I originally wrote this up as Nocturnal Stealer, but with the help of Fumik0_ I understood that this is Vidar. Thank you Fumik0_!!
Ref: Let’s dig into Vidar – An Arkei Copycat/Forked Stealer (In-depth analysis)
@malware_traffic posted about a new GlobeImposter sample, and Bleeping Computer posted an article as well.
https://www.bleepingcomputer.com/news/security/hookads-malvertising-installing-malware-via-the-fallout-exploit-kit/

> 2018-11-09 - Anyone want a sample of #GlobeImposter #ransomware? - It's still available at: hxxp://po0o0o0o[.]com/kr2.exe pic.twitter.com/9F8Ldt9BIg
> — Brad (@malware_traffic), November 9, 2018
We also encountered the new GlobeImposter in Japan, delivered through the HookAds campaign -> Fallout Exploit Kit.
The first malware is a loader.
The following points are very similar to Nocturnal Stealer, but this is Vidar.
- It creates these files:
- Contents of information.txt:
Other gathered items:
Nocturnal Stealer (Vidar) then downloaded the next-stage malware.
This GlobeImposter is almost the same as the earlier samples.
The encrypted file extension changed to ".pptx".
Ransom note (READ_ME.txt):
- Fallout EK pushes Nocturnal Stealer (Vidar)
- The information stolen by Nocturnal Stealer (Vidar) has changed.
- Nocturnal Stealer (Vidar) downloads the new GlobeImposter
- There were changes in the encrypted file extension, the threatening text of the ransom note, and the payment page.