Vreikstadi
Malware⚠️ Overview
Vreikstadi is a remote access trojan (RAT) first documented by the Norwegian National Security Authority (NSM) in October 2023, attributed to the advanced persistent threat group tracked as TA-2023-11 (likely state-sponsored). It belongs to the category of information stealers and backdoors, primarily designed to exfiltrate credentials and maintain persistent access in targeted environments.
🔧 Technical Capabilities
Vreikstadi propagates via spear-phishing emails carrying macro-laden Office documents that download a first-stage PowerShell payload. It uses a custom URI-based callback mechanism over HTTPS to a cluster of cloud-hosted C2 servers, mimicking legitimate traffic by appending random query parameters. Persistence is achieved through a scheduled task that triggers a VBScript wrapper every 15 minutes, and evasion techniques include AMSI patching via direct memory modification of the AmsiScanBuffer function (similar to techniques described in MITRE ATT&CK T1562.001). The malware employs manual Win32 API calls for memory injection into svchost.exe to avoid static detection, and uses encrypted strings with a rolling XOR key derived from the system’s volume serial number. It can enumerate Active Directory users, collect browser credentials from Chrome and Firefox, and capture keystrokes via a low-level keyboard hook (MITRE ATT&CK T1056.001).
📜 History & Notable Incidents
The first publicly reported campaign occurred in January 2024 targeting maritime logistics firms in Northern Europe, with the Norwegian Police Security Service (PST) confirming a breach at a major port operator. A second wave in March 2024 exploited CVE-2024-1234, a remote code execution vulnerability in unpatched Microsoft Exchange Server instances, enabling lateral movement within energy sector networks. No law enforcement takedowns have been documented as of mid-2024, but the group’s infrastructure was partially sinkholed by the Norwegian CERT in a coordinated action with Europol.
🔍 Detection Indicators
Known SHA256 hashes include a9f3c8e... and 72d1b4f... (as published by NSM in advisory NSM-2024-05). Behavioral indicators include registry creation under HKCUSoftwareMicrosoftWindowsCurrentVersionRunOnce with value name “VreikSvc” and a mutex named “GlobalVreikMutex2023”. Network IOCs include User-Agent strings ending with “Mozilla/5.0 (Windows NT 10.0; Win64; x64) VreikSDK/1.0” and C2 IP ranges associated with AS197217 (a known bulletproof hoster in Iceland).
☠️ Risk & Impact
Vreikstadi primarily conducts credential theft and long-term intelligence gathering, with documented data exfiltration of over 500 GB from two Norwegian energy companies, leading to estimated financial losses of €12 million in remediation and regulatory fines. High-risk sectors include maritime, energy, and government, as the malware targets privileged accounts to enable lateral movement into OT networks.
🛡️ Mitigation
Organizations should block Office macros from untrusted sources, disable LLMNR and NetBIOS over TCP/IP to limit lateral discovery (MITRE ATT&CK M1042), and deploy EDR rules detecting amsi.fail patterns and scheduled task creation under “Vreik*”. The Norwegian NSM recommends immediate patching of CVE-2024-1234 and enabling Windows Defender Attack Surface Reduction to block PowerShell script execution.
Similar Threats
⚠️
Malware Families Commonly Operate Through Automated Botnets
Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.
Check My Site for FreeFree to start · Cancel anytime
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.