Posted on January 8, 2019 at 4:28 PM
Two-Malware Collaboration Detected — Vidar and GandCrab Infecting Unpatched Systems
As many cybersecurity experts have predicted — the increase in number and severity of malware attacks that was noticed in the last several years is going at full speed in 2019 as well. The largest recent threat is actually coming from two pieces of malicious software that seem to be working together in the new campaign. The malware in question includes a data-stealing Trojan called Vidar and a ransomware GandCrab.
Vidar
Vidar is a relatively new type of malware which infects victims’ computers by exploiting Internet Explorer and Flash Point flaws, which were believed to be delivered in the Fallout exploit kit. According to researchers from Malwarebytes, the campaign involving this malware targets high-traffic streaming and torrenting websites, where it tends to redirect users towards two malicious payloads, with Vidar being one of them.
After infecting victims’ device, Vidar immediately starts collecting large amounts of data, including documents, browser history, passwords, credit card data, messages, and even screenshots and two-factor authentication data. Experts have stated that this particular malware can also target cryptocurrency wallets, as it is very customizable, and numerous hacking groups have already modified it and deployed it for their own purposes.
It is allegedly named after Víðarr the Silent, which is one of the gods from the Norse mythology. According to researchers, the name is quite appropriate, as this malware has highly advanced stealth capabilities. As such, it is difficult to detect, and most of its targets remain unaware of its presence for a long time. Meanwhile, Vidar continues to collect data and send it to a C&C server, operated by the hacker who sent it.
GandCrab
The second malicious payload that is troubling numerous internet users right now is GandCrab, which is believed to be working together with Vidar. Researchers believe that this might be the case due to the fact that GandCrab has been making a move on victim’s computers in mere seconds after the device gets infected by Vidar.
As ransomware, GandCrab can encrypt victims files, while the device gets hijacked, and it displays a note, notifying the victim that their computer has been hacked, and demanding payment in order to receive a decryption key.
GandCrab already has numerous versions, most of which can be decrypted by using a free online tool. This tool can help with versions 1, 4, 5, up to 5.02. However, the current version is v5.04, which cannot be decrypted without paying the ransom. Even if the victim decides not to pay the ransom, the hacker will still make a profit due to the fact that Vidar is functioning in the background, likely uninterrupted by the ransomware.
The collaboration of the two pieces of malware rewards hackers with a double reward (if the victim decides to pay), while their targets have to deal with twice the amount of malicious threats. Malwarebytes’ Jerome Segura has confirmed this, stating that the victims are not only robbed of their personal and financial data, but they also have to pay the ransom if they wish to recover any files on their device.
Segura also added that the best way to deal with the campaign is to ensure that the computer’s system is up to date, which will hopefully prevent an accidental infection. This can help due to the fact that the two malware tend to use vulnerabilities that are already well-known and patched. The only reason why they still work is that users have failed to download said patches. In addition, the researcher recommends updated web protection software, ad blockers, and similar tools that will prevent redirection to malicious sites.
