StealC & Vidar Malware Campaign Identified

Weekly Threat Intelligence Report

Date: June 24, 2024

Prepared by: David Brunsdon, Threat Intelligence – Security Engineer, HYAS

Malware developers will use all sorts of techniques to obfuscate their C2 location and keep security analysts from being able to understand the operation of their malware. One common technique is to have the malware communicate with a popular online service, such as Pastebin, where the malware will contact a URL that responds with the IP address of the C2 server. This type of design keeps the C2 address out of the malware, and allows the C2 operator to change or remove the C2 destination as needed. If the right service is chosen, then this request might go unnoticed because it’s seen as regular traffic.

We detonated a malware sample on Windows 7 that was identified as containing both StealC and Vidar, and found the same technique in use on the gaming platform Steam. In this case, the malware requests the profile page of a specific user account, and the Steam account name contains the IP address of a component of the C2 infrastructure. Steam also displays the account's name history, so previous IPs that have been placed in this field remain visible.

Steam is an interesting choice as a vector for retrieving a C2 destination because it is a gaming platform that is not typically used on corporate infrastructure, except perhaps at gaming companies. It is common in residential traffic, however. A more traditional choice would be a service that is routinely seen in an organization's network traffic, such as a Microsoft service.
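As an added illustration of the defender's side of this technique (not code from the report or from HYAS), the following Python extracts candidate C2 addresses from a profile's current and historical display names, discarding malformed and non-routable values, and includes a simple proxy-log heuristic for profile fetches without a browser-style User-Agent. The Steam profile URL paths and all sample values are assumptions, not indicators from the report.

```python
import ipaddress
import re

# Dotted-quad candidates; the boundaries stop a longer digit run from matching a substring.
IPV4_CANDIDATE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Ranges a stealer on a victim host could not reach over the internet:
# RFC 1918, loopback, link-local, "this" network, multicast and reserved space.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/3")]


def routable_ips_in(text: str) -> list[str]:
    """Return unique, syntactically valid, internet-routable IPv4s found in text."""
    found: list[str] = []
    for cand in IPV4_CANDIDATE.findall(text):
        try:
            ip = ipaddress.IPv4Address(cand)  # rejects octets > 255, e.g. a version like "2.0.256.1"
        except ipaddress.AddressValueError:
            continue
        if any(ip in net for net in NON_ROUTABLE) or str(ip) in found:
            continue
        found.append(str(ip))
    return found


def dead_drop_ips(current_name: str, name_history: list[str]) -> dict[str, list[str]]:
    """Split a profile's display names into the live drop value and retired ones.

    The current name is what an infected host would resolve right now; the
    name history yields past infrastructure worth keeping as historical indicators.
    """
    current = routable_ips_in(current_name)
    previous: list[str] = []
    for name in name_history:
        for ip in routable_ips_in(name):
            if ip not in current and ip not in previous:
                previous.append(ip)
    return {"current": current, "previous": previous}


# Assumed (not stated in the report): Steam profile pages live under these paths.
PROFILE_URL = re.compile(r"^https?://steamcommunity\.com/(?:profiles|id)/", re.I)


def suspicious_profile_fetch(url: str, user_agent: str) -> bool:
    """Heuristic: a profile page fetched without a browser-style User-Agent.

    Tune per environment; the legitimate Steam client also talks to this host.
    """
    return bool(PROFILE_URL.match(url)) and "Mozilla/" not in user_agent
```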

Although a direct relationship has not been confirmed, Vidar is a stealer known to be used by Scattered Spider, aka UNC3944. They are a criminal organization responsible for many high profile victims, including MGM Grand,

[…]

This article has been indexed from Security Boulevard
