A few days back the commercial off-the-shelf malware BitRat was observed with a new distribution methodology. Now, another information stealer malware named Vidar Stealer has surfaced with advanced techniques to exploit popular Social Media (SM) platforms as an intermediary C2 server.
Tactics of hiding behind SM platforms
AhnLab researchers disclosed that Vidar Stealer is continuously creating throwaway accounts on popular SM such as TikTok, Telegram, Steam, and Mastodon.
Attackers create a new profile on these social media platforms and write some identifying characters and the C2 address on the profile page.
One advantage of this tactic is that such traffic is really difficult to identify and block using trivial security solutions.
In case the C2 server is blocked or taken down, attackers can set up a new server and edit the account pages to allow the previously distributed malware to communicate with the server.
The experts found an attacker-controlled account on the Ultimate Guitar platform and detailed its working.
When malware is executed from any infected system, multiple strings are decrypted and multiple garbage codes are passed as arguments, which execute string-modifying functions.
It checks for the computer name and username to see if it is a Windows Defender Emulator, and upon detection, the malware stops functioning and shuts down.
When proceeding further, the malware connects to the threat actor’s account page to download the C2 address that is hard-coded in the binary.
The latest malware variant (v 56.1) collects data and compresses it into a ZIP file, encoded in Base64 prior to exfiltration to the C2 server.
Contrasts with previous tactics
First identified in 2018, Vidar Stealer is known for using delivery mechanisms such as phishing emails and cracked software for propagation.
The previous malware variants collected and sent the information as compressed file data in plaintext format.
However, in recent campaigns, it was being distributed using a variety of methods, including malicious Google Ads and a malware loader dubbed Bumblebee.
Additionally, experts discovered an ad for the GIMP open-source image editor that, when clicked from the Google search result, redirected the victim to a typo-squatted domain hosting the malware.
The abuse of top platforms as the intermediary C2 gives a longer lifespan to malware like Vidar Stealer. Experts assess that the malware is just one among several that is updating its delivery methods, possibly due to Microsoft's decision to block macros by default in Office files. Therefore, more malware are expected to take this route in the future.