Vidar emerged in 2018 as a copycat of Arkei and has spawned Oski Stealer and Mars Stealer variants. The diary traces how these families rely on legitimate DLLs hosted on their C2 servers and exfiltrate data as zip archives via HTTP POST. #Vidar #OskiStealer #MarsStealer #Arkei #Hancitor #Qakbot #Emotet
Keypoints
- Vidar appeared in 2018 as a copycat of Arkei malware and has led to two additional variants, Oski Stealer and Mars Stealer.
- Vidar infections retrieve legitimate DLLs hosted on the same C2 server used for data exfiltration (not malicious files themselves).
- The legitimate DLLs involved include freebl3.dll, mozglue.dll, msvcp140.dll, nss3.dll, softokn3.dll, and vcruntime140.dll (and sqlite3.dll for Oski/Mars).
- Oski Stealer retrieves each DLL separately, but does not use the same file-name URLs as Vidar.
- Mars Stealer retrieves DLLs as a single zip archive, illustrating a shift in its delivery/packaging approach.
- All three malware families exfiltrate data by posting a zip archive to their C2 servers via HTTP POST; the exfiltration patterns evolve across variants.
- Indicators of compromise include C2 domains/IPs such as dersed[.]com, 2.56.57[.]108, and sughicent[.]com, used with corresponding IPs in specific campaigns; Mars has been linked to Hancitor as a follow-up delivery.
MITRE Techniques
- [T1105] Ingress Tool Transfer β The initial malware retrieves legitimate DLL files hosted on the same C2 server used for data exfiltration. βDuring Vidar infections, the initial malware retrieves legitimate DLL files hosted on the same C2 server used for data exfiltration.β
- [T1560.001] Archive Collected Data β Current samples of Mars Stealer β¦ retrieve legitimate DLL files as a single zip archive. βCurrent samples of Mars Stealer (like this one) retrieve legitimate DLL files as a single zip archive.β
- [T1041] Exfiltration Over C2 Channel β All three types of malware send a zip archive containing data stolen from the infected Windows host; βThe images illustrate the HTTP POST requests that send stolen data to their C2 servers.β
Indicators of Compromise
- [IP] 104.200.67[.]209 β Vidar C2 in September 2019 (port 80)
- [IP] 2.56.57[.]108 β Oski Stealer C2 in January 2022 (port 80)
- [IP] 5.63.155[.]126 β Mars Stealer C2 in March 2022 (port 80)
- [Domain] dersed[.]com β Vidar C2 in September 2019
- [Domain] sughicent[.]com β Mars Stealer C2 in March 2022