Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Ransomware

1/8/2019
08:15 AM
Scott Ferguson
Scott Ferguson
News Analysis-Security Now
50%
50%

New Malvertising Campaign Delivers Vidar Stealer Plus Ransomware

Malwarebytes Labs has uncovered a new malvertising campaign in the wild that delivers a one-two punch: the Vidar data stealer and GrandCrab ransomware.

A new "malvertising" campaign spotted in the wild is delivering a malicious one-two punch to victims: The first is the data stealer Vidar and the second is the GrandCrab ransomware strain, according to a recent report.

Researchers at Malwarebytes Labs first took notice of the malvertising campaign and published their findings in a January 4 blog post. It's not clear who is behind this particular attack or how widespread it is right now, but the report noted that the threat actors are essentially using off-the-shelf tools, including the Fallout exploit kit, which takes advantage of flaws in Adobe Flash and Microsoft Internet Explorer, to deliver these malicious payloads

This campaign has its origins in the advertising that usually accompanies torrent and streaming video. The person or group behind this particular campaign used this poorly regulated system to create a rogue advertising domain and redirect users to different exploit kits, including Fallout.

It's through these exploit kits that the one-two punch is delivered -- the stealer first followed by the ransomware.

At first, the researcher believed that the stealer being used was an older piece of malware called Arkei. However, further tests came up with Vidar, which has only been active since October 2018, but shares similarities with Arkei.

Vidar -- its name has origins in Norse mythology -- is written in C++ and it highly customizable. It has the capability to swipe and steal personal data from any number of web browsers, including Tor. Additionally, it can steal cryptocurrency wallets, data from two-factor authentication software, instant messages and much more, according to an independent analysis.

On the Dark Web, the Vidar kit can be bought for as little as $700.

However, when the researcher traced the campaign back to the command-and-control (C&C) server, they noticed that the attackers had a second malicious payload ready to be delivered once the Vidar stealer started its work.

"Vidar also offers to download additional malware via its command and control server," according to the Malwarebytes blog. "This is known as the loader feature, and again, it can be configured within Vidar's administration panel by adding a direct URL to the payload. However, not all instances of Vidar (tied to a profile ID) will download an additional payload. In that case, the server will send back a response of "ok" instead of a URL."

This then leads to the second part of the attack, GrandCrab, which is what some security researchers refer to as ransomware-as-service, as it relies on third-parties to help spread it. (See Kraken Cryptor Update Points to Rise of Ransomware-as-a-Service.)

Unlike other ransomware, GrandCrab is frequently updated -- the current version is 5.0.4 -- which helps it evade security software. Malwarebytes recommends that businesses update and patch IE and Flash to avoid this particular campaign before the ransomware can be downloaded.

Related posts:

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.