Signed CryptoWall ransomware distributed via top websites

Pierluigi Paganini October 03, 2014

A digitally signed version of the popular CryptoWall ransomware is distributed via five Alexa top-ranked websites in a widespread malvertising campaign.

Security experts at Barracuda Labs have discovered a new variant of CryptoWall ransomware in the wild. The new strain carries a valid digital signature and is being delivered as part of a widespread malvertising campaign.

The threat actors behind the campaign used a drive-by download tactic to deliver the CryptoWall ransomware. The experts found that the attack was delivered via the Zedo ad network and originated from the following five Alexa top-ranked domains:

hindustantimes[.]com
bollywoodhungama[.]com
one[.]co[.]il
codingforums[.]com
mawdoo[.]com

The researchers at Barracuda identified a specific subchain for every site's sequence of events:

<site index>
  -> hxxp://[c2|c5][.]zedo[.]com/jsc/[c2|c5]/fo.js
    -> hxxp://ss1[.]zedo[.]com/jsc/fst.js
      -> hxxp://static[.]rcs7[.]org/seo1.php?ds=true&dr=<…>
        -> hxxp://xenon[.]asapparts[.]com/akamai/adsone.php?acc=<…>

where “ss1[.]zedo[.]com served obfuscated JavaScript that began a series of redirects to malicious content,” according to the analysis published by the experts. The last step of the chain is xenon[.]asapparts[.]com, which the threat actors use to redirect victims to one of several websites hosting a malicious exploit kit.
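The redirect chain above is what a defender can look for in web proxy logs: a single client fetching a zedo[.]com ad script, then static[.]rcs7[.]org, then xenon[.]asapparts[.]com, in that order. The following script is an added example, not code from the article or from Barracuda Labs. It reconstructs per-client request sequences from a constructed proxy log and flags clients whose traffic contains the full hop sequence; the log layout (timestamp, client IP, URL, referer), the client addresses, the timestamps and the placeholder query values are all assumptions made for the example. The hostnames are taken from the chain in the article.

```python
"""Flag the CryptoWall malvertising redirect chain in proxy logs.

Added example, not part of the original article. Hostnames come from the
chain described in the article; the log format and sample lines are
constructed for illustration.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Ordered hops of the redirect chain; each hop lists acceptable host suffixes.
CHAIN_PATTERN = [
    ("zedo.com",),               # c2/c5/ss1.zedo.com ad scripts (fo.js, fst.js)
    ("static.rcs7.org",),        # seo1.php redirector
    ("xenon.asapparts.com",),    # adsone.php, last hop before the exploit kit
]

# Constructed proxy log: "<timestamp> <client_ip> <url> <referer>" per line.
# Query-string values are placeholders, not the real campaign parameters.
SAMPLE_LOG = """\
2014-10-01T10:00:01Z 10.0.0.5 http://hindustantimes.com/ -
2014-10-01T10:00:02Z 10.0.0.5 http://c2.zedo.com/jsc/c2/fo.js http://hindustantimes.com/
2014-10-01T10:00:02Z 10.0.0.5 http://ss1.zedo.com/jsc/fst.js http://hindustantimes.com/
2014-10-01T10:00:03Z 10.0.0.5 http://static.rcs7.org/seo1.php?ds=true&dr=PLACEHOLDER http://hindustantimes.com/
2014-10-01T10:00:04Z 10.0.0.5 http://xenon.asapparts.com/akamai/adsone.php?acc=PLACEHOLDER http://static.rcs7.org/seo1.php?ds=true&dr=PLACEHOLDER
2014-10-01T10:00:05Z 10.0.0.9 http://codingforums.com/ -
2014-10-01T10:00:06Z 10.0.0.9 http://c5.zedo.com/jsc/c5/fo.js http://codingforums.com/
"""


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def matches_hop(host, hop):
    """True if host equals, or is a subdomain of, any suffix in this hop."""
    return any(host == s or host.endswith("." + s) for s in hop)


def parse_log(text):
    """Group requests by client, preserving log order: client -> [(ts, url, referer)]."""
    events = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        ts, client, url, referer = parts
        events[client].append((ts, url, referer))
    return events


def find_chains(events, pattern=CHAIN_PATTERN):
    """Return {client: {"origin": referer_of_first_hop, "chain": [urls]}} for
    every client whose requests contain all hops in order. Other requests may
    be interleaved; only the relative order of the hops matters."""
    hits = {}
    for client, reqs in events.items():
        hop, matched, origin = 0, [], None
        for _, url, referer in reqs:
            if hop < len(pattern) and matches_hop(host_of(url), pattern[hop]):
                if hop == 0:
                    origin = referer  # the publisher page that served the ad
                matched.append(url)
                hop += 1
        if hop == len(pattern):
            hits[client] = {"origin": origin, "chain": matched}
    return hits


if __name__ == "__main__":
    for client, hit in find_chains(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: chain seen from {hit['origin']}")
        for url in hit["chain"]:
            print("   ->", url)
```

Only a client that completes all three hops is reported; the second client in the sample log fetched a Zedo ad script alone, which is ordinary ad traffic and produces no alert. The referer of the first hop records which publisher page served the ad, which is the detail an incident responder needs when asking the ad network or publisher to pull the creative.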

With the above scheme, the attackers drop an instance of CryptoWall ransomware on the victim's system; the details of the digital signature used for the malicious code are shown below. Digitally signing malware allows attackers to improve their evasion of security controls.

CryptoWall Digital Signature

Initially the VirusTotal detection rate for this variant of CryptoWall ransomware was zero; it improved with further analysis, but at the time of writing it is still low, just 24 of 51, which makes this threat very insidious.

CryptoWall Detection Rate


Pierluigi Paganini

(Security Affairs – CryptoWall ransomware, malware)
