Blog

Inside the SOC

A Surge of Vidar: Network-based details of a prolific info-stealer

A Surge of Vidar: Network-based details of a prolific info-stealer Default blog imageDefault blog image
10
Feb 2023
10
Feb 2023

In the latter half of 2022, Darktrace observed a rise in Vidar Stealer infections across its client base. These infections consisted in a predictable series of network behaviors, including usage of certain social media platforms for the retrieval of Command and Control (C2) information and usage of certain URI patterns in C2 communications. In the blog post, we will provide details of the pattern of network activity observed in these Vidar Stealer infections, along with details of Darktrace’s coverage of the activity. 

Background on Vidar Stealer

Vidar Stealer, first identified in 2018, is an info-stealer capable of obtaining and then exfiltrating sensitive data from users’ devices. This data includes banking details, saved passwords, IP addresses, browser history, login credentials, and crypto-wallet data [1]. The info-stealer, which is typically delivered via malicious spam emails, cracked software websites, malicious ads, and websites impersonating legitimate brands, is known to access profiles on social media platforms once it is running on a user’s device. The info-stealer does this to retrieve the IP address of its Command and Control (C2) server. After retrieving its main C2 address, the info-stealer, like many other info-stealers, is known to download several third-party Dynamic Link Libraries (DLLs) which it uses to gain access to sensitive data saved on the infected device. The info-stealer then bundles the sensitive data which it obtains and sends it back to the C2 server.  

Details of Attack Chain 

In the second half of 2022, Darktrace observed the following pattern of activity within many client networks:

1. User’s device makes an HTTPS connection to Telegram and/or to a Mastodon server

2. User’s device makes an HTTP GET request with an empty User-Agent header, an empty Host header and a target URI consisting of 4 digits to an unusual, external endpoint

3. User’s device makes an HTTP GET request with an empty User-Agent header, an empty Host header and a target URI consisting of 10 digits followed by ‘.zip’ to the unusual, external endpoint

4. User’s device makes an HTTP POST request with an empty User-Agent header, an empty Host header, and the target URI ‘/’ to the unusual, external endpoint 

Figure 1: The above network logs, taken from Darktrace’s Advanced Search interface, show an infected device contacting Telegram and then making a series of HTTP requests to 168.119.167[.]188
Figure 2:  The above network logs, taken from Darktrace’s Advanced Search interface, show an infected device contacting a Mastadon server and then making a series of HTTP requests to 107.189.31[.]171

Each of these activity chains occurred as the result of a user running Vidar Stealer on their device. No common method was used to trick users into running Vidar Stealer on their devices. Rather, a variety of methods, ranging from malspam to cracked software downloads appear to have been used. 

Once running on a user’s device, Vidar Stealer went on to make an HTTPS connection to either Telegram (https://t[.]me/) or a Mastodon server (https://nerdculture[.]de/ or https://ioc[.]exchange/). Telegram and Mastodon are social media platforms on which users can create profiles. Malicious actors are known to create profiles on these platforms and then to embed C2 information within the profiles’ descriptions [2].  In the Vidar cases observed across Darktrace’s client base, it seems that Vidar contacted Telegram and/or Mastodon servers in order to retrieve the IP address of its C2 server from a profile description. Since social media platforms are typically trusted, this ‘Dead Drop’ method of sharing C2 details with malware samples makes it possible for threat actors to regularly update C2 details without the communication of these changes being blocked. 

Figure 3: A screenshot a profile on the Mastodon server, nerdculture[.]de. The profile’s description contains a C2 address 

After retrieving its C2 address from the description of a Telegram or Mastodon profile, Vidar went on to make an HTTP GET request with an empty User-Agent header, an empty Host header and a target URI consisting of 4 digits to its C2 server. The sequences of digits appearing in these URIs are campaign IDs. The C2 server responded to Vidar’s GET request with configuration details that likely informed Vidar’s subsequent data stealing activities. 

After receiving its configuration details, Vidar went on to make a GET request with an empty User-Agent header, an empty Host header and a target URI consisting of 10 digits followed by ‘.zip’ to the C2 server. This request was responded to with a ZIP file containing legitimate, third-party Dynamic Link Libraries such as ‘vcruntime140.dll’. Vidar used these libraries to gain access to sensitive data saved on the infected host. 

Figure 4: The above PCAP provides an example of the configuration details provided by a C2 server in response to Vidar’s first GET request 
Figure 5: Examples of DLLs included within ZIP files downloaded by Vidar samples

After downloading a ZIP file containing third-party DLLs, Vidar made a POST request containing hundreds of kilobytes of data to the C2 endpoint. This POST request likely represented exfiltration of stolen information. 

Darktrace Coverage

After infecting users’ devices, Vidar contacted either Telegram or Mastodon, and then made a series of HTTP requests to its C2 server. The info-stealer’s usage of social media platforms, along with its usage of ZIP files for tool transfer, complicate the detection of its activities. The info-stealer’s HTTP requests to its C2 server, however, caused the following Darktrace DETECT/Network models to breach:

  • Anomalous File / Zip or Gzip from Rare External Location 
  • Anomalous File / Numeric File Download
  • Anomalous Connection / Posting HTTP to IP Without Hostname

These model breaches did not occur due to users’ devices contacting IP addresses known to be associated with Vidar. In fact, at the time that the reported activities occurred, many of the contacted IP addresses had no OSINT associating them with Vidar activity. The cause of these model breaches was in fact the unusualness of the devices’ HTTP activities. When a Vidar-infected device was observed making HTTP requests to a C2 server, Darktrace recognised that this behavior was highly unusual both for the device and for other devices in the network. Darktrace’s recognition of this unusualness caused the model breaches to occur. 

Vidar Stealer infections move incredibly fast, with the time between initial infection and data theft sometimes being less than a minute. In cases where Darktrace’s Autonomous Response technology was active, Darktrace RESPOND/Network was able to autonomously block Vidar’s connections to its C2 server immediately after the first connection was made. 

Figure 6: The Event Log for an infected device, shows that Darktrace RESPOND/Network autonomously intervened 1 second after the device first contacted the C2 server 95.217.245[.]254

結論 

In the latter half of 2022, a particular pattern of activity was prolific across Darktrace’s client base, with the pattern being seen in the networks of customers across a broad range of industry verticals and sizes. Further investigation revealed that this pattern of network activity was the result of Vidar Stealer infection. These infections moved fast and were effective at evading detection due to their usage of social media platforms for information retrieval and their usage of ZIP files for tool transfer. Since the impact of info-stealer activity typically occurs off-network, long after initial infection, insufficient detection of info-stealer activity leaves victims at risk of attackers operating unbeknownst to them and of powerful attack vectors being available to launch broad compromises. 

Despite the evasion attempts made by the operators of Vidar, Darktrace DETECT/Network was able to detect the unusual HTTP activities which inevitably resulted from Vidar infections. When active, Darktrace RESPOND/Network was able to quickly take inhibitive actions against these unusual activities. Given the prevalence of Vidar Stealer [3] and the speed at which Vidar Stealer infections progress, Autonomous Response technology proves to be vital for protecting organizations from info-stealer activity.  

Thanks to the Threat Research Team for its contributions to this blog.

MITRE ATT&CK Mapping

List of IOCs

107.189.31[.]171 - Vidar C2 Endpoint

168.119.167[.]188 – Vidar C2 Endpoint 

77.91.102[.]51 - Vidar C2 Endpoint

116.202.180[.]202 - Vidar C2 Endpoint

79.124.78[.]208 - Vidar C2 Endpoint

159.69.100[.]194 - Vidar C2 Endpoint

195.201.253[.]5 - Vidar C2 Endpoint

135.181.96[.]153 - Vidar C2 Endpoint

88.198.122[.]116 - Vidar C2 Endpoint

135.181.104[.]248 - Vidar C2 Endpoint

159.69.101[.]102 - Vidar C2 Endpoint

45.8.147[.]145 - Vidar C2 Endpoint

159.69.102[.]192 - Vidar C2 Endpoint

193.43.146[.]42 - Vidar C2 Endpoint

159.69.102[.]19 - Vidar C2 Endpoint

185.53.46[.]199 - Vidar C2 Endpoint

116.202.183[.]206 - Vidar C2 Endpoint

95.217.244[.]216 - Vidar C2 Endpoint

78.46.129[.]14 - Vidar C2 Endpoint

116.203.7[.]175 - Vidar C2 Endpoint

45.159.249[.]3 - Vidar C2 Endpoint

159.69.101[.]170 - Vidar C2 Endpoint

116.202.183[.]213 - Vidar C2 Endpoint

116.202.4[.]170 - Vidar C2 Endpoint

185.252.215[.]142 - Vidar C2 Endpoint

45.8.144[.]62 - Vidar C2 Endpoint

74.119.192[.]157 - Vidar C2 Endpoint

78.47.102[.]252 - Vidar C2 Endpoint

212.23.221[.]231 - Vidar C2 Endpoint

167.235.137[.]244 - Vidar C2 Endpoint

88.198.122[.]116 - Vidar C2 Endpoint

5.252.23[.]169 - Vidar C2 Endpoint

45.89.55[.]70 - Vidar C2 Endpoint

References

[1] https://blog.cyble.com/2021/10/26/vidar-stealer-under-the-lens-a-deep-dive-analysis/

[2] https://asec.ahnlab.com/en/44554/

[3] https://blog.sekoia.io/unveiling-of-a-large-resilient-infrastructure-distributing-information-stealers/

More in this series:

該当する項目はありません。

Like this and want more?

Receive the latest blog in your inbox
ありがとうございます!あなたの投稿を受け取りました。
フォームを送信する際に何らかの問題が発生しました。
INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Roberto Romeu
Senior SOC Analyst
share this article
USE CASES
該当する項目はありません。
COre coverage
This Article
A Surge of Vidar: Network-based details of a prolific info-stealer
Share
Twitter logoLinkedIn logo

Related Articles

該当する項目はありません。

Good news for your business.
Bad news for the bad guys.

無償トライアルを開始

無償トライアルを開始

柔軟な導入
仮想的にインストールすることも、ハードウェアでインストールすることも可能です。
迅速なインストール
設定時間はわずか1時間、メールセキュリティのトライアルはさらに短時間で完了します。
製品を選ぶ
クラウド、ネットワーク、Eメールなど、最も必要とされる領域で自己学習型AIの能力をお試しください。
購入義務なし
Darktrace Threat Visualizerと組織毎にカスタマイズされた3回の脅威レポートへのフルアクセスを提供しますが、購入の義務はありません。
For more information, please see our Privacy Notice.
ありがとうございます!あなたの投稿を受け取りました。
フォームを送信する際に何らかの問題が発生しました。

デモを見る

柔軟な導入
仮想的にインストールすることも、ハードウェアでインストールすることも可能です。
迅速なインストール
設定時間はわずか1時間、メールセキュリティのトライアルはさらに短時間で完了します。
製品を選ぶ
クラウド、ネットワーク、Eメールなど、最も必要とされる領域で自己学習型AIの能力をお試しください。
購入義務なし
Darktrace Threat Visualizerと組織毎にカスタマイズされた3回の脅威レポートへのフルアクセスを提供しますが、購入の義務はありません。
ありがとうございます!あなたの投稿を受け取りました。
フォームを送信する際に何らかの問題が発生しました。

Check out this article by Darktrace: A Surge of Vidar: Network-based details of a prolific info-stealer