The ThreatFox: Vidar IOCs rule detects potential command and control activity associated with the Vidar malware, leveraging known indicators to identify compromised hosts. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats that leverage Vidar for data exfiltration and persistence.
IOC Summary
Malware Family: Vidar
Total IOCs: 12
IOC Types: ip:port, url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://ori.fazvende.com.br/ | botnet_cc | 2026-05-21 | 100% |
| domain | ori.fazvende.com.br | botnet_cc | 2026-05-21 | 100% |
| url | hxxps://ori.tristans-tea.com/ | botnet_cc | 2026-05-21 | 100% |
| domain | ori.tristans-tea.com | botnet_cc | 2026-05-21 | 100% |
| ip:port | 62[.]238[.]11[.]129:443 | botnet_cc | 2026-05-21 | 100% |
| ip:port | 178[.]105[.]113[.]226:443 | botnet_cc | 2026-05-21 | 100% |
| url | hxxps://62[.]238[.]11[.]129/ | botnet_cc | 2026-05-21 | 100% |
| url | hxxps://178[.]105[.]113[.]226/ | botnet_cc | 2026-05-21 | 100% |
| url | hxxps://spl.fazvende.com.br/ | botnet_cc | 2026-05-20 | 100% |
| url | hxxps://spl.tristans-tea.com/ | botnet_cc | 2026-05-20 | 100% |
| domain | spl.fazvende.com.br | botnet_cc | 2026-05-20 | 100% |
| domain | spl.tristans-tea.com | botnet_cc | 2026-05-20 | 100% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Vidar
let malicious_ips = dynamic(["62.238.11.129", "178.105.113.226"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Vidar
let malicious_ips = dynamic(["62.238.11.129", "178.105.113.226"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
let malicious_domains = dynamic(["ori.fazvende.com.br", "ori.tristans-tea.com", "spl.fazvende.com.br", "spl.tristans-tea.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
let malicious_urls = dynamic(["https://ori.fazvende.com.br/", "https://ori.tristans-tea.com/", "https://62.238.11.129/", "https://178.105.113.226/", "https://spl.fazvende.com.br/", "https://spl.tristans-tea.com/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
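The IOC table above arrives defanged (hxxps, [.]), while the queries need refanged values in `let ... = dynamic([...])` lists. The following is an added example, not part of the ThreatFox rule or the queries above: it parses rows in the page's table layout, refangs them, de-duplicates and groups them by type, splits ip:port entries into the bare IP the queries match on, and renders the `let` lines, refusing any value that could not be safely placed inside a KQL string literal. The sample rows are constructed from the table above (with one duplicate added to show de-duplication).

```python
import re
from collections import defaultdict

# Constructed sample in the page's table layout (subset of the rows above, one duplicated).
SAMPLE_ROWS = """\
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://ori.fazvende.com.br/ | botnet_cc | 2026-05-21 | 100% |
| domain | ori.fazvende.com.br | botnet_cc | 2026-05-21 | 100% |
| ip:port | 62[.]238[.]11[.]129:443 | botnet_cc | 2026-05-21 | 100% |
| url | hxxps://62[.]238[.]11[.]129/ | botnet_cc | 2026-05-21 | 100% |
| domain | ori.fazvende.com.br | botnet_cc | 2026-05-21 | 100% |
"""

# Characters allowed in a value we will quote into KQL: no quotes, spaces or backslashes.
SAFE_VALUE = re.compile(r'^[A-Za-z0-9.:/_\-?=&%~]+$')

def refang(value):
    """Undo common defanging: hxxp(s):// -> http(s)://, and [.] (.) {.} -> ."""
    value = re.sub(r'^hxxp(s?)://', r'http\1://', value, flags=re.IGNORECASE)
    return re.sub(r'[\[({]\.[\])}]', '.', value)

def parse_ioc_table(markdown):
    """Group refanged, de-duplicated IOC values by type.
    ip:port rows yield the bare IP under 'ip' and (ip, port) tuples under 'ip_port'."""
    groups = defaultdict(list)
    for line in markdown.splitlines():
        cells = [c.strip() for c in line.strip().strip('|').split('|')]
        if len(cells) < 2 or cells[0] in ('Type', '---'):   # skip header and separator
            continue
        ioc_type, value = cells[0], refang(cells[1])
        if not SAFE_VALUE.match(value):   # feed data is untrusted input; never splice it raw
            raise ValueError(f'rejected IOC value: {cells[1]!r}')
        if ioc_type == 'ip:port':
            ip, _, port = value.rpartition(':')
            if ip not in groups['ip']:
                groups['ip'].append(ip)
            groups['ip_port'].append((ip, int(port)))
        elif value not in groups[ioc_type]:
            groups[ioc_type].append(value)
    return dict(groups)

def kql_let(name, values):
    """Render one `let` line in the shape the hunting queries use."""
    quoted = ', '.join('"%s"' % v for v in values)
    return 'let %s = dynamic([%s]);' % (name, quoted)

if __name__ == '__main__':
    g = parse_ioc_table(SAMPLE_ROWS)
    for name, key in (('malicious_ips', 'ip'), ('malicious_domains', 'domain'), ('malicious_urls', 'url')):
        print(kql_let(name, g[key]))
```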
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
False Positive Scenarios
The filters below use generic field names (process.name, process.parent.name, user.name); map them to the columns of the table being queried (for example InitiatingProcessFileName in DeviceNetworkEvents) before adding them to a query. Where a filter excludes more than one process name, the conditions are joined with `and`: `process.name != "a" or process.name != "b"` is always true and excludes nothing.
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script (e.g., a PowerShell script used for system cleanup) whose activity matches one of the Vidar IOCs.
Filter/Exclusion: process.name != "schtasks.exe" or process.parent.name != "task scheduler"
Scenario: Admin Using PowerShell for Log Analysis
Description: An admin uses PowerShell to analyze logs, and the script includes a command that matches a Vidar IOC (e.g., Invoke-Command with a suspicious parameter).
Filter/Exclusion: process.name != "powershell.exe" or user.name != "admin_user"
Scenario: Antivirus Quarantine Process
Description: The system is quarantining a file that matches a Vidar IOC as part of a legitimate antivirus cleanup process.
Filter/Exclusion: process.name != "avastui.exe" and process.name != "mcafee.exe"
Scenario: CI/CD Pipeline Artifact Download
Description: A CI/CD tool (e.g., Jenkins, GitLab CI) downloads a build artifact from a repository that matches a Vidar IOC due to a naming conflict.
Filter/Exclusion: process.name != "jenkins.exe" and process.name != "gitlab-runner.exe"
Scenario: Database Backup Script Execution
Description: A database backup script (e.g., using sqlcmd or mysqldump) includes a command that matches a Vidar IOC due to a misconfigured script.
Filter/Exclusion: process.name != "sqlcmd.exe" and process.name != "mysqldump.exe"