
StealC and Vidar malware campaign identified

Weekly Threat Intelligence Report

Date: June 24, 2024

Prepared by: David Brunsdon, Threat Intelligence – Security Engineer, HYAS

Malware developers will use all kinds of techniques to hide their C2 location and prevent security analysts from understanding how their malware works. A common technique is to have the malware communicate with a popular online service, such as Pastebin, where the malware will contact a URL that responds with the C2 server's IP address. This type of design keeps the C2 address out of the malware and allows the C2 operator to modify or remove the C2 destination as needed. If the right service is chosen, this request may go unnoticed as it is considered regular traffic.

We detonated a malware sample on Windows 7 that was identified as containing both StealC and Vidar, and found the same technique applied to the Steam gaming platform. In this case, the malware requests the page of a specific user account. The Steam user account name contains the IP address of a component of the C2 infrastructure. Steam even shows a history of the username, so we can see the previous IP addresses that have occupied that field.

Steam is an interesting choice as a retrieval vehicle for a C2 destination because it is a gaming platform that is not typically used on enterprise infrastructure, except perhaps at gaming companies. It is, however, commonly seen in residential network traffic. A more traditional choice would be a service typically visible in an organization's network traffic, such as a Microsoft service.
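An added example (not code from the HYAS report) of how an analyst might pull the dead-drop addresses out of a Steam profile's current and historical display names. It assumes the profile page carries the name in a span of class actual_persona_name and that Steam serves the name history as JSON at /profiles/<id>/ajaxaliases/; both payloads below are constructed samples that reuse the addresses quoted in the report.

```python
import json
import re
from html import unescape
from ipaddress import IPv4Address, AddressValueError

# Constructed sample of a Steam profile page fragment. The current display
# name carries the C2 address, the pattern described in the report.
# (Sample built for this example; the live page markup may differ.)
PROFILE_HTML = """
<div class="profile_header_content">
  <span class="actual_persona_name">95.216.142.162</span>
</div>
"""

# Constructed sample of the name-history response. Steam exposes previous
# display names at /profiles/<id>/ajaxaliases/ as JSON (format is an assumption).
ALIASES_JSON = """[
  {"newname": "95.216.142.162", "timechanged": "Jun 12 @ 4:03am"},
  {"newname": "65.109.243.78",  "timechanged": "Jun 3 @ 11:20pm"},
  {"newname": "65.109.240.138", "timechanged": "May 21 @ 9:17am"},
  {"newname": "gamer_joe",      "timechanged": "May 2 @ 8:00pm"}
]"""

IPV4_RE = re.compile(r"(?<!\d)(\d{1,3}(?:\.\d{1,3}){3})(?!\d)")
PERSONA_RE = re.compile(r'class="actual_persona_name">([^<]*)<')


def ipv4_candidates(text):
    """Return syntactically valid, globally routable IPv4 addresses in text."""
    found = []
    for cand in IPV4_RE.findall(text):
        try:
            ip = IPv4Address(cand)
        except AddressValueError:
            continue  # e.g. 999.1.1.1 looks like an address but is not one
        if ip.is_global and cand not in found:
            found.append(cand)
    return found


def current_name(html):
    m = PERSONA_RE.search(html)
    return unescape(m.group(1)).strip() if m else ""


def dead_drop_iocs(html, aliases_json):
    """Current display name first, then historical names, deduplicated."""
    names = [current_name(html)]
    names += [a["newname"] for a in json.loads(aliases_json)]
    iocs = []
    for name in names:
        for ip in ipv4_candidates(name):
            if ip not in iocs:
                iocs.append(ip)
    return iocs
```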

Although a direct relationship has not been confirmed, Vidar is an infostealer known to be used by Scattered Spider, aka UNC3944. This is a criminal organization responsible for numerous high-profile victims, including MGM Grand, Caesars, Snowflake, LastPass, Apple, Walmart, and Zendesk. Recently, the leader of the organization was arrested by the FBI, but their operations continue.


Information about malware samples

MD5: 8cfe70cf4f35c7f9b4ddba327d44c1f8
https://tria.ge/240617-fvryqazelj/behavioral1
https://steamcommunity.com/profiles/76561199699680841

(Image: Malicious use of a Steam profile containing the C2 location)

65.109.240.138 (currently offline)

ISP: Hetzner Online GmbH
Country: Finland
ASN: AS24940

65.109.243.78 (currently offline)

ISP: Hetzner Online GmbH
Country: Finland
ASN: AS24940

95.216.142.162

ISP: Hetzner Online GmbH
Country: Finland
ASN: AS24940

With this address, we can see that there is a single open port, 443, which has a banner containing a recent timestamp. We can try to pivot on this potentially unique banner using free accounts on Shodan or Censys.

With Censys, we can take this banner in hexadecimal (to avoid formatting issues) and create a custom search query to search for matches on this ASN.

Censys query:
services.banner_hex="485454502f312e3120333032204d6f7665642054656d706f726172696c790d0a5365727665723a206e67696e780d0a446174653a20203c52454441435445443e0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a203133380d0a436f6e6e65 and autonomous_system.name="HETZNER-AS"
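An added example (not from the HYAS report) showing what the banner_hex value above actually encodes and how the query is built from a captured HTTP response. Decoding the fragment shows an nginx "302 Moved Temporarily" response whose Date header Censys has stored as <REDACTED>, so a captured banner must have its Date value replaced the same way before its hex is compared; the sample response and the exact spacing around <REDACTED> are assumptions taken from the fragment, not a documented Censys rule.

```python
import re

# Constructed from the banner_hex fragment quoted in the report, with the
# extraction line-break spaces removed; the fragment is truncated mid-header.
REPORT_BANNER_HEX = (
    "485454502f312e3120333032204d6f7665642054656d706f726172696c790d0a"
    "5365727665723a206e67696e780d0a"
    "446174653a20203c52454441435445443e0d0a"
    "436f6e74656e742d547970653a20746578742f68746d6c0d0a"
    "436f6e74656e742d4c656e6774683a203133380d0a"
    "436f6e6e65"
)

# Constructed sample of what a probe of the C2 port might return; the Date
# value is made up and is exactly the part the normalisation strips.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Moved Temporarily\r\n"
    b"Server: nginx\r\n"
    b"Date: Mon, 17 Jun 2024 09:12:44 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 138\r\n"
    b"Connection: keep-alive\r\n\r\n"
)

DATE_HEADER_RE = re.compile(rb"^(Date:)[^\r\n]*", re.I | re.M)


def decode_banner(hex_text):
    """Turn a Censys banner_hex value back into readable text."""
    return bytes.fromhex(hex_text).decode("latin-1")


def normalise_banner(raw):
    """Replace the Date value with <REDACTED>, mirroring what the report's
    hex shows for the stored banner (the two spaces before the token are
    copied from that fragment; treat the exact form as an assumption)."""
    return DATE_HEADER_RE.sub(rb"\1  <REDACTED>", raw)


def matches_report_banner(raw, fragment_hex=REPORT_BANNER_HEX):
    """True when a captured response, once normalised, starts with the banner."""
    return normalise_banner(raw).hex().startswith(fragment_hex)


def banner_hex_query(raw, asn_name="HETZNER-AS"):
    """Build the Censys query the report used from a raw HTTP response."""
    return (f'services.banner_hex="{normalise_banner(raw).hex()}" '
            f'and autonomous_system.name="{asn_name}"')
```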


From our search, we obtain a list of sixteen IP addresses on this ASN that have the same service banner and are mostly, if not entirely, Vidar C2.


This same malware also contacted Telegram, where a similar technique is used to host a different address.

https://t.me/memve4erin
https://tria.ge/240617-fvryqazelj/behavioral2

162.55.53.18:9000
ISP: Hetzner Online GmbH
ASN: AS24940
Country: Germany

5.42.67.8
ISP: LetHost LLC
Country: Russia
ASN: AS210352

In our detonation, after Telegram was contacted, another IP address was contacted, which may come from a previous entry in the Telegram field (unconfirmed; there are no historical records for this field). HYAS Insight, our threat intelligence solution, was able to provide recent information on C2 usage on this server. However, the login screen on this server belongs to Risepro malware. It is therefore possible that several actors or campaigns use this same server. It is not uncommon for a malicious server to be shared in this way.

Date: 06/15/2024 19:48:21 UTC (most recent data)
C2 admin URL: http://5.42.67.8:8081/
Actor IP: 109.95.78.5
Geo: 55.434553 36.696945
Device User Agent: Mozilla/5.0 (Linux; Android 14; 23021RAA2Y Build/UKQ1.230917.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/125.0.6422.165 Mobile Safari/537.36

(Image: Risepro C2 login screen hosted on the server)

(Image: GPS location of the actor who connected to the C2 server, southwest of Moscow)



Disclaimer: This threat intelligence report is provided “as is” and for informational purposes only. HYAS disclaims any warranties, express or implied, regarding the completeness, accuracy or reliability of the report. You are solely responsible for exercising your own due diligence when accessing and using the information in this report. The analyses expressed in this report reflect our current understanding of the information available based on our independent research using the HYAS Insight platform. The inclusion in the report of companies, organizations or ASNs does not imply any wrongdoing on their part; it is simply an indication of where digital threat activities have been observed. HYAS reserves the right to update the report as additional information becomes available to us.

This is a Security Bloggers Network syndicated blog from HYAS Blog – 2024 written by David Brunsdon. Read the original post at: https://www.hyas.com/blog/stealc-and-vidar-malware-campaign-identified
