Vidar Stealer

This is going to be controversial.

Vidar Stealer made a 180-degree change in their C2 traffic. This is the official statement from their panel, both in Russian (original) and English (translated):

6.4 — Большое обновление софтовой части Переписана полностью вся кодовая часть софта. Теперь отправка лога осуществляется частями(пофайлово). За счёт пофайловой отправки улучшили отстук порядка +15-20 процентов. Улучшили рантайм. Улучшили валидность гугла. Улучшили определение дубликатов (добавили новый формат hwid, учитывающий не только железо, но и учетную запись системы). Улучшили граббер файлов, так же добавили новые настройки сбора файлов. Полностью переработали поддерживаемые браузеры, кошельки и плагины - теперь мы можем добавлять их без ребилда (если мы добавили кошелек в обнове, то и на старом билде начиная с этой обновы он будет собираться). Улучшили сбор информации о системе. Версии билда - формат .dll и dll внутри билда - временно не доступны они будут доработаны в самое ближайшее время. В ближайшее время перейдем полностью на отправку через https протокол. 20:36 06-11-2023

6.4 — Major update of the software The entire code part of the software has been completely rewritten. Now the log is sent in parts (by file). Due to file-by-file sending, the response rate was improved by about +15-20 percent. Improved runtime. Improved Google validity. Improved detection of duplicates (added a new hwid format that takes into account not only the hardware, but also the system account). The file grabber has been improved and new file collection settings have been added. We have completely redesigned supported browsers, wallets and plugins - now we can add them without rebuilding (if we added a wallet in an update, then it will be built on the old build starting with this update). Improved collection of information about the system. Build versions - .dll format and dll inside the build - are temporarily not available; they will be finalized in the very near future. In the near future we will switch completely to sending via the https protocol. 20:36 06-11-2023

Security researcher @crep1x also shared these changes:
crep1x on X: “Major update in #Vidar Stealer C2 communications, which exactly copy those of #Stealc In brief: - download legit third party DLLs (instead of a ZIP file) - get malware configurations (for browsers, crypto and grabber) - exfiltrate harvested data file by file - use of DDR :arrow_down: https://t.co/ycSpwxZlLF”

As you will notice, the traffic is a copycat of StealC, but this is not StealC; this is Vidar. Please note the use of DDR, as usual on Vidar Stealer.

Detonation is here.
Analysis b3mZSys16Tknx1WiONGW_Htk.exe (MD5: F61D67421AEBD15A4E3FD34BA7609B08) Malicious activity - Interactive analysis ANY.RUN

Any thoughts on how to start distinguishing these two long-known stealers?
We had some controversial thoughts on Mystic vs StealC before.

1 Like

Thanks for bringing this up! As you mentioned, it has come up before: when stealers begin to share code or styles, they become difficult to distinguish using just network traffic. In this case we will probably just add Vidar to the msg of the signatures and it will end up being Stealc/Vidar Style Activity or something similar.

JT

2 Likes

Hi, the promise to use https didn’t have to wait long. Here are links to tasks and descriptions of TLS certificates on these servers. ASN - Hetzner Online GmbH - AS24940
Samples:
Analysis https://drive.google.com/uc?export=download&confirm=no_antivirus&id=1F2G4sruvLsjR1_GMA1lXC0YkQhXMVmy1 Malicious activity - Interactive analysis ANY.RUN - 49.12.119.148
Analysis Soft[1].exe (MD5: 7918013AE55DE62F5E108342A464864C) Malicious activity - Interactive analysis ANY.RUN - 78.47.61.97
Analysis putty.exe (MD5: E7637F78F9D76C02E1A8D13FD53DE0D4) Malicious activity - Interactive analysis ANY.RUN - 116.203.7.211
Analysis 0161cdb73a523464e8caeea489bc0eef (MD5: 0161CDB73A523464E8CAEEA489BC0EEF) Malicious activity - Interactive analysis ANY.RUN - 116.202.189.41
Cert:

Connection: - TLSv12 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Subject: CN=116.203.7.211,OU=privateIP,O=StaticIP,L=NY,ST=NY,C=XX
Issuer:  CN=116.203.7.211,OU=privateIP,O=StaticIP,L=NY,ST=NY,C=XX
Serial:  1C15F09D602C845ABE041853614A6FE4EF6C4129
Valid Date: 2023-11-13 00:10:10.000 - 2033-11-10 00:10:10.000
Public key: rsa - rsaEncryption - 4096 - sha256WithRSAEncryption
DNS/IP:  -
Validation status:  self signed certificate

Subject: CN=116.202.189.41,OU=privateIP,O=StaticIP,L=NY,ST=NY,C=XX
Issuer:  CN=116.202.189.41,OU=privateIP,O=StaticIP,L=NY,ST=NY,C=XX

Subject: CN=78.47.61.97,OU=privateIP,O=StaticIP,L=NY,ST=NY,C=XX
Issuer:  CN=78.47.61.97,OU=privateIP,O=StaticIP,L=NY,ST=NY,C=XX

Subject: CN=49.12.119.148,OU=privateIP,O=StaticIP,L=NY,ST=NY,C=XX
Issuer:  CN=49.12.119.148,OU=privateIP,O=StaticIP,L=NY,ST=NY,C=XX

The Rule:

alert tls any any -> any any (msg:"ET MALWARE [ANY.RUN] Win32/Stealc/Vidar Stealer TLS Certificate";
flow:established,from_server;
tls.cert_subject;
content:"CN=";
pcre:"/^(?:25[0-5]|2[0-4]\d|[0-1]?\d{1,2})(?:\.(?:25[0-5]|2[0-4]\d|[0-1]?\d{1,2})){3}$/R";
content:"OU=privateIP";
content:"O=StaticIP";
content:"L=NY";
content:"ST=NY";
content:"C=XX";
classtype:trojan-activity;
reference:md5,8db522805e565ad411c8b713dd5558a1;
reference:url,app.any.run/tasks/f1d0c5fd-5e4e-49cc-984e-751cf7ea56fc;
sid:1; rev:1;)

Best regards, Jane :slight_smile:

1 Like
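The certificate pattern from the post above, expressed as a stand-alone Python check that can be run over certificate inventories or TLS logs outside Suricata. This is an added example, not code from the thread or from Emerging Threats. It parses the subject and issuer DNs into fields, so it does not depend on attribute order (ANY.RUN prints the CN first, whereas Suricata's tls.cert_subject buffer lists attributes in certificate order), reuses the rule's IPv4 regex for the CN, requires the fixed OU/O/L/ST/C values, and additionally requires issuer == subject, i.e. a self-signed certificate, which the rule's description mentions but does not itself check. The sample records are constructed: the four subjects quoted in the post plus benign and near-miss entries using documentation addresses (203.0.113.x, 198.51.100.x, 192.0.2.x).

```python
import ipaddress
import re

# IPv4 regex taken verbatim from the posted Suricata rule.
IPV4_RE = re.compile(
    r"^(?:25[0-5]|2[0-4]\d|[0-1]?\d{1,2})(?:\.(?:25[0-5]|2[0-4]\d|[0-1]?\d{1,2})){3}$"
)

# Fixed attribute values observed on the four servers listed in the thread.
EXPECTED_ATTRS = {"OU": "privateIP", "O": "StaticIP", "L": "NY", "ST": "NY", "C": "XX"}


def parse_dn(dn: str) -> dict:
    """Parse a comma-separated DN string ('CN=1.2.3.4,OU=x' or 'C=XX, ST=NY, ...')
    into a dict. Order-independent; backslash-escaped commas stay inside a value
    (minimal RFC 4514 handling, sufficient for subjects like the ones above)."""
    fields = {}
    for part in re.split(r"(?<!\\),", dn):
        key, sep, value = part.partition("=")
        if not sep:
            continue
        fields[key.strip()] = value.strip().replace("\\,", ",")
    return fields


def is_bare_ipv4(cn: str) -> bool:
    """True when the CN is nothing but an IPv4 literal (no hostname, no wildcard)."""
    if not IPV4_RE.match(cn):
        return False
    try:
        ipaddress.IPv4Address(cn)  # second opinion on oddities the regex accepts
    except ValueError:
        return False
    return True


def matches_stealc_vidar_cert(subject: str, issuer: str) -> bool:
    """Field-level equivalent of the posted rule plus a self-signed check:
    IPv4-only CN, the fixed OU/O/L/ST/C values, and issuer identical to subject."""
    subj = parse_dn(subject)
    if not is_bare_ipv4(subj.get("CN", "")):
        return False
    if any(subj.get(k) != v for k, v in EXPECTED_ATTRS.items()):
        return False
    return parse_dn(issuer) == subj


def scan(records):
    """Return the CN of every (server_ip, subject, issuer) record that matches."""
    return [parse_dn(s)["CN"] for _, s, i in records if matches_stealc_vidar_cert(s, i)]


# Constructed sample set: the four subjects quoted in the thread, plus benign and
# near-miss certificates (documentation IPs) to show what the heuristic ignores.
SAMPLE_CERTS = [
    ("116.203.7.211",
     "CN=116.203.7.211,OU=privateIP,O=StaticIP,L=NY,ST=NY,C=XX",
     "CN=116.203.7.211,OU=privateIP,O=StaticIP,L=NY,ST=NY,C=XX"),
    ("116.202.189.41",
     "CN=116.202.189.41,OU=privateIP,O=StaticIP,L=NY,ST=NY,C=XX",
     "CN=116.202.189.41,OU=privateIP,O=StaticIP,L=NY,ST=NY,C=XX"),
    ("78.47.61.97",
     "CN=78.47.61.97,OU=privateIP,O=StaticIP,L=NY,ST=NY,C=XX",
     "CN=78.47.61.97,OU=privateIP,O=StaticIP,L=NY,ST=NY,C=XX"),
    # Same kind of subject written in certificate order with ", " separators,
    # as a sensor that renders the DN differently might log it.
    ("49.12.119.148",
     "C=XX, ST=NY, L=NY, O=StaticIP, OU=privateIP, CN=49.12.119.148",
     "C=XX, ST=NY, L=NY, O=StaticIP, OU=privateIP, CN=49.12.119.148"),
    # Constructed benign: hostname CN, CA-issued.
    ("203.0.113.10",
     "CN=www.example.com,O=Example Corp,L=New York,ST=NY,C=US",
     "CN=Example CA,O=Example Corp,C=US"),
    # Constructed near miss: IP CN and the OU/O/L/ST values, but a different C.
    ("198.51.100.7",
     "CN=198.51.100.7,OU=privateIP,O=StaticIP,L=NY,ST=NY,C=US",
     "CN=198.51.100.7,OU=privateIP,O=StaticIP,L=NY,ST=NY,C=US"),
    # Constructed near miss: right attributes but issued by a CA, not self-signed.
    ("192.0.2.5",
     "CN=192.0.2.5,OU=privateIP,O=StaticIP,L=NY,ST=NY,C=XX",
     "CN=Example CA,O=Example Corp,C=US"),
]

if __name__ == "__main__":
    for cn in scan(SAMPLE_CERTS):
        print("Stealc/Vidar-style certificate, CN =", cn)
```

Running the script lists the four quoted CNs and nothing else. The self-signed requirement is the main difference from the Suricata rule: an IDS signature on the subject buffer alone cannot compare subject with issuer, but an offline scan over exported certificate metadata can, which removes a class of false positives from legitimately issued IP-address certificates.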

Awesome find! We got this in today’s release. Have a great weekend!

2049253 - ET MALWARE [ANY.RUN] Stealc/Vidar Stealer TLS Certificate

2 Likes

Hi, can I please add a link to this discussion to the rule 2049253?

reference:url,community.emergingthreats.net/t/vidar-stealern/;

Thanks! Updated signatures will go out today.

JT

1 Like