Cybercriminals double up using Vidar and GandCrab in single attacks

At least one threat actor is using a combination of the info stealer Vidar and GandCrab ransomware to put a double whammy on their victims and increase their odds of coming away with something of value during an attack.

Jerome Segura, head of investigations at Malwarebytes Labs, has tracked the campaign, which uses the Fallout and GrandSoft exploit kits to first install Vidar and then a secondary payload containing GandCrab. This tandem attack is unusual, he noted.

"We've seen attackers use ransomware (or more so wipers) to erase their tracks after a successful intrusion and theft, but that is typically more the territory of APT actors," he said.

Even more concerning is that, unlike other info stealers, Vidar is active and does not wait for the victim to visit a specific type of site before grabbing content. Instead, it allows the user to preset the malware to search for and remove specific data sets, Segura said.

The first step has the attackers using a rogue advertising domain to redirect victims to one of the two EKs, depending on their location, with Fallout being the primary EK used. The next step is to install Vidar, which can be found for sale on the dark web for around $700. Segura described Vidar as extremely flexible, capable of stealing a wide range of content, including a large number of digital wallets, browser histories and instant messages.

All of the info is stored in a .zip folder and sent to the command and control server, and this sets the stage for the second payload, which starts within about one minute of the initial download.

“Vidar also offers to download additional malware via its command and control server. This is known as the loader feature, and again, it can be configured within Vidar’s administration panel by adding a direct URL to the payload,” Segura said.

Segura believes this extra level of malware is included to boost the criminal's chances of stealing something of worth in case the info stealer comes up empty.
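As an added illustration (not code from the article, SC Media or Malwarebytes), the following detection heuristic looks for that two-stage sequence in proxy logs: a sizeable .zip upload from a client, followed within about a minute by an executable download from the same destination host. The log lines, host names, paths and timings are constructed sample data.

```python
from datetime import datetime
from urllib.parse import urlparse

# Constructed proxy log lines: timestamp client method url bytes_out content_type
SAMPLE_LOGS = """\
2019-01-10T10:00:01Z 10.0.0.5 POST http://c2.example.invalid/upload 204800 application/zip
2019-01-10T10:00:03Z 10.0.0.5 GET http://cdn.example.invalid/update.js 0 application/javascript
2019-01-10T10:00:47Z 10.0.0.5 GET http://c2.example.invalid/payload.exe 0 application/octet-stream
2019-01-10T10:05:00Z 10.0.0.7 POST http://backup.example.invalid/sync 512000 application/zip
2019-01-10T10:20:00Z 10.0.0.7 GET http://backup.example.invalid/agent.exe 0 application/octet-stream
"""


def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp and host."""
    ts, client, method, url, bytes_out, ctype = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "method": method,
        "url": url,
        "host": urlparse(url).hostname,
        "bytes_out": int(bytes_out),
        "ctype": ctype,
    }


def detect_exfil_then_loader(log_text, window_seconds=60, min_upload_bytes=50_000):
    """Flag a zip upload followed within `window_seconds` by an executable download
    from the same client to the same host (the stealer-then-loader pattern)."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    alerts = []
    for i, up in enumerate(events):
        if (up["method"] != "POST" or up["ctype"] != "application/zip"
                or up["bytes_out"] < min_upload_bytes):
            continue
        for dl in events[i + 1:]:
            gap = (dl["ts"] - up["ts"]).total_seconds()
            if gap > window_seconds:
                break  # events are time-ordered; later ones are outside the window
            if (dl["client"] == up["client"] and dl["host"] == up["host"]
                    and dl["method"] == "GET" and dl["ctype"] == "application/octet-stream"):
                alerts.append({"client": up["client"], "host": up["host"],
                               "gap_seconds": gap, "payload_url": dl["url"]})
    return alerts
```

The second client's upload and download are fifteen minutes apart, so only the first sequence is flagged; in a real deployment the host and content-type matching would be tuned to the proxy's actual field names.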

Once installed, GandCrab will encrypt the device's files and replace the computer's wallpaper with the ransom note.
