Security researchers have warned users of P2P sites of a new malvertising campaign featuring a twin threat: info-stealing malware and ransomware.
By registering rogue advertising domains, the attackers are able to direct torrent site visitors to two different exploit kits: Fallout EK and GrandSoft EK, according to Malwarebytes.
Those unlucky enough to be routed, based on their geolocation, to the Fallout EK will then encounter Vidar, an info-stealer sold on the cybercrime underground for $700, according to the vendor’s security researcher, Jérôme Segura.
The malware collects system and victim details from the machine, including hardware specs, running processes, IP address and ISP, as well as more sensitive personal and financial information.
“Vidar customers can customize the stealer via profiles, which gives them a way to adjust which kind of data they are interested in,” said Segura. “Beyond the usual credit card numbers and other passwords stored in applications, Vidar can also scrape an impressive selection of digital wallets.”
Vidar also serves as a loader for second-stage malware to improve the attackers’ chances of monetizing their raid, in this case GandCrab 5.04 ransomware.
“Threat actors can use ransomware for a variety of reasons within their playbook. It could be, for instance, a simple decoy where the real goal is to irreversibly corrupt systems without any way to recover lost data. But as we see here, it can be coupled with other threats and used as a last payload when other resources have already been exhausted,” explained Segura.
“As a result, victims get a double whammy. Not only are they robbed of their financial and personal information, but they are also being extorted to recover the now encrypted data.”
Although many reports suggest that attackers are increasingly turning their attention away from ransomware and towards cryptomining malware, ransomware will continue to be a top threat for firms for several years to come, according to Europol.