The campaign is distributed by what researchers at Malwarebytes describe as a ‘prolific’ malvertising campaign targeting high-traffic torrent and streaming sites, which redirects users to the Fallout exploit kit; Fallout then uses Internet Explorer and Flash Player exploits to deliver two malicious payloads.
The first is Vidar, a relatively new form of malware that targets vast amounts of victims’ information — passwords, documents, screenshots, browser histories, messaging data, credit card details, and even data stored in two-factor authentication software.
Vidar can also target virtual wallets storing Bitcoin and other cryptocurrencies — the malware is highly customizable and has been distributed by several threat groups in different campaigns. It appears to be named after the Norse god Víðarr the Silent — a name the authors may have chosen to reflect its stealthy capabilities.
Like other data-stealers, Vidar is designed to operate secretly, leaving victims unaware that their systems have been compromised, while the attacker makes off with private information that’s packaged up and sent to a command-and-control (C&C) server.
But that isn’t the end of the attack, as Vidar’s C&C server also operates as a downloader for additional forms of malware; researchers have spotted it being used to distribute GandCrab ransomware.
GandCrab is one of the most active families of file-encrypting malware currently in operation: it is regularly updated with new features designed to make it more potent, and harder for security software to detect and analyze.
In this case, GandCrab version 5.04 is dropped onto the system about a minute after the initial Vidar infection. The system’s files are then encrypted and a ransom note is displayed, demanding payment in either Bitcoin or Dash in exchange for recovering them.
While the ransomware is a moneymaking operation in its own right, it’s also possible that GandCrab is delivered to victims in an effort to stop them from uncovering the initial Vidar information-stealer payload, or worse — as an outright attempt to destroy the infected system.
“It could be, for instance, a simple decoy where the real goal is to irreversibly corrupt systems without any way to recover lost data. But as we see here, it can be coupled with other threats and used as a last payload when other resources have already been exhausted,” said Jérôme Segura, security researcher and head of investigations at Malwarebytes.
“As a result, victims get a double whammy. Not only are they robbed of their financial and personal information, but they are also being extorted to recover the now encrypted data,” he added.
To avoid falling victim to this campaign, Segura told ZDNet that “keeping your systems up to date ensures that you will not be infected via drive-by downloads that use already patched vulnerabilities.”
“We also recommend web protection and ad blockers to prevent malicious redirections triggered from malvertising,” he said.