Cyber criminals are targeting victims with a two-pronged attack that secretly infiltrates systems with data-stealing malware, before dropping ransomware onto the infected system.
The campaign is distributed through what researchers at Malwarebytes describe as a 'prolific' malvertising campaign that targets high-traffic torrent and streaming sites and redirects visitors to the Fallout exploit kit, which uses Internet Explorer and Flash Player exploits to deliver two malicious payloads.
The first is Vidar, a relatively new form of malware that steals a wide range of victims' information -- passwords, documents, screenshots, browser histories, messaging data, credit card details, and even data stored in two-factor authentication software.
Vidar can also target virtual wallets storing Bitcoin and other cryptocurrencies -- the malware is highly customisable and has been distributed by several threat groups in different campaigns. It appears to be named after the Norse god Víðarr the Silent -- a name the authors may have chosen to reflect its stealthy capabilities.
Like other data-stealers, Vidar is designed to operate secretly, leaving victims unaware that their systems have been compromised, while the attacker makes off with private information that's packaged up and sent to a command-and-control (C&C) server.
But that isn't the end of the attack, as Vidar's C&C server also operates as a downloader for additional forms of malware; researchers have spotted it being used to distribute GandCrab ransomware.
GandCrab is one of the most active families of file-encrypting malware currently in operation: it is regularly updated with new features designed to make it more potent, and harder for security software to detect and analyse.
In this case, GandCrab version 5.04 is dropped onto the system about a minute after the initial Vidar infection. Files on the system are then encrypted and a ransom note is displayed, demanding payment in either Bitcoin or Dash in exchange for recovering the files.
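The chain described above (a browser exploited by the exploit kit, a stealer that beacons to its C&C, a second stage fetched from that server, and encryption roughly a minute later) is the kind of sequence endpoint telemetry can correlate rather than treating each step alone. The following Python script is an added example, not code from the article or from Malwarebytes: it runs a simple behavioural rule over a constructed, pipe-delimited event log (the hostnames, process names, PIDs, paths and 203.0.113.x addresses are all made up) and flags a browser-spawned process that connects outbound and whose own child then touches many files within a short window of that connection.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Parent images that indicate a drive-by origin (a process spawned directly by a browser).
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe"}


@dataclass
class Event:
    ts: datetime
    host: str
    pid: int
    ppid: int
    image: str
    kind: str     # "process", "netconn" or "filewrite"
    detail: str   # remote endpoint for netconn, path for filewrite


def parse_line(line: str) -> Event:
    """Parse one pipe-delimited telemetry record (a constructed format, not a real EDR schema)."""
    ts, host, pid, ppid, image, kind, detail = line.split("|", 6)
    return Event(datetime.fromisoformat(ts), host, int(pid), int(ppid), image, kind, detail)


def constructed_log() -> list:
    """Hypothetical telemetry: ws01 shows the stealer-then-ransomware chain, ws02 is benign noise."""
    lines = [
        "2019-01-04T10:00:00|ws01|100|1|iexplore.exe|process|started",
        "2019-01-04T10:00:05|ws01|200|100|dropper.exe|process|started",          # stage 1, spawned by IE
        "2019-01-04T10:00:07|ws01|200|100|dropper.exe|netconn|203.0.113.10:80",  # beacon to C&C
        "2019-01-04T10:00:09|ws01|200|100|dropper.exe|filewrite|C:\\Users\\u\\AppData\\Local\\Temp\\stage2.exe",
        "2019-01-04T10:01:05|ws01|300|200|stage2.exe|process|started",           # stage 2, about a minute later
        "2019-01-04T10:00:00|ws02|100|1|chrome.exe|process|started",
        "2019-01-04T10:00:05|ws02|210|100|updater.exe|process|started",          # benign browser updater
        "2019-01-04T10:00:06|ws02|210|100|updater.exe|netconn|203.0.113.20:443",
        "2019-01-04T10:00:08|ws02|210|100|updater.exe|filewrite|C:\\Program Files\\app\\app.exe",
    ]
    base = datetime(2019, 1, 4, 10, 1, 6)
    for i in range(25):  # stage 2 rewrites user documents in quick succession
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts}|ws01|300|200|stage2.exe|filewrite|C:\\Users\\u\\Documents\\file{i}.docx")
    return lines


def correlate(events, window=timedelta(seconds=120), min_files=20) -> list:
    """Flag: browser -> child that connects out -> grandchild that writes >= min_files distinct
    files within `window` of the child's first outbound connection."""
    starts = {}                    # (host, pid) -> process start event
    by_proc = defaultdict(list)    # (host, pid) -> every event for that process
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "process":
            starts[(e.host, e.pid)] = e
        by_proc[(e.host, e.pid)].append(e)

    findings = []
    for key, stage1 in starts.items():
        parent = starts.get((stage1.host, stage1.ppid))
        if parent is None or parent.image.lower() not in BROWSERS:
            continue  # stage 1 must have been spawned by a browser
        beacons = [e for e in by_proc[key] if e.kind == "netconn"]
        if not beacons:
            continue  # no outbound connection, so nothing could have been fetched
        first_beacon = beacons[0].ts
        for ckey, child in starts.items():
            if (child.host, child.ppid) != key or child.ts < first_beacon:
                continue  # only children of stage 1 started after it called out
            touched = {e.detail for e in by_proc[ckey]
                       if e.kind == "filewrite" and e.ts - first_beacon <= window}
            if len(touched) >= min_files:
                findings.append({
                    "host": stage1.host,
                    "stage1": stage1.image,
                    "c2": beacons[0].detail,
                    "stage2": child.image,
                    "seconds_from_beacon": int((child.ts - first_beacon).total_seconds()),
                    "files": len(touched),
                })
    return findings


def run(lines=None) -> list:
    """Parse the log (the constructed sample by default) and return the correlated findings."""
    return correlate([parse_line(l) for l in (lines or constructed_log())])


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

The rule keys on the relationship between the three processes and the timing between the beacon and the burst of file writes, not on any file name or hash, so it still fires when the stealer or the ransomware is repacked; tuning `window` and `min_files` against normal installer and updater activity on your own fleet is what keeps it from flagging the benign `ws02` pattern.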
While it is a moneymaking operation in its own right, GandCrab may also be delivered to victims in an effort to stop them uncovering the initial Vidar information-stealer payload, or worse -- as an outright attempt to destroy the infected system.
"It could be, for instance, a simple decoy where the real goal is to irreversibly corrupt systems without any way to recover lost data. But as we see here, it can be coupled with other threats and used as a last payload when other resources have already been exhausted," said Jérôme Segura, security researcher and head of investigations at Malwarebytes.
"As a result, victims get a double whammy. Not only are they robbed of their financial and personal information, but they are also being extorted to recover the now encrypted data," he added.
To avoid falling victim to this campaign, Segura told ZDNet: "Keeping your systems up to date ensures that you will not be infected via drive-by downloads that use already patched vulnerabilities. We also recommend web protection and ad blockers to prevent malicious redirections triggered from malvertising."