Ransomware Teams with Spyware
Wednesday, March 25, 2015 @ 09:03 AM gHale
The latest version of CryptoWall comes with a piece of spyware that ensures attackers still get an opportunity to make money if the victim doesn’t fall for the ransom demand.
The spyware is Fareit, known for its ability to find and take credentials from programs ranging from email clients, web browsers, FTP clients and digital currency wallets.
Australia and New Zealand are the regions hit hardest by the new attack, said researchers at Trend Micro.
North America comes in third, with the CryptoWall-Fareit combination found in 24.18 percent of the cases, followed by Europe with 14.27 percent of infections. Other regions affected are the Middle East/Africa, Asia and South America.
The dropper for the two pieces of malware comes as an archived JavaScript (JS) attached to an email claiming to deliver a resume, said Trend Micro researchers.
They use a JavaScript file because some scanners do not check this type of data.
The analysis of this file revealed it connects to two command and control (C&C) servers to download two apparent image files in JPG format. However, this is only a ploy to bypass intrusion detection systems (IDS).
Further analysis of the JavaScript showed the two files are actually executables for CryptoWall and Fareit, which run immediately after they are downloaded.
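The delivery chain described above, an archived JavaScript attachment that fetches "image" files which are really executables, can be caught at two points: inspecting archive attachments for script members, and checking whether a downloaded file's magic bytes agree with the type its name claims. The following is an added example written for this article, not code from Trend Micro or from the article; the sample attachment and download bytes are constructed placeholders and do not come from any real CryptoWall or Fareit payload.

```python
"""Flag attachments and downloads whose real type disagrees with the declared one.

Two checks, mirroring the delivery chain described in the article:
  1. script_members(): list script-type files inside a zip attachment
     (the "archived JavaScript" resume lure).
  2. check_download(): compare a downloaded file's magic bytes with the type
     implied by its name (a ".jpg" that starts with the PE "MZ" header is
     an executable in disguise).
Added example; all sample data below is constructed, not captured from malware.
"""
import io
import zipfile

# Well-known file signatures (real magic bytes).
JPEG_MAGIC = b"\xff\xd8\xff"   # JPEG/JFIF image
PE_MAGIC = b"MZ"               # Windows PE executable (DOS stub header)
ZIP_MAGIC = b"PK\x03\x04"      # ZIP archive

# Extensions that indicate a script which Windows will execute on double-click.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".wsf")


def sniff_type(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name entirely."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def declared_type(filename: str) -> str:
    """Type the file name claims, based on its extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {"jpg": "jpeg", "jpeg": "jpeg", "exe": "pe", "zip": "zip"}.get(ext, "unknown")


def check_download(filename: str, data: bytes) -> dict:
    """Return a verdict dict; 'suspicious' is True when the name and the
    content both map to a known type and those types disagree."""
    actual = sniff_type(data)
    declared = declared_type(filename)
    mismatch = declared != "unknown" and actual != "unknown" and declared != actual
    return {"filename": filename, "declared": declared,
            "actual": actual, "suspicious": mismatch}


def script_members(archive_bytes: bytes) -> list:
    """Names of script-type members inside a zip attachment (empty if none)."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [name for name in zf.namelist() if name.lower().endswith(SCRIPT_EXTS)]


def build_sample_attachment() -> bytes:
    """Constructed sample: a zip holding 'resume.js' with placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("resume.js", "// placeholder content, not real malware\n")
    return buf.getvalue()


# Constructed sample downloads: one genuine JPEG header, one PE header served as .jpg.
SAMPLE_DOWNLOADS = [
    ("photo.jpg", JPEG_MAGIC + b"\xe0" + b"\x00" * 16),
    ("image1.jpg", PE_MAGIC + b"\x90\x00" + b"\x00" * 60),
]


def scan_samples() -> list:
    """Run check_download over the constructed samples."""
    return [check_download(name, data) for name, data in SAMPLE_DOWNLOADS]


if __name__ == "__main__":
    print("script members in attachment:", script_members(build_sample_attachment()))
    for verdict in scan_samples():
        print(verdict)
```

In a mail gateway or proxy this logic would run on the attachment and on each response body; the magic-byte comparison is what defeats the "JPG" disguise, because the name and Content-Type are attacker-controlled while the leading bytes of an executable are not.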
While CryptoWall encrypts the targeted file types (documents, databases, emails, images, audio, video, and source code) in the background, Fareit runs its credential-stealing routine and sends the data to the C&C, said Anthony Joe Melgarejo, threat response engineer at Trend Micro.
The ransomware locks the files with a strong RSA-2048 key and changes their extension to a random one. In the affected folders, it also drops instructions on how to make the ransom payment of about $500, which is demanded in bitcoin and carried out via a payment website on the Tor anonymity network.