Vidar Stealer Picks Up Steam! - Tutorials, Tips & Tricks - Emerging Threats
Published: 2023-01-18 · Archived: 2026-04-05 19:25:53 UTC

post by ishaughnessy on Jan 18, 2023

Emerging Threats has observed an uptick in Vidar Stealer malware that abuses Steam user profiles to distribute C2 server configuration. Vidar Stealer is an information stealer that is either a fork of, or closely related to, the Arkei information stealer. According to Check Point, Vidar has become one of the ten most prevalent malware families following a series of fake Zoom campaigns. Vidar's goal is usually to steal sensitive information from infected hosts, such as digital wallets and web browser data.

When the sample first executes it begins to profile the machine. In one of the first steps it queries api[.]2ip[.]ua to acquire the victim host's public IP address. The sample then sends a request to a Telegram account to retrieve the initial C2 server address. The malware uses the following static User-Agent for this request:

Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0

Note the spacing around the slashes and the missing separator between "x64" and "rv:"; a genuine Firefox build does not send the header in this form, so the string is a usable detection artifact on its own.

[Figure: Example GET request]

[Figure: Telegram C2 account]

C2 format: 'hxxp://|', i.e. the C2 address between the scheme and a trailing '|' delimiter (the Steam profiles listed further down carry the same format).

Once the C2 IP address is retrieved the sample performs a check-in and receives instructions on what data should be stolen.

[Figure: C2 instructions in response]

Once the instructions are received, the client downloads a .zip containing several benign .dll's that are used to harvest data from the host. Common names for the archive are:

Pack.zip
Upgrade.zip
update.zip

[Figure: Contents of pack.zip]

After the resources are downloaded, Vidar creates a .zip containing the stolen data, which is then base64 encoded and exfiltrated via a POST request.
[Figure: Exfiltration traffic]

[Figure: Base64-decoded traffic reveals stolen Firefox history]

[Figure: Contents of the exfiltrated .zip]

[Figure: A screenshot of the victim desktop is taken during execution and exfiltrated]

In another sample, a Steam profile can be seen in memory during execution. Upon reviewing the profile, there is another C2 address, which is used for further exfiltration.

[Figure: Steam profile with C2 server address in username]

[Figure: Additional check-in and exfil to the C2 server from the Steam profile]

Here are a few Steam profiles that have been used to host C2 server config:

Profile: hxxps://steamcommunity.com/profiles/76561199469016299
C2: hxxp://78.47.225[.]61|

Profile: hxxps://steamcommunity.com/profiles/76561199469677637
C2: hxxp://78.47.172[.]233|

Profile: hxxps://steamcommunity.com/profiles/76561199443972360
C2: hxxp://78.46.238[.]118|

Profile: hxxps://steamcommunity.com/profiles/76561199446766594
C2: hxxp://78.47.233[.]145|

Profile: hxxps://steamcommunity.com/profiles/76561199445991535
C2: hxxp://142.132.169[.]161|

Profile: hxxps://steamcommunity.com/profiles/76561199441933804
C2: hxxp://142.132.236[.]84|

After contacting Steam regarding this C2 distribution method, they concluded that it is important for users to be able to share information via their profile and will not be taking action. As of 2023/01/18 all of the above Steam profiles are still active after the accounts were reported for abuse.
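Because the operators publish the C2 in a fixed shape (an http:// URL terminated by a '|', whether in the Telegram account described earlier or in the Steam persona name shown above), the configuration can be pulled out of a fetched profile page with one regular expression, and the result defanged for a report. The following is an added example written for this write-up, not the post's own tooling: the two embedded pages are constructed stand-ins for a Steam profile and a Telegram channel page (their markup and CSS class names are assumptions; only the text content matters), and the addresses in them are taken from the indicators listed in this post.

```python
import re
from html import unescape
from ipaddress import ip_address

# The configuration format the post documents: scheme, host, then a '|' terminator.
C2_CONFIG_RE = re.compile(r"(https?://)([^\s|<>\"']+)\|")

# Constructed stand-in for a fetched Steam profile page (markup is an assumption).
# The persona name carries the config; the <title> repeats it, which exercises de-duplication.
SAMPLE_STEAM_PROFILE_HTML = """
<html><head><title>Steam Community :: http://78.47.225.61|</title></head>
<body>
  <span class="actual_persona_name">http://78.47.225.61|</span>
  <div class="profile_summary">No information given.</div>
</body></html>
"""

# Constructed stand-in for a Telegram channel page (markup is an assumption).
SAMPLE_TELEGRAM_PAGE_HTML = """
<html><body>
  <div class="tgme_page_description">http://5.75.182.6|</div>
</body></html>
"""


def extract_c2(page_html: str) -> list[str]:
    """Return the unique C2 URLs (without the trailing '|') found anywhere in a page.
    HTML entities are decoded first; output is sorted so repeated fetches diff cleanly."""
    text = unescape(page_html)
    found = {scheme + host for scheme, host in C2_CONFIG_RE.findall(text)}
    return sorted(found)


def is_ipv4_literal(host: str) -> bool:
    """True when the host part is a bare IPv4 address, as in every sample on the page."""
    try:
        return ip_address(host).version == 4
    except ValueError:
        return False


def defang(url: str) -> str:
    """Defang in the style used in the post: http -> hxxp, last dot of the host -> [.]."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    host_only, colon, port = host.partition(":")
    head, dot, tail = host_only.rpartition(".")
    if dot:
        host_only = head + "[.]" + tail
    return scheme.replace("http", "hxxp") + "://" + host_only + colon + port + slash + path


def c2_indicators(page_html: str) -> list[dict]:
    """Full pipeline: extract, classify the host, and defang each hit for reporting."""
    out = []
    for url in extract_c2(page_html):
        host = url.partition("://")[2].partition("/")[0].partition(":")[0]
        out.append({"url": url, "defanged": defang(url), "ip_literal": is_ipv4_literal(host)})
    return out


if __name__ == "__main__":
    for page in (SAMPLE_STEAM_PROFILE_HTML, SAMPLE_TELEGRAM_PAGE_HTML):
        print(c2_indicators(page))
```

To monitor the listed profiles, fetch each steamcommunity.com URL on a schedule and run `c2_indicators` over the response; a change in the returned list is a new C2 address worth pushing to blocklists, and an empty list on a page that previously carried config is worth a second look as well.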
References

Vidar Trojan Analysis, Malware Overview by ANY.RUN
September 2022's Most Wanted Malware: Formbook on Top While Vidar 'Zooms' Seven Places - Check Point Blog

IOCs

## C2 IP Addresses ##
5.75.182.6
78.47.225.61
78.47.172.233
78.47.233.145
78.46.238.118
91.107.158.249
142.132.169.161
142.132.236.84

## Files (MD5) ##
40d5e0f066caa3b5cdb4f97a6adf7bac
e8b5ced1c7421ee80a25afe48e816a08
deb6e2ba0b5da298a176f135d0dbb902
99ba29aa0086b1b1ac838d206b49715c

## Telegram Accounts ##
https://t.me/tgdatapacks
https://t.me/jetbim

## Steam Profiles ##
https://steamcommunity.com/profiles/76561199469016299
https://steamcommunity.com/profiles/76561199469677637
https://steamcommunity.com/profiles/76561199443972360
https://steamcommunity.com/profiles/76561199446766594
https://steamcommunity.com/profiles/76561199445991535
https://steamcommunity.com/profiles/76561199441933804

ET Vidar Signatures

ET MALWARE Arkei/Vidar/Mars Stealer Variant - 2036316
ET MALWARE Arkei/Vidar/Mars Stealer Variant CnC checkin commands - 2038523
ET MALWARE Arkei/Vidar/Mars Stealer Variant Data Exfiltration Attempt - 2038525
ET MALWARE Arkei/Vidar/Mars Stealer Variant DLL GET Request - 2038524
ET MALWARE Observed Vidar Stealer Domain (computerprotect .me) in TLS SNI - 2035873
ET MALWARE Possible Vidar Stealer C2 Config In Steam Profile - 2043334
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil - 2029236
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern - 2034813
ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved - 2035911
ET MALWARE Vidar/Arkei Stealer Client Data Upload - 2025431
ET MALWARE Vidar Stealer CnC Domain in DNS Lookup - 2035872
ET MALWARE Vidar Stealer - FaceIt Checkin Response - 2033066
ET MALWARE Vidar Stealer IP Address in DNS Query Response - 2043248
ET MALWARE Vidar Stealer Payload Delivery Domain (audacitya .org) in DNS Lookup - 2040140
ET MALWARE Win32/Vidar Variant/Mars CnC Activity (GET) - 2036667
ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil - 2033163
ET MALWARE Win32/Vidar Variant/Mars Stealer Resources Download - 2036654
ETPRO MALWARE Arkei/Vidar/Mars Stealer Variant CnC Response - 2853039
ETPRO MALWARE Arkei/Vidar/Mars Stealer Variant User-Agent Observed - 2853038
ETPRO MALWARE Arkei/Vidar Stealer Variant - Telegram Mirror Checkin - 2851826
ETPRO MALWARE Vidar/Arkei/Oski Variant Stealer POSTing Data to CnC - 2842708
ETPRO MALWARE Win32/Vidar/Arkei/Oski Variant Retrieving Payload - 2841407
ETPRO MALWARE Win32/Vidar/Arkei/Oski Variant Stealer Uploading System Information - 2841237
ETPRO MALWARE Win32/Vidar/Arkei/Oski Variant Stealer Uploading System Information M2 - 2841406

post by ishaughnessy on Jan 12, 2024

Source: https://community.emergingthreats.net/t/vidar-stealer-picks-up-steam/271