EclecticIQ links a spearphishing campaign against Poland’s healthcare sector to Vidar Infostealer, with overlaps to Djvu and LockBit 2.0 ransomware activity, and describes how Vidar collects sensitive data and exfiltrates it via C2 channels (Telegram/Steam). The report also details the infection chain via an Excel XLL add-in, the use of packing and XOR decryption to conceal the payload, and practical mitigations for defense. #VidarInfostealer #DjvuRansomware #LockBit2 #NFZ #Poznan #XLL
Key points
- Explains a spearphishing campaign targeting a Polish hospital, delivering Vidar Infostealer via a malicious Excel XLL attachment.
- Describes the infection chain and payload delivery, including downloading Vidar and a decoy Excel file from app4j.org.
- Details Vidar’s capabilities (credential theft, browser data, 2FA codes) and its evasion techniques (packing, XOR, anti-debug/anti-emulation).
- Shows Vidar’s exfiltration and C2 communications, including a Telegram channel and other IPs/domains used for command and control.
- Notes overlaps with Djvu and LockBit 2.0 ransomware operations, suggesting a ransomware-affiliated actor or group behind the campaign.
- Offers mitigations: email authentication, anti-phishing filters, security awareness training, least-privilege access, backups, and MFA.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – ‘The infection chain starts with an email containing a Microsoft Excel XLL attachment. The email is addressed to [email protected] – the Provincial hospital in Poznań.’
- [T1204] User Execution: Malicious File – ‘If the attachment is opened, it will start downloading Vidar infostealer malware along with a decoy Excel sheet from app4j.org.’
- [T1137.006] Office Application Startup: Add-ins – ‘The AutoOpen function downloads two files: A ZIP file (the Vidar infostealer) and a decoy Excel file (XLSX).’
- [T1105] Ingress Tool Transfer – ‘The AutoOpen function downloads two files: A ZIP file (the Vidar infostealer) and a decoy Excel file (XLSX). After downloading, it starts to unzip Vidar and waits for 1.5 seconds before execution.’
- [T1027.009] Obfuscated Files or Information: Embedded Payloads – ‘The XOR decryption routine uses the first 24 bytes of the string from data section (RSRC / RT_RCDATA) “ANu$_Joe_B1den@798576564” as an XOR key to decrypt the final payload from RSRC.’
- [T1497] Virtualization/Sandbox Evasion – ‘Packing and XOR encryption routines… anti-debugging and anti-emulation techniques.’
- [T1057] Process Discovery – ‘Process tree shows the spawned Vidar as DATE2023.exe inside Excel.’
- [T1041] Exfiltration Over C2 Channel – ‘Stolen victim data is exfiltrated to multiple C2 servers controlled by the threat actor.’
- [T1071.001] Web Protocols – ‘Vidar starts sending GET requests to legitimate web servers like Telegram and Steam to get up-to-date C2 IP addresses.’
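The T1027.009 entry above describes the unpacking step an analyst has to reproduce to reach the final payload: a repeating-key XOR over the resource data using the 24-byte string quoted in the report. The following is an added analyst triage helper, not code from EclecticIQ or from the sample itself. The key string is the one quoted above; the resource layout (key string followed by the encrypted payload) and the payload bytes are constructed here as an assumption so the script runs offline, and the PE-header check is the usual sanity test that the decryption produced an executable rather than noise.

```python
"""Repeating-key XOR unpacker plus a PE sanity check, modelled on the
Vidar routine described in the report (key taken from the RT_RCDATA
string). Resource layout and payload bytes are constructed for this
example; they are not taken from the real sample."""
import struct

# Key string quoted in the report; its first 24 bytes form the XOR key.
KEY_STRING = b"ANu$_Joe_B1den@798576564"
KEY = KEY_STRING[:24]


def xor_decrypt(data: bytes, key: bytes = KEY) -> bytes:
    """Apply repeating-key XOR (symmetric, so the same call encrypts)."""
    klen = len(key)
    return bytes(b ^ key[i % klen] for i, b in enumerate(data))


def looks_like_pe(blob: bytes) -> bool:
    """Cheap post-decryption check: DOS 'MZ' header and an e_lfanew
    offset that points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_constructed_resource() -> bytes:
    """Construct a fake RT_RCDATA blob: key string followed by the
    XOR-encrypted payload. The 'key first, ciphertext after' layout is
    an assumption made for this example, not a fact from the report."""
    fake_pe = bytearray(0x80)
    fake_pe[:2] = b"MZ"
    struct.pack_into("<I", fake_pe, 0x3C, 0x40)      # e_lfanew -> 0x40
    fake_pe[0x40:0x44] = b"PE\x00\x00"
    fake_pe[0x44:] = b"constructed-stub".ljust(0x3C, b"\x00")
    return KEY_STRING + xor_decrypt(bytes(fake_pe))


def unpack_resource(resource: bytes) -> bytes:
    """Take the first 24 bytes as the key and decrypt the remainder."""
    key = resource[:24]
    return xor_decrypt(resource[24:], key)


if __name__ == "__main__":
    blob = build_constructed_resource()
    payload = unpack_resource(blob)
    print("encrypted looks like PE:", looks_like_pe(blob[24:]))
    print("decrypted looks like PE:", looks_like_pe(payload))
```

On a real sample the resource would be pulled from the RSRC section with a PE parser first; the point of the header check is that a wrong key or wrong offset fails loudly instead of producing a plausible-looking but useless blob.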
Indicators of Compromise
- [IP Address] – C2 endpoints observed in campaign: 135.181.87.234, 78.47.226.24, and 116.202.183.154
- [Domain/URL] – Command and control and drop domains: app4j.org, steamcommunity.com/profiles/76561199486572327
- [URL] – Telegram-based C2 channel: t.me/zaskullz
- [File Name] – Date2023.exe (Vidar dropper)
- [File Name] – FileTest.zip (Vidar packaged)
- [File Name] – Excel.xlsx (decoy)
- [File Hash] – 0f9677642599cf23aafe225ee2dbe403f305dc5801298b83ba19f6b939a8f914
- [File Hash] – 9916a835c20ea3eb75657f34eeb0fa152e72b374954bea087445d7e383e68455
- [File Hash] – 2b2f16c0535f90f325e46946ee695e830296e5eb18032db7233921bea65fb599
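The T1071.001 and T1041 entries and the indicator list above give a defender concrete things to hunt for in proxy or DNS logs: the three C2 IPs, the drop domain, and the two dead-drop resolver pages on Steam and Telegram. The script below is an added detection example, not part of the EclecticIQ report; the indicator values are the ones listed on this page, while the log format and the log lines are constructed for the example. It matches the Steam and Telegram hits on the exact profile and channel path rather than on the whole domain, since blocking or alerting on all of steamcommunity.com or t.me would drown the signal in false positives.

```python
"""Match the listed Vidar IoCs against proxy-style log lines.
Indicator values come from the report summary; the log format and
the log lines are constructed for this example."""
import re
from typing import Dict, List

C2_IPS = {"135.181.87.234", "78.47.226.24", "116.202.183.154"}
C2_DOMAINS = {"app4j.org"}
# Dead-drop resolver pages Vidar polls for current C2 IPs: match the
# exact profile / channel, not the whole Steam or Telegram domain.
DEAD_DROP_URLS = {
    "steamcommunity.com/profiles/76561199486572327",
    "t.me/zaskullz",
}
FILE_HASHES = {
    "0f9677642599cf23aafe225ee2dbe403f305dc5801298b83ba19f6b939a8f914",
    "9916a835c20ea3eb75657f34eeb0fa152e72b374954bea087445d7e383e68455",
    "2b2f16c0535f90f325e46946ee695e830296e5eb18032db7233921bea65fb599",
}

# Constructed proxy log: "<timestamp> <src_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2023-01-10T08:01:02Z 10.0.5.21 GET https://t.me/zaskullz 200
2023-01-10T08:01:03Z 10.0.5.21 GET https://steamcommunity.com/profiles/76561199486572327 200
2023-01-10T08:01:05Z 10.0.5.21 POST http://135.181.87.234/ 200
2023-01-10T08:02:11Z 10.0.5.40 GET https://steamcommunity.com/app/570 200
2023-01-10T08:03:00Z 10.0.5.21 GET https://app4j.org/FileTest.zip 200
2023-01-10T08:04:00Z 10.0.5.33 GET https://www.example.com/index.html 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)
URL_RE = re.compile(r"^(?:https?://)?([^/]+)(/.*)?$")


def classify_url(url: str) -> List[str]:
    """Return the IoC categories a URL matches (empty list if none)."""
    m = URL_RE.match(url)
    if not m:
        return []
    host = m.group(1).lower()
    path = m.group(2) or "/"
    hits: List[str] = []
    if host in C2_IPS:
        hits.append("c2_ip")
    if host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS):
        hits.append("c2_domain")
    if host + path.rstrip("/") in DEAD_DROP_URLS:
        hits.append("dead_drop_resolver")
    return hits


def scan_log(text: str) -> Dict[str, List[str]]:
    """Group IoC hits by source host: {src_ip: [category, ...]}.
    Lines that do not parse are skipped rather than raising."""
    findings: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for category in classify_url(m.group("url")):
            findings.setdefault(m.group("src"), []).append(category)
    return findings


def is_known_hash(sha256: str) -> bool:
    """Case-insensitive lookup of a SHA-256 against the listed hashes."""
    return sha256.strip().lower() in FILE_HASHES


if __name__ == "__main__":
    for src, cats in scan_log(SAMPLE_LOG).items():
        print(src, "->", ", ".join(cats))
```

A host that hits a dead-drop resolver and then a C2 IP within seconds, as 10.0.5.21 does in the constructed log, is the sequence the report describes; the resolver page is the more durable indicator, since the IPs it hands out are the part the operator can rotate.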