Researchers at Malwarebytes have reported on a new malware campaign that uses a new variant of Arkei malware, which they’ve named Vidar. The campaign, which they tracked for several weeks, begins with malicious advertising (malvertising) and results in the installation of information stealing malware, which then installs GandCrab ransomware.
The information stealing malware most commonly installed by this campaign was AZORult; however, the researchers focused on a new variant of the Arkei malware, which has been dubbed Vidar because of a string found in the sample. The name Vidar is the anglicized version of the name of a god from Norse mythology, a son of Odin also known as “the silent one.” The name seems appropriate given that the malware functions as an information stealer. Vidar malware, sold on dark web sites for up to $700 for the Pro version, can be customized by attackers to extract specific data from infected systems.
This campaign is the latest in an increasingly common scenario where malware attackers carry out a “two-for-one” attack. In these situations, the first malware deployed is an information stealer, used to extract personal data (passwords, credit card details, digital wallets, etc.). Once the infected system has been pillaged of commoditized data, ransomware is then installed to give the attacker the potential for more profit.
In this case, malicious advertisements, most commonly displayed on sites associated with torrenting and illegal video streaming, redirect users to exploit kit sites. Exploit kits are the original fileless attack vector, here targeting vulnerabilities in Internet Explorer and Adobe Flash Player. Successful exploitation results in an infection by Vidar, which immediately searches the system for the data its configuration file instructed it to locate. Any data matching the configuration criteria is then combined with details of the infected system, zipped and sent to the configured command and control (C2) server. At this point, normally around one minute after initial infection, GandCrab ransomware is downloaded and executed, encrypting the user’s files.
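The timing of that chain (an archive uploaded to a C2 server, then an executable fetched roughly a minute later from the same client) is something a defender can correlate on. The following is an added example, not code from Malwarebytes or BluVector: a small Python correlator over constructed proxy log lines (every host, URL and timestamp is made up) that flags a client which uploads an archive and then downloads an executable within a two-minute window.

```python
"""Correlate the stealer-then-ransomware sequence over constructed proxy log lines.
All hosts, URLs and timestamps here are constructed for this example."""
from datetime import datetime, timedelta

# Constructed proxy records: timestamp client method url content-type bytes
SAMPLE_LOG = """\
2018-12-20T10:00:00Z 10.1.1.5 GET  http://stream-ads.example/banner.js text/javascript 2048
2018-12-20T10:00:07Z 10.1.1.5 GET  http://ek-landing.example/index.php text/html 30211
2018-12-20T10:00:31Z 10.1.1.5 POST http://c2-one.example/upload application/zip 184320
2018-12-20T10:01:25Z 10.1.1.5 GET  http://c2-two.example/payload.exe application/octet-stream 593920
2018-12-20T10:05:00Z 10.1.1.9 POST http://files.corp.example/backup application/zip 900000
2018-12-20T10:30:00Z 10.1.1.9 GET  http://updates.corp.example/agent.exe application/octet-stream 400000
"""

ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed", "application/x-7z-compressed"}
EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-dosexec"}
WINDOW = timedelta(seconds=120)  # the report puts the ransomware drop about a minute after exfil


def parse(log_text):
    """Parse the constructed format into dicts, skipping blank lines."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, ctype, size = line.split()
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
                        "method": method, "url": url, "ctype": ctype, "size": int(size)})
    return records


def find_stealer_then_dropper(records, window=WINDOW):
    """Return (client, upload_url, download_url, seconds_apart) for each archive upload
    followed within `window` by an executable download from the same client."""
    by_client = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        by_client.setdefault(r["client"], []).append(r)
    hits = []
    for client, events in by_client.items():
        for i, up in enumerate(events):
            if up["method"] != "POST" or up["ctype"] not in ARCHIVE_TYPES:
                continue
            for dl in events[i + 1:]:
                gap = dl["ts"] - up["ts"]
                if gap > window:
                    break  # events are time-sorted, so nothing later can match this upload
                if dl["method"] == "GET" and dl["ctype"] in EXECUTABLE_TYPES and dl["url"].lower().endswith(".exe"):
                    hits.append((client, up["url"], dl["url"], int(gap.total_seconds())))
    return hits
```

The second client (10.1.1.9) performs the same two actions 25 minutes apart and is not flagged, which is the point of the window: the signal is the short gap, not either request on its own.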
How Does It Propagate?
Neither malware sample contains the code necessary to self-propagate.
The infection chain in this attack highlights where good security practices can provide the first line of defense. Initially, a user is redirected by malicious advertisements, which are common on torrent and illegal video streaming sites. Users should be educated to avoid these activities at home, let alone on the corporate network. The redirection leads to exploit kit sites that attempt to exploit vulnerabilities in Internet Explorer and Adobe Flash Player. Successful exploitation results in a Vidar malware infection. This highlights the need for a timely patching process and the removal of obsolete software to reduce the potential attack surface.
When/How Did BluVector Detect It?
The two samples listed in Malwarebytes’ report were released into the wild in December 2018, and both are detected by BluVector’s patented Machine Learning Engine (MLE). Regression testing has shown the Vidar sample would have been detected 8 months prior to its release and the GandCrab ransomware sample a full 60 months prior.