GandCrab ransomware and Vidar stealer used together for a deadly combo

by Julie Splinters

A dangerous pairing of GandCrab ransomware and the Vidar data-stealing malware is being distributed through a new malvertising campaign spotted by security researchers.

Vidar & GandCrab

Security experts at Malwarebytes Labs published a report[1] about a new malvertising chain that relies on the Fallout[2] and GrandSoft exploit kits to infect users' computers with the data-stealing trojan Vidar. Once it is running, the malware can steal a variety of sensitive data, including browsing history, cryptocurrency wallets, messaging content and various credentials.

While the victim will hardly notice the first payload, the second one, GandCrab, makes itself visible shortly after the Vidar infection: the ransomware encrypts personal files and demands a ransom payment for the decryptor.

The attackers used torrent and video streaming websites to redirect visitors to one of the two exploit kits, chosen according to the visitor's geographical location; Fallout accounts for about 70% of the observed cases.

The campaign lets the operators profit not only from ransom payments but also from the harvested data, which can be sold on the dark web.

Vidar – a copycat of Arkei data stealer

Initially, security researchers thought the data stealer was the already known Arkei. On closer inspection, however, they realized it is a new variant of Arkei called Vidar, as security analyst Fumik0 reported:[3]

<…> Some strings linked to the Arkei signature were deleted and a new one appeared with the string "Vidar"; there are also some other tweaks in the in-depth analysis that prove there are some differences (but small), but all the rest was totally identical to Arkei.

Vidar was first noticed in October 2018 and has the classic feature set of a data stealer. Dubbed "The Silent One," it can harvest details such as cookies, specific documents, digital wallets, loader settings, detailed system information and screenshots.

The malware is sold on underground markets for around $700 and comes with its own command-and-control panel, from which additional payloads can be attached to the initial infection. The panel also lets the operator track every victim and push instructions to them.

The collaboration of data stealing malware and ransomware – bad news for victims

Once the victim has been redirected to the Fallout or GrandSoft exploit kit and Vidar has been dropped, the stealer collects sensitive data and sends it to the attacker-controlled C2 server as a ZIP archive.

Within a minute of the initial infection, the secondary payload (in this case, GandCrab) is downloaded and executed on the system:[1]

Vidar also offers to download additional malware via its command and control server. This is known as the loader feature, and again, it can be configured within Vidar’s administration panel by adding a direct URL to the payload. However, not all instances of Vidar (tied to a profile ID) will download an additional payload. In that case, the server will send back a response of “ok” instead of a URL.
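The chain described above gives a defender a simple temporal signature: an outbound ZIP upload from a host, followed within about a minute by a download of an executable from the same host. The following is an added detection example, not code from the article or from the Malwarebytes report; the proxy log format, the client addresses, the URLs and the 60-second window are all constructed assumptions for the demonstration, not indicators taken from the campaign.

```python
"""Correlate an outbound ZIP upload with a follow-on executable download.

Added example: flags a host that POSTs a ZIP archive and then fetches an
executable within a short window, the pattern described for a stealer that
exfiltrates first and then pulls a second stage via its loader feature.
The log format, addresses, URLs and the 60 s window are constructed
assumptions for this demonstration, not indicators from the article.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed proxy log lines (not real traffic), one request per line:
# timestamp client method url request-content-type response-content-type
SAMPLE_LOG = """\
2019-01-10T14:02:11Z 10.0.0.5 GET http://cdn.example-stream.test/player.js - application/javascript
2019-01-10T14:02:40Z 10.0.0.5 POST http://203.0.113.10/ application/zip text/plain
2019-01-10T14:03:05Z 10.0.0.5 GET http://203.0.113.10/drop/installer.exe - application/octet-stream
2019-01-10T14:05:00Z 10.0.0.7 POST http://backup.example.test/upload application/zip application/json
2019-01-10T14:09:30Z 10.0.0.7 GET http://download.example.test/tool.exe - application/octet-stream
2019-01-10T14:10:00Z 10.0.0.9 GET http://203.0.113.10/drop/installer.exe - application/octet-stream
"""


@dataclass
class Event:
    ts: datetime
    client: str
    method: str
    url: str
    req_type: str   # Content-Type of the request body, "-" if none
    resp_type: str  # Content-Type of the response


def parse_log(text):
    """Parse the constructed log format into Event objects sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, req_type, resp_type = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            client, method, url, req_type, resp_type))
    events.sort(key=lambda e: e.ts)
    return events


def is_zip_upload(e):
    """Outbound archive: a POST whose body is declared as a ZIP."""
    return e.method == "POST" and e.req_type == "application/zip"


def is_exe_download(e):
    """Inbound binary: octet-stream response or a URL ending in .exe."""
    return e.method == "GET" and (e.resp_type == "application/octet-stream"
                                  or e.url.lower().endswith(".exe"))


def find_exfil_then_download(events, window=timedelta(seconds=60)):
    """Return (client, upload_url, download_url, gap_seconds) for every
    executable download that follows a ZIP upload from the same client
    within `window`. A ZIP upload is consumed by the first matching
    download so one upload produces at most one alert."""
    last_upload = {}
    alerts = []
    for e in events:
        if is_zip_upload(e):
            last_upload[e.client] = e
        elif is_exe_download(e) and e.client in last_upload:
            up = last_upload[e.client]
            gap = e.ts - up.ts
            if timedelta(0) <= gap <= window:
                alerts.append((e.client, up.url, e.url, int(gap.total_seconds())))
                del last_upload[e.client]
    return alerts


if __name__ == "__main__":
    for client, up, down, gap in find_exfil_then_download(parse_log(SAMPLE_LOG)):
        print(f"{client}: ZIP upload to {up} followed {gap}s later by {down}")
```

In the constructed sample only 10.0.0.5 is flagged: it uploads a ZIP and fetches an executable from the same server 25 seconds later. 10.0.0.7 also uploads a ZIP but its download comes several minutes later and falls outside the window, and 10.0.0.9 downloads a binary with no preceding upload, so neither raises an alert. In a real deployment the window, the content-type checks and the host pairing would be tuned against the organization's baseline, and a match is a triage lead rather than a verdict.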

The dropped ransomware, GandCrab 5.0.4,[4] is currently one of the most widespread ransomware variants. Although security experts have recently released a few decryption tools,[5] they do not work for every version or every encrypted file.

Nevertheless, we suggest you do not neglect comprehensive security measures. Use reputable security software that can detect malware and block the infection, and keep your operating system and applications patched: exploit kits such as Fallout and GrandSoft depend on known, unpatched vulnerabilities in the browser and its plugins, so up-to-date software removes their entry point.

About the author

Julie Splinters - Malware removal specialist

Julie Splinters is the News Editor of 2-spyware. She holds a bachelor's degree in English Philology.


References