Cybercriminals have launched a cyber attack that secretly infiltrates systems with malware that steals data. Then ransomware is placed on the infected system. Malwarebytes researchers are writing about the attack.

The campaign uses exploits in Internet Explorer and Flash Player, which were delivered in the Fallout exploit kit. Malwarebytes states that the campaign is distributed through a malvertising campaign, which focuses on high-traffic torrent and streaming sites. The campaign sends users to two rogue payloads.

The first payload is Vidar, a relatively new form of malware that focuses on large amounts of information from victims. These include passwords, documents, Internet history, credit card details and screenshots. Vidar can also focus on virtual wallets containing cryptographic currency. The malware can be modified and has been spread by various cyber criminals in different campaigns.

Vidar is designed to work in secret. As a result, victims are not aware that their systems are infected. The attacker can steal the private information in a packet, which is sent to a command-and-control (C&C) server. This C&C server also acts as a downloader for other forms of malware. Researchers have seen that the server was also used to distribute GrandCrab-ransomware.

GrandCrab

GrandCrab is one of the most active families of ransomware currently used. It is regularly updated with new features to make it more powerful. It also makes it more difficult for security software to detect and analyse the ransomware.

In this case, GrandCrab version 5.04 is placed on a system about one minute after the first Vidar infection. The system is encrypted and a ransom request message appears. It asks for a payment in bitcoin or dash, in exchange for unlocking the files.

It is also possible that GrandCrab will be placed to ensure that victims do not discover the Vidar malware. Another possibility is to try to destroy the infected system.

To prevent users from falling victim to the campaign, Malwarebytes security researcher Jérôme Segura recommends keeping systems up-to-date. “We also recommend web protection and ad blockers to prevent you from being redirected to malicious payloads via malvertising.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.