Rewterz Threat Advisory – Vidar and GrandCrab Stealer and Ransomware emerging in the Wild as a pair

SEVERITY: High

CATEGORY: Data breach

ANALYSIS SUMMARY

GrandCrab ransomware and vidar stealer are here to attack Windows-based servers and PCs. The combo operates through a malvertising chain. Their advertising is often aggressive and poorly regulated. A malicious actor using a rogue advertising domain redirects site visitors to different fallout kits according to their geolocation, in which vidar is the most actively noted, which extracts confidential information before eventually being compromised with GrandCrab ransomware.

VIDAR 

It should be noted that Vidar is sold as a product, and as such can be distributed by several different threat groups through different campaigns.

Vidar customers can customize the stealer via profiles, which gives them a way to adjust which kind of data they are interested in. Beyond the usual credit card numbers and other passwords stored in applications, Vidar can also scrape an impressive selection of digital wallets.

Upon execution on the system, Vidar will search for any data specified in its profile configuration and immediately send it back to the C2 server via an unencrypted HTTP POST request.
This includes high level system details (specs, running processes, and installed applications) and stats about the victim (IP address, country, city, and ISP) stored in a file called information[.]txt. This file is packaged along with other stolen data and zipped before being sent back to the C2 server.

GRANDCRAB

Vidar also offers to download additional malware via its command and control server. This is known as the loader feature, and again, it can be configured within Vidar’s administration panel by adding a direct URL to the payload. However, not all instances of Vidar (tied to a profile ID) will download an additional payload. In that case, the server will send back a response of “ok” instead of a URL.
Within about a minute after the initial Vidar infection, the victim’s files will be encrypted and their wallpaper will be hijacked to display the ransom note for GrandCrab version 5.04.

Once the files are encrypted, the victim is asked for a ransom payment in order to get their files decoded.

IMPACT

• Leaking of confidential, financial and personal information.
• Extortion to recover encrypted data.

INDICATORS OF COMPROMISE

URLS

• ovz1.fl1nt1kk.10301.vps.myjino[.]ru/topup.exe
• kolobkoproms[.]ug

MALWARE HASHES

• E99DAF10E6CB98E93F82DBE344E6D6B483B9073E80B128C163034F68DE63BE33
• ABF3FDB17799F468E850D823F845647738B6674451383156473F1742FFBD61EC

REMEDIATION

Never trust and never click on:

• The emails you weren’t expecting, especially those coming from unfamiliar senders.
• All the pop-ups on your screen even if they look harmless.
• The ads found on Internet while browsing, like banners and others.