[Cyware] StealC & Vidar Malware Campaign Identified

HYAS details how StealC and Vidar malware disguise their C2 infrastructure by leveraging popular online services to fetch or hide C2 addresses, notably Pastebin and Steam. The campaign abuses the Steam platform as a dead-drop resolver: C2 information is embedded in user-facing pages and profiles so that the lookup blends in with ordinary traffic and evades detection. Hashtags: #StealC #Vidar

Keypoints

  • Malware developers frequently use popular online services like Pastebin to conceal C2 server addresses and enable easy changes or removals.
  • A StealC/Vidar sample on Windows 7 demonstrated the same technique being used on the Steam gaming platform.
  • The Steam approach involves the malware requesting a specific user’s page, where the username field can contain the C2 component’s IP address.
  • Steam is highlighted as an atypical vector for C2 traffic in an organizational setting: requests to it resemble residential traffic rather than the enterprise services defenders usually baseline.
  • Vidar is connected to UNC3944/Scattered Spider, a criminal group with multiple high-profile victims; the group’s leadership was recently arrested, yet operations continue.
  • IoCs include MD5 hashes, multiple IPs (notably Hetzner ASN addresses), and a Telegram contact used for related C2 activity.

MITRE Techniques

  • [T1102] Web Service – Malware uses online services to receive C2 IPs; e.g., “the malware will contact a URL that responds with the IP address of the C2 server.”
  • [T1102] Web Service – Steam-based C2 channel where “the steam user account name contains the IP address of a component of the C2 infrastructure.”

Indicators of Compromise

  • [MD5] 8cfe70cf4f35c7f9b4ddba327d44c1f8 – Malware sample identifier mentioned in the report.
  • [Domain] pastebin.com – Used as a C2/Auxiliary communication channel.
  • [Domain] store.steampowered.com/about – Steam domain involved in facilitating or displaying C2-related data.
  • [Domain] t.me/memve4erin – Telegram-based contact used in related C2 activity.
  • [IP] 65.109.240.138, 95.216.142.162, and 15 more addresses (Hetzner ASN, Vidar C2) – C2-related infrastructure observed.
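The two techniques above (a web-service lookup that returns a C2 IP, and a Steam profile whose username field carries the IP) can be triaged from proxy logs and from a captured profile page. The following Python is an added example, not code from the report or from HYAS; it reuses two of the report's IP indicators, while the `steamcommunity.com` host, the `actual_persona_name` span class, the profile id, the log format and the log lines themselves are constructed assumptions for this example.

```python
"""Triage helpers for the dead-drop-resolver pattern described in the report.

Added example: the IoC addresses come from the report; every host, path,
HTML class and log line below is constructed for illustration.
"""
import re
from ipaddress import ip_address

# Two of the seventeen Hetzner-hosted addresses quoted in the report.
REPORTED_C2_IPS = {"65.109.240.138", "95.216.142.162"}

# Services the report describes as places where C2 addresses are parked.
# Assumption: the profile host and the path shapes are not quoted in the
# report; they are what a hunter would start from.
DEAD_DROP_HOSTS = {
    "pastebin.com": re.compile(r"^/raw/"),
    "steamcommunity.com": re.compile(r"^/(profiles|id)/"),
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Assumption: the display name is rendered in a span with this class.
PERSONA_RE = re.compile(r'class="actual_persona_name"[^>]*>([^<]*)<')
LOG_RE = re.compile(
    r'src=(?P<src>\S+) host=(?P<host>\S+) path=(?P<path>\S+) ua="(?P<ua>[^"]*)"'
)


def public_ipv4s(text):
    """Return distinct, globally routable IPv4 literals found in text, in order."""
    seen, found = set(), []
    for literal in IPV4_RE.findall(text):
        try:
            ip = ip_address(literal)
        except ValueError:          # e.g. an octet above 255
            continue
        if ip.is_global and literal not in seen:
            seen.add(literal)
            found.append(literal)
    return found


def c2_from_profile(html):
    """Extract C2 candidates from a fetched profile page.

    An IP embedded in the username field is the signal the report describes;
    if none is there, fall back to any routable IP in the page body.
    """
    match = PERSONA_RE.search(html)
    if match:
        ips = public_ipv4s(match.group(1))
        if ips:
            return {"source": "persona_name", "ips": ips}
    return {"source": "page_body", "ips": public_ipv4s(html)}


def triage_proxy_log(lines):
    """Flag dead-drop fetches and direct contact with reported C2 addresses."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        host, path, ua = m["host"], m["path"], m["ua"]
        reasons = []
        path_pattern = DEAD_DROP_HOSTS.get(host)
        if path_pattern and path_pattern.match(path):
            reasons.append("dead-drop-resolver fetch")
        if host in REPORTED_C2_IPS:
            reasons.append("direct contact with reported C2 IP")
        if not reasons:
            continue
        # A non-browser user agent hitting a profile/raw page is the stronger
        # signal; a real browser on the same URL is usually a person.
        looks_like_browser = ua.startswith("Mozilla/5.0")
        severity = "high" if (host in REPORTED_C2_IPS or not looks_like_browser) else "medium"
        findings.append({"src": m["src"], "host": host, "path": path,
                         "reasons": reasons, "severity": severity})
    return findings


# Constructed sample inputs (not taken from the report).
SAMPLE_PROFILE_HTML = """<html><body>
<div class="profile_header"><span class="actual_persona_name">gamer_tag 65.109.240.138</span></div>
<p>No information given.</p></body></html>"""

SAMPLE_LOG = [
    '2024-06-14T10:02:11Z src=10.0.0.12 host=steamcommunity.com path=/profiles/76561190000000000 ua="Mozilla/4.0"',
    '2024-06-14T10:02:13Z src=10.0.0.12 host=65.109.240.138 path=/ ua="Mozilla/4.0"',
    '2024-06-14T10:05:40Z src=10.0.0.40 host=pastebin.com path=/ ua="Mozilla/5.0 (Windows NT 10.0) Firefox/126.0"',
]

if __name__ == "__main__":
    print(c2_from_profile(SAMPLE_PROFILE_HTML))
    for finding in triage_proxy_log(SAMPLE_LOG):
        print(finding)
```

The profile check pulls the address out of the name field even when it is padded with ordinary text, and the log triage deliberately leaves the browser visit to pastebin's front page alone: the signal is the combination of a dead-drop host, a raw/profile path and a client that is not a browser, not the host on its own.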

Read more: https://securityboulevard.com/2024/06/stealc-vidar-malware-campaign-identified