Malvertising Campaign Delivers Double Whammy of Ransomware and Info-Stealing

The whole attack takes place in under a minute.

A multi-payload and ongoing malvertising campaign is distributing a newly discovered info-stealer as well as the GandCrab ransomware.

The info-stealer is named Vidar, after the Norse god Víðarr, who was the son of Odin in mythology. According to researcher Fumik0, who discovered it in December, Vidar steals documents, cookies and browser histories (including from Tor), currency from a wide array of cryptocurrency wallets, data from 2FA software and text messages, and it can also take screenshots. The package also offers malware operators Telegram notifications for important logs. And lastly, threat actors can customize the stealer via profiles, which allow them to specify the kind of data they are interested in.

Now, researchers have observed Vidar being delivered via the Fallout exploit kit in advance of the secondary GandCrab ransomware – as part of an aggressive malvertising campaign.

“Torrent and streaming video sites drive a lot of traffic, and their advertising is often aggressive and poorly-regulated,” Malwarebytes researcher Jérôme Segura detailed, in a post last week. “A malicious actor using a rogue advertising domain is redirecting these site visitors according to their geolocation and provenance to at least two different exploit kits (Fallout EK and GrandSoft EK), although the former is the most active.”

In their campaign analysis, researchers saw that Vidar will search for any data specified in its profile configuration and immediately send it back to the command-and-control (C2) server via an unencrypted HTTP POST request. This includes high-level system details (specs, running processes, and installed applications) and stats about the victim (IP address, country, city, and ISP) stored in a file called information.txt. This file is packaged along with other stolen data and zipped before being sent back to the C2 server.

After that, Vidar can download additional malware – in this case, GandCrab.

“This is known as the loader feature, and again, it can be configured within Vidar’s administration panel by adding a direct URL to the payload,” Segura explained. “However, not all instances of Vidar (tied to a profile ID) will download an additional payload. In that case, the server will send back a response of ‘ok’ instead of a URL.”
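The two behaviours described above (a zipped bundle containing information.txt posted to the C2 over plain HTTP, and a C2 reply that is either a bare "ok" or a payload URL) are concrete enough to look for on the wire. The following is an added defensive example, not code from the Malwarebytes write-up or from Vidar itself: it reassembles a plaintext HTTP POST, checks whether the body is a zip archive whose member list includes information.txt, and classifies a loader response. The request path, host name, file names inside the archive and the exact response format are all constructed assumptions for the sample; only the information.txt name, the zip packaging, the unencrypted POST and the "ok"-versus-URL reply come from the article.

```python
import io
import zipfile

# --- constructed sample traffic (not a real capture) -----------------------

def build_sample_exfil_zip() -> bytes:
    """Build a zip shaped like the bundle the article describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # information.txt is the file name the article reports; contents are made up.
        zf.writestr("information.txt", "CONSTRUCTED: os, cpu, processes, ip, country, isp\n")
        zf.writestr("cookies/Chrome_cookies.txt", "CONSTRUCTED cookie dump\n")
    return buf.getvalue()


def build_http_post(body: bytes, host: str = "c2.example.invalid") -> bytes:
    """Wrap a body in a minimal HTTP/1.1 POST (path and host are assumptions)."""
    head = (
        f"POST /upload HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Type: application/octet-stream\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode()
    return head + body


# --- detection logic --------------------------------------------------------

def split_http(raw: bytes):
    """Split a reassembled plaintext HTTP request into request line, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode(errors="replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return lines[0], headers, body


def inspect_post(raw: bytes) -> dict:
    """Flag a POST whose body is a zip containing information.txt."""
    request_line, headers, body = split_http(raw)
    result = {
        "is_post": request_line.startswith("POST "),
        "is_zip": body.startswith(b"PK\x03\x04"),   # zip local-file-header magic
        "members": [],
        "suspicious": False,
        "reasons": [],
    }
    if result["is_zip"]:
        try:
            with zipfile.ZipFile(io.BytesIO(body)) as zf:
                result["members"] = zf.namelist()
        except zipfile.BadZipFile:
            result["reasons"].append("zip magic present but archive unreadable")
    if result["is_post"] and result["is_zip"]:
        names = {m.rsplit("/", 1)[-1].lower() for m in result["members"]}
        if "information.txt" in names:
            result["suspicious"] = True
            result["reasons"].append(
                "zip posted over unencrypted HTTP bundles information.txt"
            )
    return result


def classify_loader_response(body: bytes) -> str:
    """Classify the C2 reply: 'ok' means no loader; a URL means a payload follows.
    The exact wire format is an assumption based on the article's description."""
    text = body.decode(errors="replace").strip()
    if text.lower() == "ok":
        return "no-loader"
    if text.startswith(("http://", "https://")):
        return "loader-url"
    return "unknown"


if __name__ == "__main__":
    verdict = inspect_post(build_http_post(build_sample_exfil_zip()))
    print("suspicious:", verdict["suspicious"], verdict["reasons"])
    print("members:", verdict["members"])
    print(classify_loader_response(b"ok"))
    print(classify_loader_response(b"http://payload.example.invalid/stage2.bin"))
```

In a real deployment the same check would run on bodies reassembled by a proxy or IDS rather than on the constructed sample; because the article stresses that the POST is unencrypted, this is one of the few stealer behaviours visible without TLS interception.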

If it downloads the ransomware, the victim’s files will be encrypted and the machine’s wallpaper hijacked to display the note for GandCrab version 5.04. All of this takes place within one minute of the initial Vidar infection, according to the researcher.

“Threat actors can use ransomware for a variety of reasons within their playbook,” Segura explained. “It could be, for instance, a simple decoy where the real goal is to irreversibly corrupt systems without any way to recover lost data. But as we see here, it can be coupled with other threats and used as a last payload when other resources have already been exhausted.”

So, not only are the victims robbed, but they’re also subjected to extortion to regain control of their files.

“What makes this new mix novel and potent is its multi-pronged effort to establish an infection path—its use of the digital ad supply chain to spread its reach, two exploit kits to infect machines with a new data theft trojan, followed by ransomware that locks users out of their machines,” said Mike Bittner, digital security and operations manager for The Media Trust, via email.

He added that in order to avoid inadvertently participating in the scheme, operators and owners of ad-supported websites should make sure their ads and websites are free of malicious third-party code – which he admits is a tall order.

“An ad-supported site can have hundreds, if not thousands, of third-party code executed by often unknown, constantly changing third-party code providers,” he said. “But just as you would monitor who enters your home, you should scan ads and sites in order to identify and, if needed, terminate any unauthorized code at their source.”
