Identifying Vidar Infrastructure using Shodan

Cyber Team
4 min read · Jan 18, 2024


Refer to my previous tweets, where I have shared Vidar C2s and their associated search queries.

Tweet 1 & Tweet 2

In this write-up, we will analyze known Vidar C2s and try to build a query that finds additional Vidar infrastructure using Shodan.

I am using the following two Vidar C2s (from my tweets) for the analysis:
i) 65.109.240.203
ii) 168.119.106.20

1. Analysis in Shodan

Initially, we can look up these two IPs in Shodan to see what data the search engine already holds for them.

Fig-1: Shodan info for 168.119.106.20

Similarly, looking up the other Vidar C2, 65.109.240.203, provides the following information.

Fig-2: Shodan info for 65.109.240.203

2. Identifying Pivot Points

After analyzing the above hosts, the following pivot points are identified:
➢ SSL certificate JARM & JA3S fingerprints
➢ HTTP response: Headers hash & HTML hash
➢ Self-signed certificate (tag: self-signed)
➢ SSL certificate subject CN: contains the <IP-Address> itself.
➢ Organization & ASN: Hetzner Online GmbH (AS24940)

3. Finding Infra Using Identified Pivot Points

Now we will use these pivot points to build, step by step, a Shodan query that identifies additional Vidar infrastructure.

a) First pivot point: JARM fingerprint

Shodan query:
ssl.jarm:"21d19d00021d21d00021d19d21d21d43557f863337159163ca547c5ea19523"

Searching for this JARM fingerprint alone in Shodan generated 5422 results, as follows:

Fig-3: Pivot 1 — JARM fingerprint

b) Second pivot point: HTTP response

To narrow down the results, we can make use of the second pivot, the HTTP response. As shown in Fig-1 & Fig-2, the HTTP response is stored in the "http" data field along with its associated HTML hash and headers hash. Either of the two hashes can be used to refine the search query; I am using the HTML hash.

The Shodan query after applying the second pivot looks like this:
ssl.jarm:"21d19d00021d21d00021d19d21d21d43557f863337159163ca547c5ea19523" http.html_hash:1765360226

Fig-4: Pivot 2 — HTML hash

After applying the second pivot, the results are narrowed down considerably. To narrow them further, we can use the remaining pivot points.

If you recall from Fig-1 & Fig-2, the hosts use a self-signed SSL certificate and are categorized by Shodan under the tag 'self-signed'.

Note: the "tag" and "vuln" filters are available only to Business and Enterprise users, so not every researcher (myself included) has the premium subscription needed to use them.

So we have to look at the other pivots to refine our search query.

c) Third pivot point: Organization name / ASN

Usually, pivot points like ISP/Org/ASN are not recommended as a first resort, because they are broad and easily shared with unrelated hosts. However, if we cannot find any other useful pivot point to refine the search query further, we can fall back on ISP/Org/ASN.

The query after applying the third pivot (organization) looks like this:

ssl.jarm:"21d19d00021d21d00021d19d21d21d43557f863337159163ca547c5ea19523" http.html_hash:1765360226 org:"Hetzner Online GmbH"

At this point, the search generated 33 results as shown below:

Fig-4: Pivot 3 — Organization

d) Fourth and last pivot point: subject CN

The last remaining pivot is that the hosts' SSL cert subject CN (common name) is the <IP-ADDRESS> itself, as highlighted in Fig-1 & Fig-2.

I checked the Shodan documentation and tried multiple combinations of search queries, but I was not able to find a query that filters hosts whose subject CN is the <IP-ADDRESS>.

Though you cannot filter on this directly in the search query, you can use the Shodan "facet" feature to view all hosts that have an IP address in their SSL cert subject CN. You can do this by visiting the following Shodan URL (add 'facet' to the URL as shown below):

Fig-4: Pivot 4 — Subject CN

We then have to filter out the results whose SSL cert subject CN contains a domain name, as highlighted in the screenshot above.

Finally, we were able to identify all hosts related to the Vidar infrastructure. Copy all these IP addresses and export them to a file. It is recommended to block these C2s in your environment.
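As an added example (not code from the post), the script below builds the combined Shodan query from the three pivots used above and applies the fourth, subject-CN check in code, since that check could not be expressed as a Shodan filter. The sample banner records are constructed to mimic the shape of entries in the Shodan API's "matches" list and are not real search results.

```python
import ipaddress

# Pivot values taken from the write-up: JARM fingerprint, HTML hash and organization.
VIDAR_PIVOTS = {
    "ssl.jarm": "21d19d00021d21d00021d19d21d21d43557f863337159163ca547c5ea19523",
    "http.html_hash": 1765360226,
    "org": "Hetzner Online GmbH",
}


def build_query(pivots):
    """Join filter:value pairs into one Shodan search string (strings quoted, ints bare)."""
    return " ".join(
        f"{key}:{value}" if isinstance(value, int) else f'{key}:"{value}"'
        for key, value in pivots.items()
    )


def cn_is_own_ip(match):
    """Fourth pivot: the cert subject CN is the host's own IP address, not a domain."""
    cn = match.get("ssl", {}).get("cert", {}).get("subject", {}).get("CN")
    if not cn:
        return False  # no TLS certificate in the banner
    try:
        return ipaddress.ip_address(cn) == ipaddress.ip_address(match["ip_str"])
    except ValueError:  # CN is a hostname rather than an IP literal
        return False


def filter_hosts(matches):
    """Keep the IPs of hosts passing the subject-CN check, sorted for a stable export."""
    return sorted(m["ip_str"] for m in matches if cn_is_own_ip(m))


# Constructed sample banners shaped like entries of Shodan's 'matches' list (not real results).
SAMPLE_MATCHES = [
    {"ip_str": "203.0.113.10", "ssl": {"cert": {"subject": {"CN": "203.0.113.10"}}}},
    {"ip_str": "203.0.113.11", "ssl": {"cert": {"subject": {"CN": "example.com"}}}},   # domain CN
    {"ip_str": "203.0.113.12", "ssl": {"cert": {"subject": {"CN": "203.0.113.99"}}}},  # other IP
    {"ip_str": "203.0.113.13"},                                                          # no cert
]

if __name__ == "__main__":
    print(build_query(VIDAR_PIVOTS))
    # With an API key, live banners would come from shodan.Shodan(key).search(query)["matches"].
    with open("vidar_c2.txt", "w") as fh:
        fh.write("\n".join(filter_hosts(SAMPLE_MATCHES)) + "\n")
```

Only the first constructed host survives the subject-CN check; the domain-CN, foreign-IP and certificate-less hosts are dropped, which is the same filtering the screenshot walkthrough performs by hand.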

You can also verify these C2s in open-source reputation services such as VirusTotal.

The following lists the VirusTotal (VT) detections for the Vidar C2s as of 16/01/2024:


Thanks
