GandCrab returns with trojans and redundancy

News by Robert Abel

The GandCrab ransomware has returned with a new set of trojans in addition to its initial infection.

The addition of new tools comes just over a week after at least one threat actor began using a combination of the info stealer Vidar with the ransomware to increase their odds of taking something of value away from their attack.

The latest attacks are using PowerShell as an entry point to deliver the first stage of the attacks rather than for encryption. 

The payload is a Base64-encoded portable executable (PE) built with AutoIt, the freeware automation language for Microsoft Windows.
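A detection-side illustration of the delivery step described above, added here as an example and not part of the original article or Check Point's research: it scans process command lines for long Base64 runs, decodes them, and flags those that decode to a PE image (MZ header whose e_lfanew points at a "PE\0\0" signature) or that are `-EncodedCommand` scripts which themselves decode a Base64 blob. The sample log lines, the PE stub and the script text are constructed for the example.

```python
import base64
import binascii
import re
from typing import Iterator, List, Tuple

# Constructed minimal PE image (not real malware): a DOS header whose
# e_lfanew field (offset 0x3C) points at the "PE\0\0" signature at 0x40.
_PE_BLOB = (
    b"MZ" + b"\x00" * 58
    + (0x40).to_bytes(4, "little")
    + b"PE\x00\x00" + b"\x00" * 16
)
_PE_B64 = base64.b64encode(_PE_BLOB).decode()
# -EncodedCommand payloads are UTF-16LE text; this constructed script
# only references the .NET Base64 decoder, which is the tell we look for.
_SCRIPT_B64 = base64.b64encode(
    "[Convert]::FromBase64String($p)".encode("utf-16le")).decode()
_TEXT_B64 = base64.b64encode(
    b"just a long benign configuration string logged by a service").decode()

# Constructed sample telemetry: one command line per process-creation event.
SAMPLE_LOG_LINES = [
    f"powershell.exe -nop -w hidden -c $b='{_PE_B64}';[Convert]::FromBase64String($b)",
    f"powershell.exe -enc {_SCRIPT_B64}",
    "svchost.exe -k netsvcs",
    f"app.exe --config {_TEXT_B64}",
]

# Base64 runs shorter than 40 characters are too small to carry anything interesting.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Simplified matcher for PowerShell's encoded-command switch and its short forms.
ENC_SWITCH_RE = re.compile(r"\s-e(c|nc|ncodedcommand)?\b")


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_candidates(cmdline: str) -> Iterator[bytes]:
    """Yield the decoded bytes of every long Base64 run that decodes cleanly."""
    for match in B64_RE.finditer(cmdline):
        try:
            yield base64.b64decode(match.group(0), validate=True)
        except binascii.Error:
            continue  # hex hashes and similar runs fail padding checks


def classify(cmdline: str) -> List[str]:
    """Return the findings raised by one command line (empty list if clean)."""
    findings = []
    uses_enc_switch = ENC_SWITCH_RE.search(cmdline.lower()) is not None
    for blob in decode_candidates(cmdline):
        if looks_like_pe(blob):
            findings.append("embedded_pe")
        elif uses_enc_switch:
            script = blob.decode("utf-16le", "ignore").lower()
            if "frombase64string" in script:
                findings.append("encoded_command_decodes_blob")
    return findings


def scan_log_lines(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (line_number, findings) for every line that raised a finding."""
    hits = []
    for number, line in enumerate(lines, start=1):
        findings = classify(line)
        if findings:
            hits.append((number, findings))
    return hits


if __name__ == "__main__":
    for number, findings in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {number}: {', '.join(findings)}")
```

The PE check deliberately goes beyond the first two bytes: plenty of benign Base64 strings happen to start with "MZ", but very few also carry a valid e_lfanew pointer, so following it keeps the false-positive rate manageable on real telemetry.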

"AutoIt generated PE acts as an unpacker to download other binaries from different servers and create multi layered attack scenario to cover all operating systems with different protections," Check Point researchers said in the post.

"This includes downloading two types of ransomwares and trojans and monitoring the ransomware processes and relaunching them in case there was a crash and abrupt termination."

In the most recent string of attacks, Check Point researchers have spotted threat actors delivering two variants of GandCrab along with a variant of BetaBot, aka Neuvert, and AzorUlt data stealer malware as part of a secondary payload. 

The two GandCrab variants provide redundancy: if one crashes, the other keeps the machine infected so that the threat actor still profits.

Researchers described BetaBot as a "Swiss army knife" type of malware without a sole purpose but instead having a behaviour determined by its C2 server.

BetaBot runs first and takes several steps in order to execute properly and avoid detection. After the malware injects itself, other binaries are downloaded from the command and control server to gather information on the victim's machine, search for analysis and debugging tools, detect virtual machine environments, and identify and disable certain antivirus and firewall tools.

The info stealing malware is known to be used to steal log-in credentials and financial data although it is unclear if that is what the malware is used for in the GandCrab affiliated infections, researchers said. 

The AzorUlt variant data stealer malware is used to harvest cryptocurrency wallets saved on the machine, extract credentials saved in FTP, IM and email clients, and stay dormant while awaiting instructions from its command and control server.

This article was originally published on SC Media US.
