At least one threat actor is using a combination of the info stealer Vidar and GandCrab ransomware to put a double whammy on their victims.
Jerome Segura, head of investigations at Malwarebytes Labs, has tracked the campaign, which uses the Fallout and GrandSoft exploit kits to first install Vidar and then a secondary payload containing GandCrab.
The first step has the attackers using a rogue advertising domain to redirect victims to one of the two EKs, depending upon their location, with Fallout being the primary EK used. The next step is to install Vidar, which can be found for sale at around US$ 700 (£548). Segura described Vidar as extremely flexible capable of stealing a wide range of content including a large number of digital wallets browser histories and instant messages. In each case, the user sets the parameters for what the malware will remove from the target.
All of the info is stored in a .zip folder and sent to the command and control server and this sets the stage for the second payload which starts within about one minute of the initial download.
"Vidar also offers to download additional malware via its command and control server. This is known as the loader feature, and again, it can be configured within Vidar’s administration panel by adding a direct URL to the payload," Segura said.
Once installed GandCrab will encrypt the device’s files and replace the computer’s wallpaper with the ransom note.
Time flies not only when one is having fun, but when one’s organisation is covering what is arguably the most important news topic in the world today. Cyber-security.
This article was originally published on SC Media US.