Attackers are using a combination of the Vidar information stealer and GandCrab ransomware against victims. Security researchers at Malwarebytes investigated the campaign and found that exploit kits, including Fallout and GrandSoft, were used to install Vidar first, after which a secondary payload containing GandCrab ransomware was delivered. Vidar was distributed primarily via the Fallout exploit kit.
The researchers stated that they spotted a secondary payload retrieved from Vidar malware’s C&C server. They further reported that the victims were first infected with Vidar Infostealer which attempted to steal victims’ sensitive information, before being compromised with the GandCrab Ransomware.
In the first step, the attackers use a rogue advertising domain to redirect victims to at least two different exploit kits, Fallout and GrandSoft, depending on the victims' geolocation and provenance.
Vidar malware is sold as a product and can be distributed by several hacker groups through multiple campaigns.
“Vidar also offers to download additional malware via its command and control server. This is known as the loader feature, and again, it can be configured within Vidar’s administration panel by adding a direct URL to the payload,” the researchers said.
Once Vidar has retrieved and run the secondary payload, GandCrab ransomware encrypts the victim's files and replaces the system wallpaper with a ransom note for GandCrab v5.04.