A recent investigation by Trend Micro indicates that the threat groups operating Redline and Vidar have started using the same methods to deliver ransomware as they do to distribute the info-stealers.
In one such specific case, victims initially received a piece of malware that stole information, and it was signed with Extended Validation (EV) code signing certificates. However, after some time, they also started getting ransomware through the same method.
In one such specific case, victims initially received a piece of malware that stole information, and it was signed with Extended Validation (EV) code signing certificates. However, after some time, they also started getting ransomware through the same method.
Diving into details
Between July and August, more than 30 samples signed with EV code certificates were found. These samples were linked to a type of info-stealing malware called TrojanSpy.Win32.VIDAR.SMA.
Each of these samples looked different from the others, making it harder to detect.
When it comes to RedLine and Vidar, researchers suspect the person who signed these EV certificates probably either owns the physical security token or has access to the computer that the security token is connected to.
At first, the victim received an info-stealer from multiple campaigns starting around July 10 this year. Subsequently, on August 9, they got hit with a ransomware attack.
The ransomware was ultimately deployed after they were deceived into downloading and opening a fake TripAdvisor complaint email attachment.
TTPs used
RedLine and Vidar operators employ well-known tactics to trick victims into running malicious files:
They craft spear-phishing emails with compelling language that urges recipients to take immediate action, often revolving around health and hotel-related matters.
They utilize double file extensions to deceive users. For instance, they make files appear as if they are PDFs or JPEGs when, in reality, they are EXE files that trigger the infection when opened.
In addition to the above, Redline and Vidar deploy LNK files that contain instructions to execute the malicious file, evading detection.
The bottom line
It's crucial to configure and update defense systems that block threats before they reach users. Experts advise organizations to adopt a proactive approach to thwart attacks early in the threat cycle. Besides, users must avoid downloading files from untrusted sources and should have multi-layered security systems for their devices and networks.
