Quote:Jerome Segura, head of investigations at Malwarebytes Labs, has tracked the campaign, which uses the Fallout and GrandSoft exploit kits to first install Vidar and then a secondary payload containing GandCrab.

The first step has the attackers using a rogue advertising domain to redirect victims to one of the two EKs, depending upon their location, with Fallout being the primary EK used. The next step is to install Vidar, which can be found for sale at around $700. Segura described Vidar as extremely flexible capable of stealing a wide range of content including a large number of digital wallets browser histories and instant messages. In each case, the user sets the parameters for what the malware will remove from the target.

All of the info is stored in a .zip folder and sent to the command and control server and this sets the stage for the second payload which starts within about one minute of the initial download.

“Vidar also offers to download additional malware via its command and control server. This is known as the loader feature, and again, it can be configured within Vidar’s administration panel by adding a direct URL to the payload,” Segura said.

Once installed GandCrab will encrypt the device’s files and replace the computer’s wallpaper with the ransom note.