How To Remove Vidar/GandCrab

Vidar is a relatively new keylogging, data-stealing malware campaign. It is generally distributed through malicious advertisements (malvertising), a common hacking technique, on less-than-reputable sites such as BitTorrent or free video streaming sites. These malvertisements redirect their victims to exploit kits such as Fallout and GrandSoft, which in turn infect your machine with various malevolent payloads such as Vidar.

How it works

Vidar is sold or rented as a service to the blackhats. For the low price of $700 they are able to utilize Vidar’s distribution system to spread their own malware. They can even customize it to steal a variety of your sensitive data such as browser history, website logins, credit card numbers, and cryptocurrency wallets.

One of the more common payloads is the ransomware called GandCrab. Ransomware is exactly what it sounds like – it encrypts your files and demands payment in order to decrypt them. SUPERAntiSpyware detects many variants of the GandCrab ransomware. Our researchers are hard at work daily to detect more variants and help combat this threat.

Unfortunately once your system becomes infected with ransomware like GandCrab, there are few options for you. You can either pay the ransom and hope they unlock your files, or you may get lucky and find that a decryptor has been created. Currently there are decryptors for some versions of GandCrab (V1, V4, and V5). It is worth noting that these decryptors, while definitely helpful, do not always work perfectly for all encrypted files. The final option is less appealing – wipe your system and reinstall Windows. The upside is that you should be able to use your computer again without paying. The downside is that you will have lost all your documents.

Our suggestion to protect yourself from ransomware is relatively simple: Back up your files. Being able to restore your important documents from a cloud or local backup is the best way to thwart a ransomware attack. Keeping your system up to date with software patches is also something we recommend to help protect yourself.

Who is affected

Due to the way it is distributed, Vidar does not target individuals or businesses directly. It relies on people clicking on their malicious advertisements. In general, you should avoid clicking ads online, no matter how enticing. Something interesting about GandCrab is that it has been known to check if you have a Russian keyboard layout, and if so it terminates its execution immediately.

Indicators of compromise

Vidar itself is very stealthy, doing its data thievery quickly and silently in the background. It’s very likely that you won’t even know that Vidar has hit you until it drops its payload. Vidar drops some text files onto your system into ProgramData\(random string)\ and ProgramData\(random string)\files\. These files contain passwords and other information that Vidar has stolen. There may also be a zipped file containing copies of these text files.

The most common malware delivered by Vidar has been GandCrab ransomware. Within a minute or so, GandCrab will change your Windows background to something similar to this:

There will be an HTML or text file called (random)-DECRYPT dropped into every folder where files have been encrypted by GandCrab, containing instructions on how to pay the ransom to get your documents back. You will also notice that the encrypted files will have their extension changed to something random instead of the correct extension:

Here is a list of file types that may be targeted for encryption by GandCrab:

.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt
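The filesystem indicators described above (Vidar's text-file drop folders under ProgramData, and GandCrab's per-folder ransom note beside files whose extension has been replaced) can be checked with a small triage script. The following is an added example, not code from SUPERAntiSpyware or from the original post: the sample drive layout is constructed, the "ProgramData\<random>\files\ containing .txt files" rule is a heuristic taken from the paths described above, and the known-extension set is a subset of the list above.

```python
import tempfile
from pathlib import Path

# Subset of the extension list above; a file beside a ransom note whose extension is
# NOT in this set is reported as a probable renamed (encrypted) original.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".txt",
                    ".sql", ".zip", ".pst", ".csv", ".html"}


def find_vidar_drop_dirs(program_data: Path) -> list[Path]:
    """Heuristic from the text above: Vidar writes stolen data as .txt files under
    ProgramData\\<random>\\ and ProgramData\\<random>\\files\\ (optionally zipped).
    Report every ProgramData subfolder that has a 'files' subfolder holding .txt files."""
    hits = []
    if not program_data.is_dir():
        return hits
    for sub in program_data.iterdir():
        files_dir = sub / "files"
        if not (sub.is_dir() and files_dir.is_dir()):
            continue
        if any(p.is_file() and p.suffix.lower() == ".txt" for p in files_dir.iterdir()):
            hits.append(sub)
    return sorted(hits)


def find_ransom_notes(root: Path) -> list[Path]:
    """GandCrab drops an HTML or text file named <random>-DECRYPT in each encrypted folder."""
    return sorted(p for p in root.rglob("*-DECRYPT.*")
                  if p.is_file() and p.suffix.lower() in (".txt", ".html"))


def probable_encrypted_files(note: Path) -> list[Path]:
    """Files beside a ransom note whose extension is not a known one (the note excluded)."""
    return sorted(p for p in note.parent.iterdir()
                  if p.is_file() and p != note and p.suffix.lower() not in KNOWN_EXTENSIONS)


def triage(root: Path) -> dict:
    """Run all checks under `root` (a mounted image or the system drive) and return a
    summary; `root / 'ProgramData'` corresponds to C:\\ProgramData on a Windows drive."""
    notes = find_ransom_notes(root)
    encrypted = [f for n in notes for f in probable_encrypted_files(n)]
    return {
        "vidar_drop_dirs": find_vidar_drop_dirs(root / "ProgramData"),
        "ransom_notes": notes,
        "probable_encrypted_files": encrypted,
    }


def build_sample_tree() -> Path:
    """Constructed sample drive layout (not a real infection) so the script runs offline."""
    root = Path(tempfile.mkdtemp(prefix="triage-sample-"))
    drop = root / "ProgramData" / "a8f3k2" / "files"     # random-looking folder name, made up
    drop.mkdir(parents=True)
    (drop / "passwords.txt").write_text("constructed sample\n")
    (root / "ProgramData" / "Microsoft").mkdir()          # benign folder, no 'files' subdir
    docs = root / "Users" / "admin" / "Documents"
    docs.mkdir(parents=True)
    (docs / "report.docx.kxrtb").write_bytes(b"\x00" * 16)  # made-up appended extension
    (docs / "budget.xlsx.kxrtb").write_bytes(b"\x00" * 16)
    (docs / "KXRTB-DECRYPT.txt").write_text("constructed ransom note\n")
    clean = root / "Users" / "admin" / "Pictures"
    clean.mkdir()
    (clean / "holiday.jpg").write_bytes(b"\xff\xd8")        # untouched folder, no note
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    for key, paths in result.items():
        print(f"{key}: {[str(p) for p in paths]}")
```

Run it against a drive mounted from a rescue environment rather than from the infected session, so the ransomware itself is not running while you enumerate files; the extension heuristic only tells you which folders to look at, it does not identify the GandCrab version.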

What you can do

SUPERAntiSpyware detects many variants of Vidar; however, new versions are being created all the time, so make sure to always update to the latest database version. Also, upgrading to Real-Time protection will dramatically increase your level of protection from this threat.

Installing an ad blocker on your computer can help stop Vidar at its source; however, one of the best practices is to refrain from clicking on any advertisements online.

If your files have been encrypted by GandCrab, you may still be able to decrypt them. Various companies and individuals create ransomware decryptors and release them on the internet. These decryptors are specifically designed to unlock files that were encrypted with a particular version of ransomware, so make sure to note the version of GandCrab when looking for a decryptor – the version we were infected with was 5.0.4. No More Ransom is a repository of most of the decryptors available and is always being updated.

If you are not able to find a decryptor that works, SUPERAntiSpyware suggests that you do not pay the ransom. There is no guarantee that the blackhats will unlock your files once they receive your payment. In 2018 it was reported that paying the ransom actually gets your files decrypted less than 50% of the time. If your data is extremely crucial, we suggest you contact a company who specializes in data recovery services.

How To Remove Vidar/GandCrab

  1. Using an uninfected system, search the internet for a decryptor for your particular version of GandCrab and copy it to a USB drive – I would suggest starting with No More Ransom
  2. Restart the infected computer in Safe Mode with Networking
  3. Insert the USB drive with the decryptor, copy it to the desktop, then eject and remove the drive
  4. Run the decryptor
  5. Assuming the decryptor is successful, update your SUPERAntiSpyware to the latest database version and run a complete scan to remove any traces of Vidar from your system
  6. If the decryptor does not work, you can take your computer to a data recovery expert

How to remove Hancitor

Hancitor, also known as Chanitor, is known for dropping its payloads rather than downloading them post-infection, as well as for a unique phishing approach to trick users into downloading and activating Microsoft Word documents with malicious macros.

How it works

Hancitor uses a new template that attempts to fool the user into believing that it is a FedEx tracking number. There is no attachment, however; instead, the tracking number link directs the user to the sjkfishfinders[.]com domain and then downloads the Word document. Once downloaded, the Word file attempts to trick the user into allowing macros, which would trigger code residing inside the file. An example can be seen below:

The lack of an attachment, often seen as a red flag by many users, may lure the user into a false sense of security. It is important to be careful about which links you click: on most modern web browsers, hovering your mouse pointer over the link will tell you where the link will lead to. If you do not know the address, then it is safer to avoid following the link.
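The hover check described above (the visible link text versus the address the link actually leads to) can be automated for an HTML mail body. The following is an added example, not code from SUPERAntiSpyware or from the original post: the sample message is constructed to resemble the FedEx-themed lure described above, and the expected-host set is something the analyst supplies for the brand the message claims to come from.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML mail body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url_or_text: str) -> str:
    """Host name of a URL; display text without a scheme is tried as 'http://<text>'."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def belongs_to(host: str, expected: set[str]) -> bool:
    """True when host is one of the expected domains or a subdomain of one."""
    return any(host == e or host.endswith("." + e) for e in expected)


def suspicious_links(html: str, expected_hosts: set[str]) -> list[dict]:
    """Flag links whose real destination does not belong to the brand the mail claims,
    and links whose visible text names a different host than the href points to."""
    parser = LinkCollector()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        real = host_of(href)
        reasons = []
        if not belongs_to(real, expected_hosts):
            reasons.append("destination host not in expected set")
        # Only treat the display text as a host/URL when it looks like one.
        shown = host_of(text) if ("." in text and " " not in text) else ""
        if shown and shown != real:
            reasons.append(f"display text names {shown}")
        if reasons:
            out.append({"text": text, "destination": real, "reasons": reasons})
    return out


# Constructed sample resembling the FedEx-themed lure described above (not a real email).
SAMPLE_MAIL = """
<p>Your FedEx parcel could not be delivered.</p>
<p>Tracking number: <a href="http://sjkfishfinders.com/track/7743">7743 2201 8890</a></p>
<p>Manage delivery: <a href="http://sjkfishfinders.com/manage">www.fedex.com/manage</a></p>
<p><a href="https://www.fedex.com/">www.fedex.com</a></p>
"""


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_MAIL, {"fedex.com"}):
        print(finding)
```

The first link is flagged because the "tracking number" leads to a host unrelated to the claimed sender; the second is flagged twice, because its destination is wrong and its visible text pretends to be a fedex.com address; the genuine fedex.com link passes.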

When a user enables the macro, the application is not downloaded from the internet; instead it is extracted from inside the document and dropped in the hidden folder \AppData\Local. Before finishing, the script launches the command cmd.exe /c ping localhost -n 100 && C:\Users\admin\AppData\Local\Temp\6.pif. Ping is used to delay the attack and avoid automatic detection, waiting for approximately 100 seconds before running the dropped application 6.pif. 6.pif then reaches out to a C&C server before downloading new malware or running commands.

In addition to 6.pif, another file is dropped at C:\Users\admin\AppData\Local\Temp\6fsdFfa.com. This executable is a banker. Immediately after being run, it reaches out to api.ipify.org, which returns the victim’s public IP address. It then attempts to submit several unique values and the IP address in plain text to a list of infected servers. If the infected servers reply back indicating that they are available to receive the data, the program will begin compiling all the usernames and passwords it can obtain and submit them to the server.

Other templates have been used by Hancitor in the past, including but not limited to: divorce papers, parking tickets, and FTC claims. As always, it's important to have Microsoft Office macros disabled unless required by your job.

Who is affected?

Anyone with an email address can become a target of this spam campaign. While it does not use victims’ email addresses like Emotet does, Hancitor’s unique templates are meant to catch even savvy users off guard, regardless of whether the email is used for work or is a personal email.

Indicators of Compromise

  1. cmd.exe /c ping localhost -n 100 && C:\Users\admin\AppData\Local\Temp\6.pif
  2. sha256: 76b96c8d796cfcebff34d42e65e5a4ab2770fda42ea3c259097ee068660dfcc2
  3. md5: 4d4e366b0813148f12fa1a2638c43f72
  4. C:\Users\admin\AppData\Local\Temp\6fsdFfa.com
  5. Felighevengna[.]com
  6. api.ipify.org
  7. verrestofred[.]ru
  8. 81.171.7.39
  9. 54.204.36.156
  10. 95.169.184.23
  11. felighevengna.com/4/forum[.]php
  12. verrestofred.ru/4/forum[.]php
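The indicators above can be turned into a simple log scanner: refang the "[.]" notation, match each indicator against endpoint or proxy log lines, and additionally look for the generic shape of the ping-based delayed launch described under "How it works" (cmd.exe /c ping <host> -n <count> && <program>), which catches the technique even when the dropped file name differs. This is an added example, not code from SUPERAntiSpyware or from the original post: the log format and sample lines are constructed, and api.ipify.org is a legitimate IP-lookup service, so a hit on it alone is only a weak signal.

```python
import re

# Indicators copied from the list above, kept in their defanged ("[.]") form.
DEFANGED_IOCS = [
    r"C:\Users\admin\AppData\Local\Temp\6.pif",
    "76b96c8d796cfcebff34d42e65e5a4ab2770fda42ea3c259097ee068660dfcc2",  # sha256
    "4d4e366b0813148f12fa1a2638c43f72",                                  # md5
    r"C:\Users\admin\AppData\Local\Temp\6fsdFfa.com",
    "Felighevengna[.]com",
    "api.ipify.org",        # legitimate IP-lookup service: weak indicator on its own
    "verrestofred[.]ru",
    "81.171.7.39",
    "54.204.36.156",
    "95.169.184.23",
    "felighevengna.com/4/forum[.]php",
    "verrestofred.ru/4/forum[.]php",
]


def refang(ioc: str) -> str:
    """Turn the defanged notation back into the form that appears in logs (case-folded)."""
    return ioc.replace("[.]", ".").lower()


IOCS = [refang(i) for i in DEFANGED_IOCS]

# Generic form of the delayed-launch command above: "cmd.exe /c ping <host> -n <count> && <program>".
# The repeat count approximates the delay in seconds before <program> starts.
PING_DELAY = re.compile(r"cmd\.exe\s+/c\s+ping\s+\S+\s+-n\s+(\d+)\s*&&\s*(\S+)", re.IGNORECASE)


def scan_line(line: str) -> list[str]:
    """Return the findings for one log line: exact IoC hits plus the ping-delay pattern."""
    findings = []
    low = line.lower()
    for ioc in IOCS:
        if ioc in low:
            findings.append(f"ioc:{ioc}")
    m = PING_DELAY.search(line)
    if m:
        findings.append(f"ping-delay:{m.group(1)}s->{m.group(2).strip(chr(34))}")
    return findings


def scan_log(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (1-based line number, findings) for every line that produced a finding."""
    return [(i, f) for i, line in enumerate(lines, 1) if (f := scan_line(line))]


# Constructed sample lines in a made-up endpoint log format (not real telemetry).
SAMPLE_LOG = [
    r"10:01:12 ProcessCreate Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c ping localhost -n 100 && C:\Users\admin\AppData\Local\Temp\6.pif",
    "10:02:55 DnsQuery QueryName=api.ipify.org",
    "10:02:56 NetworkConnect DestinationIp=81.171.7.39 DestinationPort=80",
    "10:03:01 HttpRequest Method=POST Url=http://felighevengna.com/4/forum.php",
    r"10:03:05 FileCreate TargetFilename=C:\Users\admin\Downloads\invoice.pdf",
]


if __name__ == "__main__":
    for lineno, findings in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(findings)}")
```

Substring matching means the bare domain indicator also fires on the full forum.php URL, which is intended: the domain hit tells you the host was contacted at all, the URL hit tells you the check-in path was used.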

What you can do

If you or someone you know is infected with Hancitor malware, download SUPERAntiSpyware Professional right now and get a 14-day free trial, no credit card required. SUPERAntiSpyware is easy to install and will detect and remove Hancitor from any Windows computer.

If you are a computer technician, you may like to try our SUPERAntiSpyware Tech Edition solution, now free for the next 30 days. Use Tech04 as the Tech ID. Click here: https://www.superantispyware.com/technician-download.html

How To Remove Hancitor

  1. Restart the infected computer in safe mode without networking.
  2. Search through the items in the Indicators of Compromise section above and investigate any files/folders you do not recognize. You can run the file through SUPERAntiSpyware or online through VirusTotal.com to confirm that it is malware.
  3. Delete files and folders that have been confirmed as malware.
  4. Repeat steps 1-3 on all other machines in the network.
  5. Restore all infected computers to normal mode only after confirming the infection is removed.

Definitions

Attack Vector: The way an attacker gains access to a target. The most common are malicious emails, but many more exist and new ones are discovered all the time.

Backdoor: A bypass that allows a malicious user to connect to the target machine without the target's permission. These can take the form of default usernames and passwords baked into the machine, or a malicious download that opened a connection for the malicious user.

Black hat: A term for a hacker who hacks for personal gain. It comes from old western movies, where the good guy wore a white hat and the bad guys wore black hats.

Banker: A malicious file that attempts to steal bank information from the user.

Command and Control (C&C): Code under an attacker's control that listens for messages from the malware and replies with commands for it to execute. For example, a piece of malware infects a Windows computer and detects that the user uses Chrome but not Firefox. It messages its C&C asking what it should do, and the C&C decides that it should run only the Chrome information-stealer command rather than all of its commands. Afterwards, the malware sends the information it gathered back to the C&C server.

Domain squatting/cybersquatting: Holding or "squatting" on a misspelled or visually similar web address to trick victims into visiting and trusting the site.

Downloader: Software that maliciously downloads another file from the internet and then executes it.

Dropper: Software that carries a malicious file inside itself, which is extracted and then run.

Keylogger: A piece of software designed to record every key pressed on your keyboard, mostly used to steal your usernames and passwords.

Mal-Spam (malicious spam): A technique where attackers send out emails pretending to be something you would expect to receive. This is a very common attack.

Phishing: A fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising as a trustworthy entity. Normally done over email or instant messaging.

Ransomware: A type of malware which encrypts your files, effectively holding your documents hostage until you pay to get them unlocked.

Rootkit: A type of malware that abuses the operating system's trust in certain key, often low-level, components in order to gain persistence and become harder to remove.

Supply Chain Attack: An attack vector in which attackers gain access to trusted software and inject their own code into it, allowing them to bypass many security checks.