We have been tracking a prolific malvertising campaign for several weeks and captured a variety of payloads, including several stealers.
One that we initially identified as Arkei turned out to be Vidar, a new piece of malware recently analyzed in detail by Fumik0_ in his post: Let’s dig into Vidar – An Arkei Copycat/Forked Stealer (In-depth analysis).
Being referred to as “The Silent One” seems to be fitting for this stealer that can loot from browser histories (including the Tor Browser) and cryptocurrency wallets, capture instant messages, and more.
We witnessed a threat actor using the Fallout exploit kit to distribute Vidar. But victims won’t notice that as much, as the secondary and noisier payload being pushed is GandCrab ransomware.
A malvertising chain leads us to the Fallout exploit kit followed by what we thought was an Arkei stealer. Upon a closer look, while the sample did share many similarities with Arkei (including network events), it was actually a newer and not yet publicly described piece of malware now identified as Vidar.
Beyond Vidar’s stealer capabilities, we also noticed a secondary payload that was retrieved from Vidar’s own command and control (C2) server.
The infection timeline showed that victims were first infected with Vidar, which attempted to extract confidential information, before they were eventually compromised with the GandCrab ransomware.
Malvertising & Fallout exploit kit:
Torrent/streaming video sites drive a lot of traffic, and their advertising is often aggressive and poorly-regulated.
A malicious actor using a rogue advertising domain is redirecting these site visitors according to their geolocation and provenance to at least two different exploit kits (Fallout EK and GrandSoft EK), although the former is the most active.
Stealers such as AZORult seem to be a favorite payload here, but we also noticed that Arkei/Vidar was quite common.
In this particular instance, we noticed Vidar being pushed via the Fallout exploit kit.
It should be noted that Vidar is sold as a product, and as such can be distributed by several different threat groups through different campaigns.
Vidar customers can customize the stealer via profiles, which gives them a way to adjust which kind of data they are interested in.
Beyond the usual credit card numbers and other passwords stored in apps, Vidar can also scrape an impressive selection of virtual wallets.
Upon execution on the system, Vidar will search for any data specified in its profile configuration and immediately send it back to the C2 server via an unencrypted HTTP POST request.
This includes high-level system details (specs, running processes, and installed applications) and stats about the victim (IP address, country, city, and ISP) stored in a file called information.txt. This file is packaged along with other stolen data and zipped before being sent back to the C2 server.
GandCrab as a loader:
Vidar also offers to download additional malware via its command and control server.
This is known as the loader feature, and it can be configured within Vidar’s administration panel by adding a direct URL to the payload.
However, not all instances of Vidar will download an additional payload. In that case, the server will send back a response of “ok” instead of a URL.
HTTP/1.1 200 OK
Date:
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Server: Pro-Managed
Content-Length: 51

http://ovz1.fl1nt1kk.10301.vps.myjino[.]ru/topup.exe;
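For analysts triaging captures of this C2 traffic, the following is an added example (not code from the original post or from the malware) that parses a loader response like the one above, distinguishes the "ok" (no payload) case from a payload URL, checks that the capture is not truncated against Content-Length, and defangs the URL for reporting. The sample response and its placeholder domain are constructed; treating the body as a list of ';'-terminated entries is an assumption based on the single observed response.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the loader response shown above.
# The domain is a placeholder (.invalid is a reserved TLD), not a real C2.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: \r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Connection: keep-alive\r\n"
    b"Server: Pro-Managed\r\n"
    b"Content-Length: 40\r\n"
    b"\r\n"
    b"http://c2-placeholder.invalid/topup.exe;"
)

def split_http_response(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 response into status line, lowercase header map and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def loader_urls(raw: bytes) -> List[str]:
    """Return payload URLs from a Vidar loader response, or [] when the server
    answered "ok" (no secondary payload for this infection)."""
    status, headers, body = split_http_response(raw)
    if not status.startswith("HTTP/1.1 200"):
        return []
    declared = headers.get("content-length")
    if declared is not None and int(declared) != len(body):
        # A partial capture must not be mistaken for an "ok" response.
        raise ValueError("truncated capture: body length != Content-Length")
    text = body.decode("latin-1").strip()
    if text.lower() == "ok":
        return []
    # Assumption: entries are ';'-terminated, as in the observed response.
    return [u.strip() for u in text.split(";") if u.strip().startswith("http")]

def defang(url: str) -> str:
    """Make a URL safe to paste into a report: hxxp scheme and [.] separators."""
    return re.sub(r"^http", "hxxp", url).replace(".", "[.]")

if __name__ == "__main__":
    for url in loader_urls(SAMPLE_RESPONSE):
        print("loader URL:", defang(url))
```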
Within about a minute after the initial Vidar infection, the victim’s files will be encrypted and their wallpaper hijacked to display the note for GandCrab version 5.04.
Ransomware as a last payload:
While ransomware experienced a mild slowdown in 2018, it is still one of the most dangerous threats.
However, threat actors can use ransomware for a variety of reasons within their playbook.
It could be, for example, a simple decoy where the real goal is to irreversibly corrupt systems without any way to recover lost data.
As we see here, though, it can be coupled with other threats and used as a last payload when other resources have already been exhausted.
As a result, victims get a double whammy. Not only are they robbed of their financial and personal info but they are also being extorted to recover the now encrypted data.