Security researchers have discovered a new malvertising campaign that involves hackers using a unified command and control server to first deploy Vidar, a credential-stealing malware into victim systems, followed by a potent ransomware to encrypt information stored in such devices.
In a blog post, Malwarebytes researcher Jerome Segura revealed that while tracking a prolific malvertising campaign, he and his colleagues came across a new technique being employed by hackers- combining a credential-stealing malware and a ransomware to derive maximum advantage from their campaign.
The researchers observed that a threat actor used the Fallout exploit kit to inject Vidar, a new credential-stealing malware that shares certain similarities with the Arkei malware, into a victim’s system. The unique feature of Vidar is that those deploying it can choose what information to scrape from computers- from credit card numbers to passwords to information from digital wallets. Information scraped from devices by Vidar is sent by the malware to a remote command and control server.
“Upon execution on the system, Vidar will search for any data specified in its profile configuration and immediately send it back to the C2 server via an unencrypted HTTP POST request.
“This includes high level system details (specs, running processes, and installed applications) and stats about the victim (IP address, country, city, and ISP) stored in a file called information.txt. This file is packaged along with other stolen data and zipped before being sent back to the C2 server,” wrote Segura.
Vidar allows hackers to download additional payload
The researchers then observed that Vidar also allows its authors to download additional malware via its command and control server, and using this feature, the threat actor installed the GandCrab ransomware into a victim’s system within minutes after Vidar was deployed. The ransomware instantly encrypted files stored in the device and hijacked the wallpaper to inform the victim that his.her files have been encrypted.
“Threat actors can use ransomware for a variety of reasons within their playbook. It could be, for instance, a simple decoy where the real goal is to irreversibly corrupt systems without any way to recover lost data. But as we see here, it can be coupled with other threats and used as a last payload when other resources have already been exhausted.
“As a result, victims get a double whammy. Not only are they robbed of their financial and personal information, but they are also being extorted to recover the now encrypted data,” Segura added.
In order to prevent malware such as Vidar or Gandcrab from infecting their systems, users may use anti-exploit and anti-malware tools that are capable of mitigating Internet Explorer and Flash Player exploits delivered by the Fallout exploit kit.