Cryptowall: New Version of Ransomware

Monday, March 9, 2015 @ 02:03 PM gHale


New versions of the Cryptowall ransomware arriving in email inboxes may look innocuous, but they encrypt the files on an infected system and demand payment from the victim to restore access.

Cryptowall is a more advanced successor to Cryptolocker, a file-encrypting ransomware.

An email blast went out in February targeting users around the world, including the U.S., UK, the Netherlands, Denmark, Sweden, Slovakia and Australia, said researchers at Bitdefender Labs. Analysis of the campaign places the spam servers in Vietnam, India, Australia, the U.S., Romania and Spain.

“Interestingly, in this instance, hackers have resorted to a less fashionable yet highly effective trick to automatically execute malware on a victim’s machine and encrypt its contents – malicious .chm attachments,” said Catalin Cosoi, chief security strategist at Bitdefender.

.chm is the file extension of the Compiled HTML Help format, which software vendors commonly use to ship user manuals alongside their applications. CHM files are interactive and can embed a range of technologies, including JavaScript, so simply opening a CHM can redirect the user to an external URL.

“Attackers began exploiting CHM files to automatically run malicious payloads once the file is accessed,” Cosoi said.

The HTML files are compressed and delivered as a single binary with the .chm extension. The format bundles compressed HTML documents, images and JavaScript files together with a hyperlinked table of contents, an index and full-text search.

In this campaign the lure is a fake incoming-fax report email that claims to come from a machine in the recipient's own domain. Bitdefender Labs researchers believe the approach is meant to reach employees at many different organizations in order to gain a foothold inside company networks.

Once the content of the .chm archive is opened, the embedded code downloads the payload from http:// *********/putty.exe, saves it as %temp%\natmasla2.exe and runs it. A command prompt window opens while this happens.
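The two security-relevant points above, the CHM container format and the process chain that follows opening the lure, are both things a defender can check for. The Python below is an added example written for this page; it is not Bitdefender's tooling or code from the campaign. The first half identifies a CHM attachment by its ITSF header rather than its extension (a renamed .chm is still caught) and locates the ITSP directory header, without decompressing any content. The second half runs a simple ancestry rule over constructed process-creation events: a shell or a %TEMP% executable whose parent chain leads back to the Windows HTML Help viewer. The viewer name `hh.exe`, the event field names, the sample events and the sample header bytes are all assumptions made up for the example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CHM_MAGIC = b"ITSF"   # signature at offset 0 of every compiled HTML help file
DIR_MAGIC = b"ITSP"   # signature of the directory header the ITSF header points to


@dataclass
class ChmInfo:
    version: int
    header_len: int
    language_id: int
    dir_offset: int
    dir_len: int
    has_directory: bool


def parse_chm_header(data: bytes) -> Optional[ChmInfo]:
    """Return ChmInfo if data begins with an ITSF header, else None.

    Only the fixed header and the location of the ITSP directory are read; the
    LZX-compressed content sections are never decompressed, so this is cheap to
    run on untrusted attachments at a mail gateway.
    """
    if len(data) < 0x58 or data[:4] != CHM_MAGIC:
        return None
    version, header_len, _unknown, _timestamp, lang = struct.unpack_from("<IIIII", data, 4)
    # Two 16-byte GUIDs occupy 0x18..0x37; the header-section table (two
    # uint64 offset/length pairs) starts at 0x38. Section 1 is the directory.
    _s0_off, _s0_len, dir_off, dir_len = struct.unpack_from("<QQQQ", data, 0x38)
    has_dir = dir_off + 4 <= len(data) and data[dir_off:dir_off + 4] == DIR_MAGIC
    return ChmInfo(version, header_len, lang, dir_off, dir_len, has_dir)


def triage_attachment(filename: str, data: bytes) -> List[str]:
    """Findings for one mail attachment; CHM content is flagged regardless of extension."""
    findings = []
    info = parse_chm_header(data)
    is_chm_name = filename.lower().endswith(".chm")
    if is_chm_name and info is None:
        findings.append("extension .chm but no ITSF header")
    if info is not None:
        findings.append(f"compiled HTML help file (ITSF v{info.version}, lang 0x{info.language_id:04x})")
        if not is_chm_name:
            findings.append("CHM content hidden behind non-.chm extension")
        if not info.has_directory:
            findings.append("ITSP directory missing or truncated")
    return findings


def build_sample_chm() -> bytes:
    """Constructed minimal ITSF header plus an empty ITSP stub (test data, not a real help file)."""
    hdr = bytearray(0x60)                                        # version-3 header is 0x60 bytes
    hdr[0:4] = CHM_MAGIC
    struct.pack_into("<IIIII", hdr, 4, 3, 0x60, 1, 0, 0x0409)   # version, length, unknown, timestamp, en-US
    dir_off = 0x60 + 0x18                                        # section 0 (file-size info) is 0x18 bytes
    struct.pack_into("<QQQQ", hdr, 0x38, 0x60, 0x18, dir_off, 0x54)
    struct.pack_into("<Q", hdr, 0x58, dir_off + 0x54)            # content-section offset (v3 only)
    return bytes(hdr) + bytes(0x18) + DIR_MAGIC + bytes(0x50)


# --- process-chain detection --------------------------------------------------
HELP_VIEWER = "hh.exe"   # assumption: the default Windows HTML Help viewer opens .chm files

# Constructed process-creation events, chronological (parents before children),
# modelled on the chain in the article: CHM opened -> command prompt -> payload in %TEMP%.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe",                     "command_line": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\hh.exe",                           "command_line": r'hh.exe "C:\Users\j\Downloads\fax_report.chm"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",                 "command_line": "cmd.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\j\AppData\Local\Temp\natmasla2.exe", "command_line": "natmasla2.exe"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe",             "command_line": "notepad.exe"},
]


def _descends_from_help_viewer(pid: int, procs: Dict[int, Tuple[str, int]]) -> bool:
    """Walk the recorded parent chain from pid; True if hh.exe is an ancestor."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        image, ppid = procs[pid]
        if image.rsplit("\\", 1)[-1] == HELP_VIEWER:
            return True
        pid = ppid
    return False


def flag_help_viewer_chains(events) -> List[Tuple[str, str]]:
    """Return (rule, command_line) for processes descended from hh.exe that start a
    shell or execute a binary out of the user's temp directory."""
    procs: Dict[int, Tuple[str, int]] = {}
    alerts = []
    for e in events:
        image = e["image"].lower()
        procs[e["pid"]] = (image, e["ppid"])
        if not _descends_from_help_viewer(e["ppid"], procs):
            continue
        if image.endswith("\\cmd.exe"):
            alerts.append(("shell spawned by HTML Help viewer", e["command_line"]))
        elif "\\temp\\" in image and image.endswith(".exe"):
            alerts.append(("executable run from %TEMP% under HTML Help viewer", e["command_line"]))
    return alerts


if __name__ == "__main__":
    print(triage_attachment("fax_report.pdf", build_sample_chm()))
    for rule, cmdline in flag_help_viewer_chains(SAMPLE_EVENTS):
        print(f"ALERT: {rule}: {cmdline}")
```

The header check deliberately stops at the ITSP directory: the sections that hold the HTML and JavaScript are LZX-compressed, so string-matching the raw attachment for script or URLs would miss them, and a full decompressor is not needed to decide that a "fax report" is really a help file. The process rule assumes events arrive in order so that each parent is recorded before its children; on a real endpoint feed the same ancestry walk works over Sysmon or EDR process-creation records.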
