Keypoints
- Attackers compromise popular YouTube accounts and add download links in video descriptions or comments to distribute infostealer malware.
- Malicious payloads are hosted on file‑sharing services (e.g., MediaFire) inside password‑protected archives to evade security detection.
- Vidar distribution uses a benign‑looking executable that loads a patched msedge_elf.dll, which decrypts berley.asp and complot.ppt for shellcode and payload execution.
- Some distributors inflate the executable (to ~800 MB in one case) with patterned padding to evade detection; because the padding repeats it compresses well, so the downloaded archive stays small and the file only reaches its full size after extraction.
- Vidar uses Telegram and Steam Community profiles for C2 configuration; multiple IPs and fake shop domains are used as LummaC2 C2 endpoints.
- LummaC2 commonly appears as cracked commercial software installers and steals browser, email, FTP credentials, screenshots, and cryptocurrency wallet files.
- Shared C2 infrastructure and overlapping indicators suggest the same actors may operate multiple distribution campaigns.
MITRE Techniques
- [T1204.001] User Execution: Malicious Link – The download link is placed in the video description or comments of a hijacked channel; there is no targeted phishing message, so the Spearphishing (T1566) sub-techniques do not apply. (‘YouTube can attach malware download links not only to videos but also to descriptions and comments.’)
- [T1204.002] User Execution: Malicious File – The victim runs an installer-named executable or archive advertised as a crack or keygen. (‘malicious codes disguised as installation files’)
- [T1027] Obfuscated Files or Information – Payloads are delivered inside password-protected archives so that hosting services and scanners cannot inspect the contents. (‘password-protected compressed files’)
- [T1027.001] Binary Padding – Executables are inflated with repeating padding to hundreds of MB to evade scanning (see the ~800 MB sample in Keypoints).
- [T1102.001] Web Service: Dead Drop Resolver – Vidar reads its C2 address from a Steam Community profile and a Telegram channel page before contacting the C2 directly. (‘Vidar utilizes Telegram and Steam Community for communication with the C&C server.’)
- [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – Browser credential theft; email and FTP client credentials fall under the parent technique T1555. (‘steals account information from web browsers, emails, and FTP clients’)
- [T1113] Screen Capture – LummaC2 captures screenshots as part of its collection routine.
- Generic infostealer capabilities listed on the page without sample-specific evidence (each hedged with ‘may’):
  - [T1547.001] Registry Run Keys / Startup Folder – persistence via run keys or startup entries. (‘may establish persistence by adding entries to registry run keys or startup folders.’)
  - [T1059] Command and Scripting Interpreter – execution via PowerShell or WScript. (‘may use scripting interpreters like PowerShell or WScript to execute malicious payloads.’)
  - [T1082] System Information Discovery – host profiling to assess value and tailor exfiltration. (‘may gather system information to tailor their attacks or assess the value of the compromised system.’)
  - [T1056] Input Capture – keystroke or clipboard capture. (‘may capture user input, such as keystrokes or clipboard data, to steal sensitive information.’)
Indicators of Compromise
- [File Hash – MD5] Vidar and LummaC2 sample hashes – af273f24b4417dce302cf1923fb56c71 (Vidar loader msedge_elf.dll), 2414085b0a5bf49d9658f893c74cf15e (LummaC2 Adobe_Activator.exe), and 4 more hashes.
- [Filenames] Installation/distribution artifacts – Setup.exe / msedge_elf.dll (Vidar loader), berley.asp / complot.ppt (decoded shellcode/payload), Adobe_Activator.exe (LummaC2).
- [C2 URLs/domains] Command-and-control endpoints – hxxps://steamcommunity[.]com/profiles/76561199658817715 (Vidar), hxxps://t[.]me/sa9ok (Vidar), and multiple *.shop/api domains used by LummaC2.
- [IP Addresses] Direct C2 IPs – 78.47.221[.]177 (Vidar), 95.216.176[.]246:5432 (Vidar).
- [Hosting service] File hosting context – MediaFire-hosted password-protected archives used to deliver the malicious installers.
The attackers compromise established YouTube channels and edit video descriptions or post comments with links to password-protected archives hosted on file-sharing sites (notably MediaFire). The archives contain installer-named executables. Some campaigns deliberately inflate the executable with patterned padding to evade detection; since the padding repeats, the archive itself stays small and the file only balloons to hundreds of MB once extracted.
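A triage check for the padding trick described above, written as an added example rather than code from the ASEC report. It classifies each 4 KiB window of a file by how well zlib compresses it (a repeating pattern deflates to a few bytes; code and packed sections do not), reports what fraction of the file is padding and how small the whole file gets when compressed, and strips the trailing padding so the real payload can be hashed and scanned. The sample it runs on is constructed in memory (deterministic pseudo-random bytes standing in for the real PE content, followed by a repeating 16-byte pattern); the thresholds, window size and the 100 MB minimum are assumptions chosen for illustration, not values from the report.

```python
"""Detect installers inflated with patterned padding and recover the real payload.

Added example, not code from the ASEC report. Runs on a constructed sample,
not on a real malware file. Thresholds are illustrative assumptions.
"""
import random
import zlib

CHUNK = 4096                      # analysis window in bytes (assumption)
PAD_RATIO = 0.10                  # chunk compressing below 10% of its size = padding (assumption)
INFLATED_MIN = 100 * 1024 * 1024  # only bother flagging files at least this large (assumption)


def chunk_ratios(data: bytes, chunk: int = CHUNK) -> list[float]:
    """Per-chunk zlib ratio (compressed / original).

    Shannon entropy alone is a poor padding detector: a repeating 16-byte
    pattern still scores 4 bits/byte. Deflate, by contrast, collapses any
    short repeating pattern (or a run of zeros) to a handful of bytes.
    """
    return [len(zlib.compress(data[i:i + chunk], 6)) / len(data[i:i + chunk])
            for i in range(0, len(data), chunk)]


def padding_fraction(data: bytes) -> float:
    """Share of chunks classified as padding."""
    ratios = chunk_ratios(data)
    if not ratios:
        return 0.0
    return sum(1 for r in ratios if r < PAD_RATIO) / len(ratios)


def compression_ratio(data: bytes) -> float:
    """Whole-file ratio: a padded installer compresses to a small fraction of its size."""
    return len(zlib.compress(data, 6)) / len(data) if data else 1.0


def strip_trailing_padding(data: bytes, chunk: int = CHUNK) -> bytes:
    """Drop the run of padding chunks at the end of the file.

    Only trailing padding is removed; padding appended after the PE image
    does not disturb the headers, so the result can be hashed and scanned.
    """
    ratios = chunk_ratios(data, chunk)
    end = len(ratios)
    while end > 0 and ratios[end - 1] < PAD_RATIO:
        end -= 1
    return data[:end * chunk]


def assess(data: bytes, min_size: int = INFLATED_MIN) -> dict:
    """Summarise the file; 'inflated' needs size, padding share and compressibility to all agree."""
    pad = padding_fraction(data)
    ratio = compression_ratio(data)
    return {
        "size": len(data),
        "padding_fraction": pad,
        "compression_ratio": ratio,
        "inflated": len(data) >= min_size and pad >= 0.5 and ratio <= 0.05,
    }


def build_sample(payload_size: int = 64 * 1024,
                 total_size: int = 4 * 1024 * 1024) -> tuple[bytes, bytes]:
    """Constructed sample: deterministic random 'payload' then a repeating 16-byte pattern.

    Returns (payload, padded_file). 4 MiB keeps the demo fast; real cases are ~800 MB.
    """
    payload = random.Random(1).randbytes(payload_size)
    pattern = bytes(range(16))
    padding = (pattern * (total_size // len(pattern)))[:total_size - payload_size]
    return payload, payload + padding


if __name__ == "__main__":
    payload, sample = build_sample()
    verdict = assess(sample, min_size=1024 * 1024)  # lowered minimum for the small demo file
    print({k: (round(v, 4) if isinstance(v, float) else v) for k, v in verdict.items()})
    stripped = strip_trailing_padding(sample)
    print("recovered payload bytes:", len(stripped), "matches:", stripped == payload)
```

In practice, point `assess` at the extracted executable rather than the archive: the archive is small by design, and the size/compressibility contrast only shows once the file is unpacked. The stripped output, not the padded original, is what should be hashed and compared against the MD5s listed under Indicators of Compromise.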
In the Vidar cases, the installer-named executable is itself benign-looking but loads a patched msedge_elf.dll shipped beside it; that DLL decrypts the accompanying berley.asp and complot.ppt, which hold the shellcode and the Vidar payload, and executes them. The Steam Community profile and Telegram channel referenced by the sample carry the C2 address in their page content; Vidar retrieves it from there and then connects to the C2 IPs directly. LummaC2 samples are distributed as standalone malicious installers (e.g., Adobe_Activator.exe, Update-setup.exe) and perform typical infostealer actions: harvesting browser, email and FTP credentials, taking screenshots, and collecting cryptocurrency wallet files.
Shared C2 addresses and overlapping techniques (password‑protected archives, installer masquerading, C2 via legitimate services) indicate likely common actor activity across multiple distributions; identified IOCs include specific MD5 hashes, filenames, Steam and Telegram C2 endpoints, several IPs, and numerous fake shop API domains.
Read more: https://asec.ahnlab.com/ko/63697/