Cyber criminals combining Vidar & GandCrab malware to infect devices


Security researchers have discovered a new malvertising campaign that involves hackers using a unified command and control server to first deploy Vidar, a credential-stealing malware into victim systems, followed by a potent ransomware to encrypt information stored in such devices.

In a blog post, Malwarebytes researcher Jerome Segura revealed that while tracking a prolific malvertising campaign, he and his colleagues came across a new technique being employed by hackers: combining a credential-stealing malware with a ransomware to extract maximum value from a single infection.

The researchers observed that a threat actor used the Fallout exploit kit to drop Vidar, a new credential-stealing malware that shares certain similarities with the Arkei malware, onto a victim’s system. The distinctive feature of Vidar is that those deploying it can choose what information to scrape from the infected computer, from credit card numbers to passwords to data from digital wallets. Information scraped from a device by Vidar is sent by the malware to a remote command and control (C2) server.

“Upon execution on the system, Vidar will search for any data specified in its profile configuration and immediately send it back to the C2 server via an unencrypted HTTP POST request.

“This includes high level system details (specs, running processes, and installed applications) and stats about the victim (IP address, country, city, and ISP) stored in a file called information.txt. This file is packaged along with other stolen data and zipped before being sent back to the C2 server,” wrote Segura.
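The exfiltration pattern Segura describes (stolen data plus an information.txt system profile, zipped and sent to the C2 over plaintext HTTP POST) is something a network defender can look for. The following is an added detection example, not Malwarebytes' code and not Vidar's actual protocol: the exact request layout (a raw POST whose body is the archive), the path `/upload` and the host name are constructed assumptions, and the sample traffic is built inline for the demonstration.

```python
"""Detection sketch for the exfiltration behaviour described above.

Added example, not Malwarebytes' code or Vidar's real C2 protocol. The page
states that Vidar zips stolen data (including a file called information.txt)
and sends it to its C2 via an unencrypted HTTP POST. The request layout, the
path and the host below are assumptions made for this example.
"""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"            # local file header signature of a ZIP archive
SUSPICIOUS_NAMES = {"information.txt"}  # file name reported in the blog post


def split_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return method.decode(), path.decode(), headers, body


def zip_member_names(body: bytes):
    """Return member names if the body carries a ZIP archive, else []."""
    start = body.find(ZIP_MAGIC)
    if start < 0:
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(body[start:])) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def classify_request(raw: bytes):
    """Return a list of findings for one plaintext HTTP request.

    An empty list means nothing matching the described pattern was seen.
    Only POST bodies are inspected, because the stealer uploads, never GETs,
    its loot.
    """
    method, _path, _headers, body = split_http_request(raw)
    findings = []
    if method != "POST":
        return findings
    names = zip_member_names(body)
    if not names:
        return findings
    findings.append("zip archive uploaded in plaintext HTTP POST")
    # Match on the base name so a member stored under a directory still hits.
    hits = SUSPICIOUS_NAMES.intersection(n.rsplit("/", 1)[-1] for n in names)
    if hits:
        findings.append("archive contains " + ", ".join(sorted(hits)))
    return findings


def build_sample_post(members: dict) -> bytes:
    """Construct a sample exfil POST carrying a zip: test data, not real traffic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    body = buf.getvalue()
    head = (b"POST /upload HTTP/1.1\r\n"
            b"Host: c2.example.invalid\r\n"   # placeholder host, not a real C2
            b"Content-Type: application/octet-stream\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n")
    return head + b"\r\n" + body


if __name__ == "__main__":
    sample = build_sample_post({
        "information.txt": b"OS: Windows 10\nIP: 203.0.113.7\n",  # constructed
        "passwords.txt": b"example.com\tuser\tp4ss\n",            # constructed
    })
    for finding in classify_request(sample):
        print(finding)
```

The check keys on two things the post supports: an archive leaving the host in cleartext POST, and the `information.txt` member name. A real deployment would run this over reassembled TCP streams from a sensor, and the file-name match should be treated as a low-confidence indicator on its own since any operator can rename it; the archive-over-plaintext-POST signal is the more durable of the two.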

Vidar allows hackers to download additional payload

The researchers also observed that Vidar lets its operators fetch additional malware through its command and control server, and using this feature the threat actor installed the GandCrab ransomware on the victim’s system within minutes of Vidar being deployed. The ransomware immediately encrypted files stored on the device and replaced the wallpaper to inform the victim that his or her files had been encrypted.

“Threat actors can use ransomware for a variety of reasons within their playbook. It could be, for instance, a simple decoy where the real goal is to irreversibly corrupt systems without any way to recover lost data. But as we see here, it can be coupled with other threats and used as a last payload when other resources have already been exhausted.

“As a result, victims get a double whammy. Not only are they robbed of their financial and personal information, but they are also being extorted to recover the now encrypted data,” Segura added.

To keep malware such as Vidar or GandCrab off their systems, users should run anti-exploit and anti-malware tools capable of blocking the Internet Explorer and Flash Player exploits delivered by the Fallout exploit kit, and keep those two components patched or removed altogether so the kit has nothing to exploit.



Copyright Lyonsdown Limited 2021
