Darth Vidar: Evolution of Threat Infrastructure at Team Cymru

Team Cymru analyzes Vidar’s evolving threat infrastructure, highlighting domain shifts, proxy configurations, and anonymization methods (including Tor and Hola VPN) that complicate analysis. The post also covers a two-tier management architecture, payload updates (e.g., Opera Crypto form-grabbing) and broader infrastructure expansion, foreshadowing more campaigns to come. hashtags: #Vidar #TeamCymru #DJVU #OperaCrypto #Tor #HolaVPN #VidarC2

Keypoints

  • Vidar operators are using VPN gateways and Tor to anonymize operator activity, complicating comprehensive threat visibility.
  • Vidar infrastructure is expanding, with expectations of a new wave of customers and campaigns in the near term.
  • Infrastructure is split into two parts: a standard setup for customers and a separate management layer for operators (and potentially premium users).
  • The Vidar website has migrated domains (my-vidar.com to my-odin.com) and uses SSL certificates tied to hosting IPs, indicating ongoing infrastructure migration.
  • The Vidar web portal at /auth/ is used for campaign management and requires credentials plus a Google Authenticator token, suggesting a maintained operator-facing interface.
  • Archive Vida.tar.bz2 contains all Vidar web-server requirements and the payload, with install.sh and other files revealing deployment steps for new campaigns.
  • Proxy configuration (proxy.conf) reveals how access to the C2 is brokered: inbound requests are forwarded to a proxy_pass upstream whose IP has rotated over time, and requests carrying an empty User-Agent header are rejected with HTTP 403. That rule is access filtering against scanners and naive scripts that set no User-Agent, not authentication.
  • Vidar payload updates since 2023 include form-grabbing for the Opera Crypto browser, and Vidar has been observed deployed alongside DJVU ransomware and other malware families such as IcedID and RedLine Stealer, signalling ongoing evolution of capabilities and distribution partnerships.
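The proxy.conf keypoint above is the part of the archive a responder will want to triage first, because the proxy_pass target is the address the customer-facing front end actually forwards to. The following is an added example, not code from the Team Cymru post or from the Vida.tar.bz2 archive: a small extractor for nginx-style proxy configs that pulls out proxy_pass upstreams and any `if ($http_user_agent ...) { return NNN; }` rules. The SAMPLE_PROXY_CONF text is constructed for the example (it reuses the Jan 2023 proxy_pass IP from the IoC list, but its layout is an assumption, not the real file).

```python
import re
from typing import Dict, List

# Constructed stand-in for a Vidar-style nginx proxy.conf. It is NOT the real
# file from Vida.tar.bz2; only the upstream IP (Jan 2023 proxy_pass) comes from
# the published IoCs. The shape of the User-Agent rule is an assumption.
SAMPLE_PROXY_CONF = """
server {
    listen 80;
    server_name _;

    # reject clients that send no User-Agent (scanners, curl without -A)
    if ($http_user_agent = "") {
        return 403;
    }

    location / {
        proxy_pass http://94.231.205.192:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
"""

# proxy_pass <target>;   (target may be http://host, http://host:port, or an upstream name)
PROXY_PASS_RE = re.compile(r"^\s*proxy_pass\s+(?P<target>\S+?)\s*;", re.M)

# if ($http_user_agent <op> "<value>") { return <code>
UA_RULE_RE = re.compile(
    r'if\s*\(\s*\$http_user_agent\s*(?P<op>=|!=|~\*?|!~\*?)\s*"(?P<value>[^"]*)"\s*\)'
    r"\s*\{\s*return\s+(?P<code>\d{3})",
    re.S,
)


def strip_comments(text: str) -> str:
    """nginx comments run from '#' to end of line; drop them before matching."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_proxy_conf(text: str) -> Dict[str, List[dict]]:
    """Return the proxy_pass upstreams and User-Agent filter rules found in an nginx config."""
    text = strip_comments(text)

    upstreams = []
    for m in PROXY_PASS_RE.finditer(text):
        target = m.group("target")
        hostport = re.sub(r"^\w+://", "", target).rstrip("/")   # "http://1.2.3.4:80" -> "1.2.3.4:80"
        host, _, port = hostport.partition(":")
        upstreams.append({"host": host, "port": int(port) if port.isdigit() else 80})

    ua_rules = [
        {"op": m.group("op"), "value": m.group("value"), "code": int(m.group("code"))}
        for m in UA_RULE_RE.finditer(text)
    ]
    return {"upstreams": upstreams, "ua_rules": ua_rules}


def blocks_empty_user_agent(parsed: Dict[str, List[dict]]) -> bool:
    """True if the config returns 403 to requests whose User-Agent is empty."""
    return any(
        r["op"] == "=" and r["value"] == "" and r["code"] == 403
        for r in parsed["ua_rules"]
    )


if __name__ == "__main__":
    parsed = parse_proxy_conf(SAMPLE_PROXY_CONF)
    for up in parsed["upstreams"]:
        print(f"proxy_pass upstream: {up['host']}:{up['port']}")
    print("empty User-Agent rejected with 403:", blocks_empty_user_agent(parsed))
```

Run it against each proxy.conf recovered from a customer VPS and diff the upstream list over time; the rotating proxy_pass IPs on this page are exactly the kind of change that shows up first there. The regexes deliberately do not try to be a full nginx parser, so nested `include` files still need to be fed in separately.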

MITRE Techniques

  • [T1090.004] Multi-hop Proxy – Vidar uses VPN gateways and Tor to anonymize operators; “Russian VPN gateways are potentially providing anonymity for Vidar operators / customers, making it more challenging for analysts to have a complete overview of this threat. These gateways now appear to be migrating to Tor.”
  • [T1583] Acquire Infrastructure – Vidar operators appear to be expanding their infrastructure, so analysts need to keep them in their sights. We expect a new wave of customers and as a result, an increase of campaigns in the upcoming weeks.
  • [T1105] Ingress Tool Transfer – A bash script which is run on the user / customer VPS server to download all the web-server requirements for the set up of a new Vidar campaign.
  • [T1071.001] Web Protocols – The proxy_pass IP is used to route traffic to TCP/80 on 185.173.93.98 (ADMAN-AS, RU), an IP which also receives inbound connections from two further IPs assigned to ‘ProManaged LLC’.
  • [T1566] Phishing – Delivery methodology for Vidar has varied over time, using email / phishing lures and ‘poisoned’ cracked software that impersonates products such as AnyDesk and Windows, the latter promoted through SEO impersonation and YouTube videos that dupe users into downloading the malware.
  • [T1078] Valid Accounts – The /auth/ path hosts the Vidar users’ (customers’) web portal, where a dashboard is provided for managing the payloads tied to their campaigns, victim assets, etc.

Indicators of Compromise

  • [Hash] Vidar sample hashes – 13e384c54054a094b8045928c8ec9d3697372e551e4887b4ea9e18e319f0f40b, 89710436ac93f0216ddd9338d76d1dcbf3cfb3991d72ae1a1d310eeb3699c439
  • [IP Address] Vidar main website hosts/management – 186.2.166.15 (my-odin.com)
  • [IP Address] Bofbot platform hosting – 186.2.166.10 (bofbot.com)
  • [IP Address] Proxy Pass (Jan 2023) – 94.231.205.192
  • [IP Address] Proxy Pass (Dec 2023) – 194.99.22.147
  • [IP Address] Rerouted proxy traffic – 185.173.93.98
  • [Domain] Vidar hosting domains – my-odin.com, old.my-vidar.com
  • [URL] Telegram datapack links – https://t.me/tgdatapacks, https://t.me/year2023start
  • [Domain] DJVU payload host – spaceris.com
  • [Domain] Vidar top domain – uaery.top
  • [IP Address] DJVU and related hosting – 175.120.254.9 (spaceris.com)
  • [Domain] Old/new Vidar domains – old.my-vidar.com, new.my-odin.com
  • [File] Vidar archive and scripts – Vida.tar.bz2, install.sh
  • [URL] C2 discovery (dead-drop) URLs – https://t.me/jetbim, https://steamcommunity.com/profiles/76561199469677637 (Telegram channel and Steam profile from which the payload retrieves its current C2 address)
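To make the IoC list above actionable, here is an added example (not from the Team Cymru post) of a small matcher that runs the page's indicators over DNS, HTTP-proxy and file-hash events. The log format (`kind key=value ...`) and the SAMPLE_LOG lines are constructed for the example; the only real data are the indicators copied from the list. One assumption is deliberate: listed hostnames are reduced to their registered domain (old.my-vidar.com is matched as my-vidar.com) so that subdomains such as new.my-odin.com are caught, while a suffix check prevents my-odin.com.example.net from matching.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Indicators from the IoC list on this page. Hostnames are reduced to the
# registered domain so subdomains match (an assumption made for this example).
IOC_DOMAINS = {"my-odin.com", "my-vidar.com", "bofbot.com", "spaceris.com", "uaery.top"}
IOC_IPS = {
    "186.2.166.15", "186.2.166.10", "94.231.205.192",
    "194.99.22.147", "185.173.93.98", "175.120.254.9",
}
IOC_SHA256 = {
    "13e384c54054a094b8045928c8ec9d3697372e551e4887b4ea9e18e319f0f40b",
    "89710436ac93f0216ddd9338d76d1dcbf3cfb3991d72ae1a1d310eeb3699c439",
}
IOC_URLS = {
    "https://t.me/tgdatapacks",
    "https://t.me/year2023start",
    "https://t.me/jetbim",
    "https://steamcommunity.com/profiles/76561199469677637",
}


def normalise_url(url: str) -> str:
    """scheme://host/path with a lower-cased host and no trailing slash (query/fragment dropped)."""
    p = urlsplit(url)
    if not p.hostname:
        return url
    return f"{p.scheme.lower()}://{p.hostname}{p.path.rstrip('/')}"


_IOC_URL_KEYS = {normalise_url(u) for u in IOC_URLS}


def match_domain(name: str) -> Optional[str]:
    """Return the listed domain that `name` equals or is a subdomain of, else None."""
    name = name.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


@dataclass
class Hit:
    line_no: int
    kind: str        # "domain" | "ip" | "url" | "sha256"
    indicator: str
    line: str


def scan(lines: List[str]) -> List[Hit]:
    """Match each `kind key=value ...` event against the IoC sets."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if not parts:
            continue
        kind = parts[0]
        kv = dict(f.split("=", 1) for f in parts[1:] if "=" in f)

        if kind == "dns":
            ioc = match_domain(kv.get("query", ""))
            if ioc:
                hits.append(Hit(n, "domain", ioc, line))

        elif kind == "http":
            dst = kv.get("dst", "")
            if dst in IOC_IPS:
                hits.append(Hit(n, "ip", dst, line))
            url = kv.get("url", "")
            key = normalise_url(url)
            if key in _IOC_URL_KEYS:          # exact dead-drop URL beats a bare domain hit
                hits.append(Hit(n, "url", key, line))
            else:
                ioc = match_domain(urlsplit(url).hostname or "")
                if ioc:
                    hits.append(Hit(n, "domain", ioc, line))

        elif kind == "file":
            digest = kv.get("sha256", "").lower()  # tolerate upper-case hashes from EDR exports
            if digest in IOC_SHA256:
                hits.append(Hit(n, "sha256", digest, line))
    return hits


# Constructed sample events (not real telemetry). Non-IoC addresses use RFC 5737 ranges.
SAMPLE_LOG = [
    "dns client=10.0.0.5 query=new.my-odin.com",
    "http client=10.0.0.5 dst=185.173.93.98 url=http://185.173.93.98/ ua=",
    "http client=10.0.0.7 dst=203.0.113.10 url=https://www.example.com/ ua=Mozilla/5.0",
    "file host=WS-12 sha256=13E384C54054A094B8045928C8EC9D3697372E551E4887B4EA9E18E319F0F40B",
    "http client=10.0.0.9 dst=203.0.113.20 url=https://t.me/jetbim ua=Mozilla/5.0",
    "dns client=10.0.0.8 query=my-odin.com.example.net",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.kind} {h.indicator}  <- {h.line}")
```

Two caveats when using this for real: a Telegram or Steam URL hit is a C2-discovery indicator, not proof of infection (those sites see plenty of benign traffic, so match the full path, never the bare host), and the proxy_pass IPs on this page rotated within the observation window, so treat the IP set as time-bounded and re-validate before blocking.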

Read more: https://www.team-cymru.com/post/darth-vidar-the-dark-side-of-evolving-threat-infrastructure