CATEGORY: Data breach
GandCrab ransomware and the Vidar stealer have been observed together attacking Windows-based servers and PCs. The pair is delivered through a malvertising chain, and the advertising networks involved are often aggressive and poorly regulated. A malicious actor operating a rogue advertising domain redirects site visitors to one of several exploit kits depending on their geolocation. The Fallout exploit kit is the one most actively observed in this chain, and the payload most often noted is Vidar, which exfiltrates confidential information before the host is finally infected with GandCrab ransomware.
It should be noted that Vidar is sold as a product, and as such can be distributed by several different threat groups through different campaigns.
Vidar customers can customize the stealer through profiles, which let them choose which kinds of data they are interested in. Beyond the usual credit card numbers and passwords stored in applications, Vidar can also scrape an impressive selection of digital wallets.
Upon execution, Vidar searches the system for the data specified in its profile configuration and immediately sends it to the C2 server in an unencrypted HTTP POST request. Because the transport is plain HTTP, the upload is visible in full to any network monitoring or proxy on the path, which makes it a reliable detection point.
This includes high-level system details (hardware specs, running processes, and installed applications) and information about the victim (IP address, country, city, and ISP), written to a file called information[.]txt. This file is packaged with the other stolen data into a zip archive before being sent to the C2 server.
Vidar can also download additional malware from its command and control server. This is known as the loader feature, and it too is configured in Vidar's administration panel by adding a direct URL to the payload. Not every Vidar instance (tied to a profile ID) downloads an additional payload; in that case the server responds with "ok" instead of a URL.
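The exfiltration format and the loader reply described in the preceding paragraphs, as an added detection example that is not part of the original write-up or of any vendor tooling: it parses a plain-HTTP POST, checks whether the body is a zip archive containing information.txt, and interprets the C2 reply as either "ok" (no second payload) or a payload URL. The sample archive, the request, the host name c2.example and the URL path are constructed here for illustration, and the Content-Type header is an assumption; the article does not describe the request headers.

```python
import io
import zipfile
from dataclasses import dataclass, field
from typing import Optional

ZIP_MAGIC = b"PK\x03\x04"  # local file header that begins every non-empty zip archive

# --- constructed sample traffic (not a real capture) ------------------------

def build_sample_archive() -> bytes:
    """Build an in-memory zip shaped like the one the text describes:
    stolen data plus an information.txt with host and victim details."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("information.txt",
                    "OS: Windows 10\nIP: 203.0.113.5\nCountry: XX\nISP: Example ISP\n")
        zf.writestr("passwords.txt", "example.org|user|hunter2\n")
    return buf.getvalue()


def build_sample_post(body: bytes, host: str = "c2.example", path: str = "/") -> bytes:
    """Wrap a body in a minimal plain-HTTP POST. Host, path and the
    Content-Type header are assumptions made for this example."""
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/octet-stream\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    )
    return head.encode() + body

# --- detection logic ----------------------------------------------------------

@dataclass
class Finding:
    host: str
    path: str
    archive_names: list = field(default_factory=list)
    suspicious: bool = False
    reason: str = ""


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return method.decode(), path.decode(), headers, body


def inspect_post(raw: bytes) -> Finding:
    """Flag a plain-HTTP POST whose body is a zip archive containing
    information.txt, the exfiltration shape the text describes."""
    method, path, headers, body = parse_http_request(raw)
    finding = Finding(host=headers.get("host", ""), path=path)
    if method != "POST" or not body.startswith(ZIP_MAGIC):
        finding.reason = "not a zip upload"
        return finding
    try:
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            finding.archive_names = zf.namelist()
    except zipfile.BadZipFile:
        # Zip magic with no readable archive is worth a look on its own.
        finding.suspicious, finding.reason = True, "zip magic but unreadable archive"
        return finding
    if "information.txt" in finding.archive_names:
        finding.suspicious, finding.reason = True, "zip upload containing information.txt"
    else:
        finding.reason = "zip upload without information.txt"
    return finding


def parse_loader_response(body: str) -> Optional[str]:
    """Interpret the C2 reply to the exfiltration POST as the text describes:
    'ok' means no additional payload, otherwise the body is the payload URL."""
    text = body.strip()
    if text == "ok":
        return None
    if text.lower().startswith(("http://", "https://")):
        return text
    raise ValueError(f"unexpected loader response: {text[:40]!r}")


if __name__ == "__main__":
    print(inspect_post(build_sample_post(build_sample_archive())))
    print(parse_loader_response("ok"))
```

On real traffic the raw request bytes would come from a pcap or proxy log rather than build_sample_post; the two indicators the text actually supports are the zip upload containing information.txt and the "ok" reply, so those are the only two conditions the code treats as signal.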
Within about a minute of the initial Vidar infection, the victim's files are encrypted and the desktop wallpaper is replaced with the ransom note for GandCrab version 5.04.
Once the files are encrypted, the victim is asked to pay a ransom in exchange for decrypting them.
INDICATORS OF COMPROMISE
Never trust and never click on: