Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
SEVERITY: High
CATEGORY: Data breach
ANALYSIS SUMMARY
GandCrab ransomware and the Vidar stealer are being delivered together against Windows-based servers and PCs. The combo is distributed through a malvertising chain: the advertising involved is aggressive and poorly regulated, and a malicious actor operating a rogue advertising domain redirects site visitors to different Fallout exploit kit landing pages according to their geolocation. Vidar is the payload observed most often; it extracts confidential information from the host, which is then compromised with GandCrab ransomware.
VIDAR
It should be noted that Vidar is sold as a product, and as such can be distributed by several different threat groups through different campaigns.
Vidar customers can customize the stealer via profiles, which gives them a way to adjust which kind of data they are interested in. Beyond the usual credit card numbers and other passwords stored in applications, Vidar can also scrape an impressive selection of digital wallets.
Upon execution on the system, Vidar will search for any data specified in its profile configuration and immediately send it back to the C2 server via an unencrypted HTTP POST request.
This includes high-level system details (specs, running processes, and installed applications) and stats about the victim (IP address, country, city, and ISP) stored in a file called information[.]txt. This file is packaged along with the other stolen data and zipped before being sent back to the C2 server.
GRANDCRAB
Vidar can also download additional malware from its command and control server. This is known as the loader feature, and again it is configured within Vidar's administration panel by adding a direct URL to the payload. However, not every instance of Vidar (tied to a profile ID) will download an additional payload. In that case, the server sends back a response of "ok" instead of a URL.
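The two behaviours described above (the unencrypted HTTP POST carrying a zip with information.txt, and the loader response that is either "ok" or a payload URL) are simple enough to check for in captured traffic. The following detection helper is an added example and not code from the advisory; the host name, path and file contents are constructed placeholders, not indicators from the page.

```python
import io
import zipfile


def build_sample_post() -> bytes:
    """Constructed sample: an unencrypted HTTP POST whose body is a zip archive
    shaped like the exfiltration described in the advisory (placeholder host/path)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("information.txt", "OS: Windows 10\nIP: 203.0.113.5\nISP: example\n")
        zf.writestr("passwords.txt", "constructed sample data\n")
    body = buf.getvalue()
    head = (
        b"POST /upload HTTP/1.1\r\n"
        b"Host: c2.example.invalid\r\n"
        b"Content-Type: application/octet-stream\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n"
    )
    return head + body


def split_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ")[0].decode(errors="replace")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode(errors="replace")] = value.strip().decode(errors="replace")
    return method, headers, body


def looks_like_vidar_exfil(raw: bytes) -> bool:
    """True if the request is a POST whose body is a zip archive containing information.txt."""
    method, _headers, body = split_http_request(raw)
    if method != "POST" or not body.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            names = {name.lower() for name in zf.namelist()}
    except zipfile.BadZipFile:
        return False
    return "information.txt" in names


def loader_payload_url(response_body: bytes):
    """Return the payload URL from a loader response, or None when the server answered 'ok'."""
    text = response_body.strip().decode(errors="replace")
    if text.lower() == "ok":
        return None
    return text if text.lower().startswith(("http://", "https://")) else None
```

Running looks_like_vidar_exfil over the plaintext POSTs in a packet capture gives a defender a quick triage hook; loader_payload_url flags the C2 replies that would trigger the second-stage download.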
Within about a minute of the initial Vidar infection, the victim's files are encrypted and their wallpaper is hijacked to display the ransom note for GandCrab version 5.04.
Once the files are encrypted, the victim is asked for a ransom payment in order to get their files decrypted.
IMPACT
INDICATORS OF COMPROMISE
URLS
MALWARE HASHES
REMEDIATION
Never trust and never click on: