Ransomware Spreads Via Exploit Kit
Tuesday, December 1, 2015 @ 02:12 PM gHale
CryptoWall 4.0 is now being delivered through the Nuclear exploit kit (EK), which drops the heavy-duty ransomware onto vulnerable systems, researchers said.
The “BizCN gate” attack started sending CryptoWall 4.0 payloads from the Nuclear EK Nov. 20, said Rackspace security researcher Brad Duncan in a blog post published by the SANS Internet Storm Center.
The BizCN gate attack has been distributing malware via the Nuclear EK, but only began delivering CryptoWall on Nov. 19, when the payload was still version 3.0.
CryptoWall 4.0 first came to light in early November, less than a year after its predecessor debuted on the malware scene. The updated threat encrypts not only the contents of files on infected machines but also their file names, so victims can no longer tell which files they have lost. It also carries an updated ransom note that claims the CryptoWall Project is not malicious.
CryptoWall 4.0 includes advanced malware dropper mechanisms and improved communication capabilities, such as a modified protocol that enables it to avoid detection, researchers said. Similar to previous versions, it uses the Decrypt Service website for payments, and asks victims to pay 1.83 Bitcoin, about $700, for the private key to decrypt their files.
Until now, CryptoWall 4.0 had spread through spam emails; this is the first time it has been seen delivered by an exploit kit.
The BizCN gate attack currently spreading the ransomware via Nuclear EK switched IP addresses from the 188.8.131.52/16 block (Germany – TK Rustelekom LLC) to 184.108.40.206/24 (Ukraine – PE Fesenko Igor Mikolayovich), Duncan said. He added that the injected script pointing to the BizCN-registered gate can be observed on the pages of compromised websites.
The researcher also found that the CryptoWall sample delivered by the BizCN gate differs from other instances of the malware: it looks like an NSIS installer and places custom artifacts in the infected user’s AppData\Local\Temp directory.
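The file-name encryption described above gives defenders something to look for: a folder that suddenly fills with random-looking stems and unknown extensions. The following heuristic is an added example, not code from the article or from Duncan's research; the directory listings and the threshold values are constructed assumptions.

```python
import math
import os
from collections import Counter

# Constructed sample listings (not from the article). NORMAL_DIR is an
# ordinary user folder; ENCRYPTED_DIR mimics a folder after CryptoWall 4.0
# has encrypted both contents and names, leaving random stems/extensions.
NORMAL_DIR = [
    "budget_2015.xlsx", "holiday_photo.jpg", "notes.txt", "report_final.docx",
    "invoice_1023.pdf", "presentation.pptx", "readme.md", "thesis_draft.docx",
]
ENCRYPTED_DIR = [
    "7kp3x1.q2d", "a9f0dm.zl7", "ytr4w8.0bn", "p1k2f9.hh3", "m5z8c2.e9q",
    "x3v7n1.r4t", "b8q2w6.j0s", "c4n9h3.u7p", "budget_2015.xlsx",
]

# Extensions a user folder is expected to contain (assumed, not exhaustive).
KNOWN_EXTS = frozenset({
    "txt", "md", "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
    "jpg", "jpeg", "png", "gif", "zip", "csv", "html", "exe", "dll",
})

def shannon_entropy(text: str) -> float:
    """Bits per character of the string; higher means more random-looking."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def looks_scrambled(name: str) -> bool:
    """True when the extension is unknown AND the stem looks machine-generated:
    a mix of letters and digits, or a long high-entropy string."""
    stem, ext = os.path.splitext(name)
    if ext.lower().lstrip(".") in KNOWN_EXTS:
        return False
    mixed = any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)
    long_random = len(stem) >= 8 and shannon_entropy(stem) >= 3.0
    return mixed or long_random

def scrambled_fraction(names) -> float:
    """Share of entries in a directory listing that look scrambled."""
    return sum(looks_scrambled(n) for n in names) / len(names) if names else 0.0

def is_suspicious(names, min_files: int = 5, threshold: float = 0.5) -> bool:
    """Flag a listing when enough files exist and most of them look scrambled."""
    return len(names) >= min_files and scrambled_fraction(names) >= threshold

if __name__ == "__main__":
    for label, listing in (("normal", NORMAL_DIR), ("encrypted", ENCRYPTED_DIR)):
        print(f"{label}: {scrambled_fraction(listing):.2f} suspicious={is_suspicious(listing)}")
```

On a live host the same function would be fed `os.listdir()` output for user document folders, and a sudden jump in the scrambled fraction is the signal worth alerting on.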