Users become victims by visiting a deceptive advertisement webpage which uses Fallout and GrandSoft exploit kits to infect, depending on the geolocation and origin. After the exploit kits are accessed, Vidar malware, which was thought to be an Arkei stealer initially, attempts to steal user’s information. Once it runs its course, the GandCrab ransomware then begins operating. The malware itself is sold to hacker groups and can be used in multiple campaigns. Vidar malware will begin its scan based on how its profile was configured. It has the ability to steal credit card numbers and content from Bitcoin wallets as well as other credentials. The information and content are then sent back to the C&C server by using an unencrypted HTTP POST request. GandCrab then encrypts files and places a ransom note on the system’s wallpaper.
Analyst Notes
Users must always be careful when using an unfamiliar webpage. Do not click on anything that looks suspicious. If this does happen to users and information is compromised, they should contact the appropriate agencies to help prevent further damage from being done.
