On 11 June the SANS Internet Storm Center reported that Cryptowall 3.0 infections had recently gained a new delivery channel: malicious spam campaigns. The news follows the discovery in April of another spam campaign that pushed the CTB Locker ransomware from more than two dozen e-mail addresses.
The campaign sends Cryptowall 3.0 by e-mail from Yahoo addresses. The attachment is a .zip archive called my_resume.zip that contains an HTML file called my_resume.svg. The attackers also appear to have started adding numbers to the file names, for example resume4210.html or resume9647.html.
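The naming pattern above (a resume-themed .zip whose entry is an HTML document wearing an .svg or .html extension) is easy to screen for at the mail gateway. The following triage script is an added example written for this article, not code from SANS or from the campaign analysis; the in-memory zip it builds is a constructed test input, and the name regex and HTML-marker heuristic are assumptions chosen to match the file names the article lists.

```python
import io
import re
import zipfile

# Constructed from the naming described in the article: my_resume.svg inside
# my_resume.zip, plus numbered variants such as resume4210.html.
RESUME_NAME = re.compile(r"^(my_)?resume\d*\.(html?|svg)$", re.IGNORECASE)
# Byte markers that indicate HTML rather than SVG content (coarse heuristic).
HTML_MARKERS = (b"<html", b"<body", b"<script", b"<iframe")
MAX_ENTRY_BYTES = 2 * 1024 * 1024  # refuse to inflate oversized entries


def looks_like_html(data: bytes) -> bool:
    """True when the first 4 KiB carry HTML markup but no <svg root element."""
    head = data[:4096].lower()
    return b"<svg" not in head and any(m in head for m in HTML_MARKERS)


def triage_attachment(zip_bytes: bytes) -> list:
    """Return a list of findings for a .zip attachment, empty if nothing matched."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.rsplit("/", 1)[-1]
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if RESUME_NAME.match(name):
                findings.append("suspicious name: " + name)
            if info.file_size > MAX_ENTRY_BYTES:
                findings.append("oversized entry skipped: " + name)
                continue
            data = zf.read(info)
            if ext == "svg" and looks_like_html(data):
                findings.append("html content in .svg: " + name)
            elif ext in ("htm", "html") and looks_like_html(data):
                findings.append("html attachment: " + name)
    return findings


def build_sample_zip(entry_name: str, payload: bytes) -> bytes:
    """Construct an in-memory .zip with one entry (test input, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(entry_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip("my_resume.svg", b"<html><body>resume</body></html>")
    for finding in triage_attachment(sample):
        print(finding)
```

The size cap matters because the gateway has to inflate each entry to sniff its content, and an archive with an enormous declared size should be quarantined rather than expanded; a genuine SVG (root element `<svg`) produces no finding, so the check targets the extension mismatch rather than all vector images.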
Brad Duncan, SANS incident handler and Rackspace security researcher, explains: “Opening the attachment and extracting the malicious file gives you an HTML document. If you open one of these HTML files, your browser will generate traffic to a compromised server. The return traffic is gzip compressed, so you won’t see it in the TCP stream from Wireshark. Exporting the text from Wireshark shows HTML that points to a shared document from a Google server.”
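The gzip detail is why a plain string search over a capture misses the redirect: the docs.google.com reference only appears after the response body is decompressed. The script below is an added example, not code from SANS or Wireshark; it parses a raw HTTP response, undoes gzip content-encoding, and lists the docs.google.com URLs in the body. The response it builds is a constructed test input with a placeholder document id, and it assumes a Content-Length framed body (chunked transfer-encoding is not handled).

```python
import gzip
import re

# Pattern for links to docs.google.com; bytes regex so it runs on raw bodies.
GOOGLE_DOCS_URL = re.compile(rb"https?://docs\.google\.com/[^\s\"'<>]+")


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, lower-cased header dict, body).

    Assumes a Content-Length framed body; chunked transfer-encoding is not handled here.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def decoded_body(raw: bytes) -> bytes:
    """Return the response body with gzip content-encoding undone."""
    _, headers, body = parse_http_response(raw)
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return body


def find_google_docs_links(raw: bytes) -> list:
    """Unique docs.google.com URLs referenced in the (decoded) response body."""
    body = decoded_body(raw)
    return sorted({m.decode("latin-1") for m in GOOGLE_DOCS_URL.findall(body)})


def build_sample_response(html: bytes, compress: bool = True) -> bytes:
    """Construct a raw HTTP response carrying html, gzip-compressed by default."""
    body = gzip.compress(html) if compress else html
    head = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    if compress:
        head += b"Content-Encoding: gzip\r\n"
    head += b"Content-Length: " + str(len(body)).encode("ascii") + b"\r\n\r\n"
    return head + body


# Constructed page body; the document id is a placeholder, not a real indicator.
SAMPLE_HTML = (b"<html><body>"
               b'<meta http-equiv="refresh" content="0; url=https://docs.google.com/uc?id=PLACEHOLDER_ID&export=download">'
               b"</body></html>")

if __name__ == "__main__":
    raw = build_sample_response(SAMPLE_HTML)
    print(find_google_docs_links(raw))
```

Fed the bytes of a response exported from a capture, the same functions give the analyst the decoded HTML without relying on Wireshark's text export; the extracted URLs are what you would compare against the list SANS published for this campaign.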
The researcher also noted that the latest run of Angler Exploit Kit traffic showed the attackers using a different Bitcoin address from the one used previously: “at this point, I’m not 100 percent certain it’s the same actor behind all this Cryptowall 3.0 we’ve been seeing lately. However, my gut feeling tells me this activity is all related to the same actor or group. The timing is too much of a coincidence.”
He added that many more samples of CryptoWall 3.0 “are visible in the spam/EK traffic now than before, so maybe the increased exposure might help infect more computers.” There was no indication as to whether victims who were infected and paid the requested amount were actually sent the encryption keys by the attackers so that they could recover their data.
Cryptowall also appears to be hosted on a number of different docs.google.com URLs, a list of which is posted on the SANS website. The Bitcoin address used for payment in the spam campaign is 16REtGSobiQZoprFnXZBR2mSWvRyUSJ3ag, the same address found in other spam samples.
The first Cryptowall 3.0 infections from Angler were seen on May 26. According to SANS, the Bitcoin address used in the infections coming from Angler is 16Z6sidfLrfNoxJNu4qM5zhRttJEUD3XoBi. Duncan reports that a second Bitcoin address, 12LE1yNak3ZuNTLa95KYR2CQSKb6rZnELb, was in use as of June 11.
Duncan has a theory about this process: “There are any numbers of reasons to use more than one Bitcoin address. It could be a back-up, in case law enforcement is closing in on the other one. It could be a way to track different infections, geographically. I’m not sure on this one. It’s just my gut feeling, which could be wrong.”
The researcher also added that a new set of WordPress sites was redirecting to Angler in this campaign, based on the web injects observed: “The significance is that there are plenty of vulnerable websites running outdated or unpatched versions of WordPress. The actors behind this (and other) campaigns will have a continuous supply of websites that can be compromised and used for these efforts.”
Regarding the security of your computer, please consider the following basic rules:
Good to know