
GandCrab returns with trojans and redundancy

The GandCrab ransomware has returned with a new set of trojans in addition to its initial infection.

The addition of new tools comes just over a week after at least one threat actor began pairing the Vidar info stealer with the ransomware to increase the odds of taking something of value away from the attack.

The latest attacks are using PowerShell as an entry point to deliver the first stage of the attacks rather than for encryption.

The payload is a Base64-encoded portable executable (PE) built with AutoIt, a freeware automation language for Microsoft Windows.

“AutoIt generated PE acts as an unpacker to download other binaries from different servers and create multi layered attack scenario to cover all operating systems with different protections,” Check Point researchers said in the post.

“This includes downloading two types of ransomwares and trojans and monitoring the ransomware processes and relaunching them in case there was a crash and abrupt termination.”
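The entry point described above, a PowerShell command that carries a Base64-encoded PE image, leaves a distinctive trace in process-creation or script-block logs. The following Python scanner is an added example, not code from the article or from Check Point: it decodes long Base64 runs in a command line, checks whether the result has an MZ/PE header, and also unwraps `-EncodedCommand` (UTF-16LE) arguments before rescanning. The sample log lines and the 128-byte stand-in PE image are constructed for the example and are not real malware.

```python
import base64
import binascii
import re
import struct
from typing import List, Optional

# Runs of Base64 alphabet long enough to carry an executable; short tokens
# such as GUIDs or hashes are ignored.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc).
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def looks_like_pe(blob: bytes) -> bool:
    """True if blob has a DOS 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def _b64decode_lenient(token: str) -> Optional[bytes]:
    """Decode a Base64 token, tolerating stripped padding; None if it is not valid Base64."""
    token = token.rstrip("=")
    if len(token) % 4 == 1:          # no valid Base64 string has this length
        return None
    try:
        return base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None


def embedded_pe_blobs(text: str) -> List[bytes]:
    """Return every Base64 run in text that decodes to something with PE headers."""
    found = []
    for m in B64_RUN.finditer(text):
        raw = _b64decode_lenient(m.group(0))
        if raw is not None and looks_like_pe(raw):
            found.append(raw)
    return found


def analyse_commandline(cmdline: str) -> dict:
    """Report whether a PowerShell command line carries an encoded command and/or an embedded PE."""
    result = {"encoded_command": False, "embedded_pe": False, "pe_sizes": []}
    texts = [cmdline]
    m = ENC_FLAG.search(cmdline)
    if m:
        raw = _b64decode_lenient(m.group(1))
        if raw is not None:
            result["encoded_command"] = True
            try:
                # -EncodedCommand payloads are UTF-16LE script text; rescan the script itself
                texts.append(raw.decode("utf-16-le"))
            except UnicodeDecodeError:
                pass
    for text in texts:
        for blob in embedded_pe_blobs(text):
            result["embedded_pe"] = True
            result["pe_sizes"].append(len(blob))
    return result


def scan_log(lines: List[str]) -> List[tuple]:
    """Return (line index, findings) for every line that embeds a PE image."""
    hits = []
    for i, line in enumerate(lines):
        r = analyse_commandline(line)
        if r["embedded_pe"]:
            hits.append((i, r))
    return hits


def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE image: valid MZ/PE headers, no code at all."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew -> right after the DOS header
    return bytes(dos) + b"PE\0\0" + b"\0" * 60  # 128 bytes in total


# Constructed sample process-creation command lines (not taken from the article).
FAKE_PE_B64 = base64.b64encode(build_fake_pe()).decode()
INNER_SCRIPT = f"$p='{FAKE_PE_B64}'"
SAMPLE_LOGS = [
    "powershell.exe -Command Get-Process | Out-File C:\\temp\\procs.txt",
    f'powershell.exe -NoP -W Hidden -Command "{INNER_SCRIPT}"',
    "powershell.exe -EncodedCommand "
    + base64.b64encode(INNER_SCRIPT.encode("utf-16-le")).decode(),
]

if __name__ == "__main__":
    for idx, findings in scan_log(SAMPLE_LOGS):
        print(f"line {idx}: {findings}")
```

The MZ/PE check is what separates a dropper-style blob from the many benign Base64 strings (certificates, serialized objects, encoded scripts) that also appear in PowerShell logs; a rule that fires on long Base64 alone is too noisy to be useful.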

In the most recent string of attacks, Check Point researchers have spotted threat actors delivering two variants of GandCrab along with a variant of BetaBot, aka Neurevt, and the AzorUlt data stealer as part of a secondary payload.

The two GandCrab variants provide redundancy: if one crashes, the other still infects the machine, so the threat actor still profits.

Researchers described BetaBot as a “Swiss army knife” type of malware without a sole purpose, its behavior instead being determined by its C2 server.

BetaBot runs first and takes several steps in order to execute properly and avoid detection. After the malware injections, other binaries are downloaded from the command and control server to gather information on the victim’s machine, search for analysis and debugging tools, detect virtual machine environments, and identify and disable certain antivirus and firewall tools.

The info stealing malware is known to be used to steal log-in credentials and financial data although it is unclear if that is what the malware is used for in the GandCrab affiliated infections, researchers said.

The AzorUlt data stealer variant is used to harvest cryptocurrency wallets saved on the machine, extract credentials saved in FTP, IM and email clients, and stay dormant while awaiting instructions from its command and control server.
