Cybercriminals using combination of Vidar Infostealer Malware and GandCrab Ransomware in single attack

• Researchers identified that attackers initially used Fallout exploit kit to install Vidar malware and then a secondary payload containing GandCrab Ransomware.
• Researchers reported that once the victims are infected with Vidar Infostealer, GandCrab Ransomware will encrypt victims’ files and replace the system’s wallpaper with a ransom note for GrandCrab v5.04.

Attackers are using a combination of Vidar Malware and GandCrab Ransomware to attack victims. Security researchers from Malwarebytes investigated the campaign and detected that several exploit kits such as Fallout and GrandSoft were used to initially install Vidar malware and then a secondary payload containing GandCrab ransomware was used. However, Vidar Infostealer malware was distributed primarily via Fallout exploit kit.

The researchers stated that they spotted a secondary payload retrieved from Vidar malware’s C&C server. They further reported that the victims were first infected with Vidar Infostealer which attempted to steal victims’ sensitive information, before being compromised with the GandCrab Ransomware.

The first step features the attackers using a rogue advertising domain to redirect the victims to at least two different exploit kits such as Fallout and GrandSoft, based on their geolocation and provenance.

Vidar's capabilities

Vidar malware is sold as a product and can be distributed by several hacker groups through multiple campaigns.

• The malware can extract credit card numbers and other credentials stored in various applications.
• The stealer can also steal from an impressive selection of digital wallets.
• Once it starts running, Vidar will scan for any data specified in its profile configuration and send it back to the C&C server through an unencrypted HTTP POST request.

“Vidar also offers to download additional malware via its command and control server. This is known as the loader feature, and again, it can be configured within Vidar’s administration panel by adding a direct URL to the payload,” the researchers said.

Once infected with Vidar malware, GandCrab Ransomware will encrypt victims’ files and replace the system’s wallpaper with a ransom note for GandCrab v5.04.