Ransomware Spreads Via Exploit Kit

Tuesday, December 1, 2015 @ 02:12 PM gHale

CryptoWall 4.0 is being delivered through packages like the Nuclear exploit kit (EK), hitting systems with the heavy-duty ransomware, researchers said.

The “BizCN gate” attack started sending CryptoWall 4.0 payloads from the Nuclear EK Nov. 20, said Rackspace security researcher Brad Duncan in a blog post published by the SANS Internet Storm Center.


The BizCN gate attack distributes malware via the Nuclear EK, but started using CryptoWall only on Nov. 19, when the ransomware in the payload was at version 3.0.

CryptoWall 4.0 first came to light in early November, less than a year after its predecessor debuted on the malware scene. The updated threat encrypts not only the contents of files on infected machines but also their file names, which prevents victims from recognizing which files were hit. It also carries an updated ransom note, which claims the CryptoWall Project is not malicious.

CryptoWall 4.0 includes advanced malware dropper mechanisms and improved communication capabilities, such as a modified protocol that enables it to avoid detection, researchers said. Similar to previous versions, it uses the Decrypt Service website for payments, and asks victims to pay 1.83 Bitcoin, about $700, for the private key to decrypt their files.

Until now, CryptoWall 4.0 had been spreading through spam emails; this is the first time it has been seen delivered by an exploit kit.

The BizCN gate attack currently spreading the ransomware via Nuclear EK switched IP addresses from the block (Germany – TK Rustelekom LLC) to (Ukraine – PE Fesenko Igor Mikolayovich), Duncan said. He also said injected script pointing to the BizCN-registered gate can be observed on the pages of compromised websites.

The URL patterns in the HTTP GET requests are distinctive, and GET requests to the gate domain return gzip-compressed JavaScript. By analyzing the payload, the researchers were able to find traces of Nuclear EK, and Duncan said the EK exploits a Flash vulnerability to infect Windows hosts that visit the site.

The researcher also found that the version of CryptoWall sent by the BizCN gate differs from other instances of the malware: it looks like an NSIS installer and places custom artifacts in the infected user’s AppData\Local\Temp directory.