Security experts at Barracuda Labs have discovered a new variant of CryptoWall ransomware in the wild, the new strain of malware presents a valid digital signature and it is being delivered as part of a widespread malvertising campaign.
The threat actors behind the campaign exploited a Drive-by downloads tactic to deliver the CryptoWall ransomware, the experts discovered that the attack was delivered via the Zedo ad network and originated from the following five Alexa top-ranked domains:
hindustantimes[.]com bollywoodhungama[.]com one[.]co[.],il codingforums[.]com mawdoo[.]comThe researchers at Barracuda identified a specific subchain for every site’s sequence of events
<site index> -> hxxp://[c2|c5][.]zedo[.]com/jsc/[c2|c5]/fo.js –> hxxp://ss1[.]zedo[.]com/jsc/fst.js —> hxxp://static[.]rcs7[.]org/seo1.php?ds=true&dr=<…> —-> hxxp://xenon[.]asapparts[.]com/akamai/adsone.php?acc=<…>
where “ss1[.]zedo[.]com served obfuscated JavaScript that began a series of redirects to malicious content,” according to the analysis published by the rexperts. The last step of the chain is xenon[.]asapparts[.]com, used by threat actors to redirect to one of several website hosting malicious exploit kit.
With the above scheme, the attackers serve an instance of CryptoWall ransomware on the victim’s system, below the details of the digital signature used for the malicious code. Digitally signing malware code allow attackers to improve evasion techniques.
In a first time, the VirusTotal detection rate for this variant of CryptoWall ransomware was zero, afterwards it was improved with further analysis and in time I’m writing it is still low, just 24 on51, which makes this threat very insidious.
(Security Affairs – CryptoWall ransomware, malware)