Delaware, USA – January 9, 2019 – One of the threat actors behind a malvertising campaign is distributing the Vidar infostealer to collect credentials and install GandCrab ransomware as a secondary payload. Experts from Malwarebytes discovered this threat while investigating a massive malvertising campaign that redirects victims to Fallout and GrandSoft exploit kit landing pages, though only the Fallout EK drops the Vidar infostealer. This malware has been sold for just $700 on the Darknet for several months, so we can assume it was weaponized by the operators of Fallout EK, who are interested in getting the maximum profit from their campaigns. Vidar is based on the code of the Arkei malware and is designed to collect system information, steal user credentials and browser history (including Tor), hijack wallets and data from 2FA software, and download and install additional malware. In this campaign, the infostealer downloads the latest version of GandCrab ransomware immediately after Vidar has collected all the available data and sent it to the command and control server. It takes only about a minute from the start of the infection to file encryption.
Threat actors behind the Fallout exploit kit have been using different Ransomware-as-a-Service platforms for several months, switching between them as updates are released. Using the infostealer is especially dangerous for victims who are willing to pay to decrypt their files, since in this case Vidar remains on the system and continues spying after decryption, ready to download an additional payload at any time at the adversaries' request.
To detect the latest version of GandCrab, you can use updated rules from Threat Detection Marketplace: https://tdm.socprime.com/tdm/info/1356/