New Malvertising Campaign Delivers Vidar Stealer Plus Ransomware

Malwarebytes Labs has uncovered a new malvertising campaign in the wild that delivers a one-two punch: the Vidar data stealer and GrandCrab ransomware.

A new malvertising campaign spotted in the wild is delivering a malicious one-two punch to victims: The first is the data stealer Vidar and the second is the GrandCrab ransomware strain, according to a recent report.
Researchers at Malwarebytes Labs first took notice of the malvertising campaign and published their findings in a
January 4 blog post
. Its not clear who is behind this particular attack or how widespread it is right now, but the report noted that the threat actors are essentially using off-the-shelf tools, including the Fallout exploit kit, which takes advantage of flaws in Adobe Flash and Microsoft Internet Explorer, to deliver these malicious payloads
This campaign has its origins in the advertising that usually accompanies torrent and streaming video. The person or group behind this particular campaign used this poorly regulated system to create a rogue advertising domain and redirect users to different exploit kits, including Fallout.
Its through these exploit kits that the one-two punch is delivered -- the stealer first followed by the ransomware.
How the malvertising campaign works

(Source:
Malwarebytes
)
At first, the researcher believed that the stealer being used was an older piece of malware called Arkei. However, further tests came up with Vidar, which has only been active since October 2018, but shares similarities with Arkei.
Vidar --
its name has origins in Norse mythology
-- is written in C++ and it highly customizable. It has the capability to swipe and steal personal data from any number of web browsers, including Tor. Additionally, it can steal cryptocurrency wallets, data from two-factor authentication software, instant messages and much more,
according to an independent analysis
.
On the Dark Web, the Vidar kit can be bought for as little as $700.
However, when the researcher traced the campaign back to the command-and-control (C&C) server, they noticed that the attackers had a second malicious payload ready to be delivered once the Vidar stealer started its work.
Vidar also offers to download additional malware via its command and control server, according to the Malwarebytes blog. This is known as the loader feature, and again, it can be configured within Vidars administration panel by adding a direct URL to the payload. However, not all instances of Vidar (tied to a profile ID) will download an additional payload. In that case, the server will send back a response of ok instead of a URL.
This then leads to the second part of the attack, GrandCrab, which is what some security researchers refer to as ransomware-as-service, as it relies on third-parties to help spread it. (See
Kraken Cryptor Update Points to Rise of Ransomware-as-a-Service
.)
GrandCrab ransom email
(Source:
Malwarebytes
)
Unlike other ransomware, GrandCrab is frequently updated -- the current version is 5.0.4 -- which helps it evade security software. Malwarebytes recommends that businesses update and patch IE and Flash to avoid this particular campaign before the ransomware can be downloaded.
Related posts:
Sophisticated Malvertising Campaign Involves 10,000 WordPress Sites
Trend Micro Finds 89 Malicious Chrome Extensions Dispensing Malvertising
Ryuk Ransomware Tied to Printing Press & Cloud Service Provider Attacks
4 Global Cybersecurity Threats for 2019
— Scott Ferguson is the managing editor of Light Reading and the editor of
Security Now
. Follow him on Twitter
@sferguson_LR
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
New Malvertising Campaign Delivers Vidar Stealer Plus Ransomware