Vidar threat actors continue evolving their backend infrastructure, rotating IPs and increasingly anonymizing management activity with VPNs and Tor, while centralizing control on my-odin.com for affiliates. The update traces ongoing infrastructure changes through 2023, including GRE tunneling and connections to recruitment and coordination platforms. #Vidar #my-odin
Keypoints
- Vidar threat actors rotate their backend IP infrastructure, favoring providers in Moldova and Russia.
- Evidence shows actors anonymizing activity using public VPN services and Tor relays to hide in general Internet noise.
- The Vidar operation appears split into two components: one for regular customers and another for management/high-priority users.
- The domain my-odin[.]com is the primary location for affiliate authentication, file sharing, and panel administration; unauthenticated downloads redirect to the affiliate login page.
- RDP-based management shifted to new IPs (e.g., 5.252.176.49) with VPN relays (ProtonVPN), indicating efforts to conceal administration activity.
- Outbound connections to blonk[.]co and other infrastructure details (e.g., 185.173.93.98 as a conduit) suggest multi-faceted coordination, including potential victim targeting or affiliate recruitment.
- GRE tunneling observed between Vidar infrastructure and proxy_pass components, highlighting a more complex C2/contact path.
MITRE Techniques
- [T1021.001] Remote Services – RDP used to manage infrastructure. “The primary IP address (the ‘Managing IP’ in Figure 1) used to manage 5.252.176.49 was accessed via ‘new’ peers, utilizing the Remote Desktop Protocol (RDP). As far as we can tell, this server was previously accessed directly.”
- [T1090] Proxy – VPN/Tor anonymization to hide activity. ‘By using VPN infrastructure, which in at least part was also utilized by numerous other benign users, it is apparent that the Vidar threat actors may be taking steps to anonymize their management activities by hiding in general Internet noise.’
- [T1572] Protocol Tunneling – GRE tunneling used for C2 routing. ‘GRE tunnelling activity with 5.252.176.49.’
- [T1071.001] Web Protocols – Web-domain based management/communication. ‘Since August 2022, Vidar threat actors have utilized the domain my-odin[.]com as the primary location for managing various elements of their operation, including affiliate authentication, file sharing, and panel administration.’
- [T1059.004] Unix Shell – Bash script used in campaign setup. ‘the bash script responsible for installing the necessary components for a new Vidar campaign.’
Indicators of Compromise
- [IP Address] Vidar infrastructure IPs – 186.2.166.15, 5.252.179.201, 5.252.176.49, 185.173.93.98, 185.229.64.137
- [Domain] Vidar domains – my-odin[.]com, blonk[.]co
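As an added example (not from the Team Cymru report or this summary), the script below refangs the indicators listed above and labels flow and DNS records with the MITRE techniques the summary cites (RDP to the management IP, GRE tunnelling, lookups of my-odin[.]com). The record format and the sample lines are constructed assumptions, not real telemetry.

```python
import ipaddress

# Indicators exactly as listed in the summary above (defanged where published that way).
DEFANGED_IPS = ["186.2.166.15", "5.252.179.201", "5.252.176.49",
                "185.173.93.98", "185.229.64.137"]
DEFANGED_DOMAINS = ["my-odin[.]com", "blonk[.]co"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('my-odin[.]com') back into its real form."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


IOC_IPS = {ipaddress.ip_address(ip) for ip in DEFANGED_IPS}
IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

# Constructed sample records (assumed format): ts src dst proto dport [dns_query]
SAMPLE_FLOWS = """\
2023-05-02T10:14:03Z 10.0.0.5 5.252.176.49 tcp 3389
2023-05-02T10:14:09Z 10.0.0.5 5.252.176.49 gre 0
2023-05-02T10:15:00Z 10.0.0.7 8.8.8.8 udp 53 my-odin.com
2023-05-02T10:16:00Z 10.0.0.7 93.184.216.34 tcp 443
2023-05-02T10:17:00Z 10.0.0.9 185.173.93.98 tcp 443
"""


def classify_flow(record: str):
    """Return (ts, src, label) for a record that touches a Vidar indicator, else None."""
    fields = record.split()
    if len(fields) < 5:
        return None
    ts, src, dst, proto, dport = fields[:5]
    query = fields[5].lower().rstrip(".") if len(fields) > 5 else None
    try:
        dst_ip = ipaddress.ip_address(dst)
    except ValueError:
        return None
    # DNS lookups of the affiliate/management domain (or any subdomain) are checked first,
    # since the resolver address itself is usually benign.
    if query and any(query == d or query.endswith("." + d) for d in IOC_DOMAINS):
        return (ts, src, f"T1071.001 DNS lookup of Vidar domain {query}")
    if dst_ip not in IOC_IPS:
        return None
    if proto == "gre":
        return (ts, src, f"T1572 GRE tunnel to Vidar infrastructure {dst}")
    if proto == "tcp" and dport == "3389":
        return (ts, src, f"T1021.001 RDP to Vidar management IP {dst}")
    return (ts, src, f"contact with Vidar infrastructure IP {dst}")


def scan(flow_text: str):
    """Run classify_flow over every line and keep only the findings."""
    return [f for f in (classify_flow(line) for line in flow_text.splitlines()) if f]
```

Because the summary notes the actors hide behind public VPN and Tor exits, a hit on one of these IPs should be treated as a lead to pivot on, not as attribution by itself.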
Read more: https://www.team-cymru.com/post/darth-vidar-the-aesir-strike-back