkin commands - 2038523
ET MALWARE Arkei/Vidar/Mars Stealer Variant Data Exfiltration Attempt - 2038525
ET MALWARE Arkei/Vidar/Mars Stealer Variant DLL GET Request - 2038524
ET MALWARE Observed Vidar Stealer Domain (computerprotect .me) in TLS SNI - 2035873
ET MALWARE Possible Vidar Stealer C2 Config In Steam Profile - 2043334
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil - 2029236
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern - 2034813
ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved - 2035911
ET MALWARE Vidar/Arkei Stealer Client Data Upload - 2025431
ET MALWARE Vidar Stealer CnC Domain in DNS Lookup - 2035872
ET MALWARE Vidar Stealer - FaceIt Checkin Response - 2033066
ET MALWARE Vidar Stealer IP Address in DNS Query Response - 2043248
ET MALWARE Vidar Stealer Payload Delivery Domain (audacitya .org) in DNS Lookup - 2040140
ET MALWARE Win32/Vidar Variant/Mars CnC Activity (GET) - 2036667
ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil - 2033163
ET MALWARE Win32/Vidar Variant/Mars Stealer Resources Download - 2036654
ETPRO MALWARE Arkei/Vidar/Mars Stealer Variant CnC Response - 2853039
ETPRO MALWARE Arkei/Vidar/Mars Stealer Variant User-Agent Observed - 2853038
ETPRO MALWARE Arkei/Vidar Stealer Variant - Telegram Mirror Checkin - 2851826
ETPRO MALWARE Vidar/Arkei/Oski Variant Stealer POSTing Data to CnC - 2842708
ETPRO MALWARE Win32/Vidar/Arkei/Oski Variant Retrieving Payload - 2841407
ETPRO MALWARE Win32/Vidar/Arkei/Oski Variant Stealer Uploading System Information - 2841237
ETPRO MALWARE Win32/Vidar/Arkei/Oski Variant Stealer Uploading System Information M2 - 2841406