Tuesday, November 13, 2018

HookAds->FalloutEK pushes Vidar, And new GlobeImposter

Update: 2019-01-14
I originally wrote this up as Nocturnal Stealer, but with the help of Fumik0_ I understood that it is actually Vidar. Thank you Fumik0_!!

Ref: Let’s dig into Vidar – An Arkei Copycat/Forked Stealer (In-depth analysis)

---

@malware_traffic posted about a new GlobeImposter sample, and Bleeping Computer published an article as well.
https://www.bleepingcomputer.com/news/security/hookads-malvertising-installing-malware-via-the-fallout-exploit-kit/

We also encountered the new GlobeImposter via the HookAds campaign -> Fallout Exploit Kit in Japan.

https://app.any.run/tasks/7bbfdafe-4fee-4f26-8c3b-01d975868c02

Vidar


The first payload is a loader.
The following points are very similar to Nocturnal Stealer, but this is Vidar.

  • Creates these files:
    • C:\ProgramData\BEJ9QK4EIV6EK30NDC91\files\passwords.txt
    • C:\ProgramData\BEJ9QK4EIV6EK30NDC91\files\infomation.txt
  • Contents of infomation.txt
These are similar to the information in Proofpoint's blog.

Other gathered items:

GlobeImposter

Nocturnal Stealer downloaded the next-stage malware.
GlobeImposter is almost the same as the previous version.
The encrypted file extension changed to ".pptx".



Ransom Note [READ_ME.txt]



Payment Page
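As an added example that is not part of the original post, here is a small host triage script in the defender's direction for the two artefact sets above: the Vidar output files under C:\ProgramData\<ID>\files\ and the GlobeImposter ".pptx" extension plus READ_ME.txt note. The 20-character uppercase alphanumeric directory pattern is an assumption generalized from the single ID on this page; the sample tree it builds is constructed, not real malware output.

```python
import re
from pathlib import Path

# Vidar output seen in the post: C:\ProgramData\BEJ9QK4EIV6EK30NDC91\files\{passwords,infomation}.txt
# Assumption: the profile directory name is always 20 uppercase alphanumerics (one sample observed).
VIDAR_DIR_RE = re.compile(r"^[A-Z0-9]{20}$")
VIDAR_FILES = {"passwords.txt", "infomation.txt"}   # "infomation" is the malware's own spelling
RANSOM_NOTE = "READ_ME.txt"                          # GlobeImposter note name from the post
ZIP_MAGIC = b"PK\x03\x04"                            # a genuine .pptx is an OOXML zip container

def find_vidar_dirs(programdata):
    """Return <ProgramData>/<ID>/files directories that hold Vidar's dropped text files."""
    hits = []
    for entry in Path(programdata).iterdir():
        files_dir = entry / "files"
        if VIDAR_DIR_RE.match(entry.name) and files_dir.is_dir():
            if VIDAR_FILES & {p.name for p in files_dir.iterdir()}:
                hits.append(files_dir)
    return hits

def find_fake_pptx(root):
    """Flag .pptx files that are not zip containers: GlobeImposter appends .pptx to ciphertext."""
    return [p for p in Path(root).rglob("*.pptx") if p.read_bytes()[:4] != ZIP_MAGIC]

def triage(base):
    """Run the checks against a mounted image or mirrored tree rooted at <base>."""
    base = Path(base)
    return {
        "vidar_dirs": sorted(find_vidar_dirs(base / "ProgramData")),
        "fake_pptx": sorted(find_fake_pptx(base / "Users")),
        "ransom_notes": sorted((base / "Users").rglob(RANSOM_NOTE)),
    }

def build_sample(base):
    """Constructed sample tree (not real malware output) so the checks can be dry-run offline."""
    base = Path(base)
    vidar = base / "ProgramData" / "BEJ9QK4EIV6EK30NDC91" / "files"
    vidar.mkdir(parents=True)
    (vidar / "passwords.txt").write_text("constructed placeholder\n")
    (vidar / "infomation.txt").write_text("constructed placeholder\n")
    docs = base / "Users" / "victim" / "Documents"
    docs.mkdir(parents=True)
    (docs / "report.docx.pptx").write_bytes(b"\x8f\x11\xa3" * 16)   # fake ciphertext, no PK header
    (docs / "slides.pptx").write_bytes(ZIP_MAGIC + b"\x14\x00")     # looks like a real OOXML file
    (docs / RANSOM_NOTE).write_text("constructed note\n")
    return base
```

The zip-magic check keeps legitimate PowerPoint files out of the hit list, which a bare extension match would not.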

Conclusion

  • Fallout EK pushes Nocturnal Stealer
  • The information stolen by Nocturnal Stealer has changed.
  • Nocturnal Stealer downloads the new GlobeImposter
  • There were changes to the extension, the ransom note text, and the payment page.
