Crooks use seemingly harmless help files to serve CryptoWall ransomware

Experts at Bitdefender revealed that crooks used seemingly harmless help files to distribute a variant of the popular ransomware CryptoWall.

Cybercrime never ceases to surprise: every time we look, there is a new and effective technique to deceive victims and evade detection mechanisms. Security experts at Bitdefender have discovered a new spam campaign that targeted a few hundred users. The attackers sent email messages containing a bogus “Incoming Fax Report” that carried a help file with the .chm (compiled HTML) extension.

When victims opened the file, they were presented with a help window while, in the background, a strain of malware downloaded the popular CryptoWall ransomware and executed it. Bitdefender detected the ransomware variant as Trojan.GenericKD.217093.

The spam campaign targeted users worldwide, including in the United States, Europe and Australia.

CryptoWall is one of the malicious codes most widely used in the cybercriminal ecosystem for extortion. Ransomware is a family of malware that locks victims’ files and demands payment of a fee to unlock them. CryptoWall uses public-key cryptography to encrypt files with certain extensions.

According to the experts at Dell SecureWorks, by August 2014 CryptoWall had caused 600,000 infections in the previous six months, producing $1 million in ransoms; victims paid fees ranging from $100 to $500.

The latest variant, CryptoWall 3.0, uses I2P to hide its command and control infrastructure. The threat actors behind this campaign used servers located in Vietnam, India, the US, Australia, Spain and Romania to send out the spam emails.

Bitdefender provides the CryptoWall Vaccine to protect systems against the ransomware by blocking file encryption attempts.

“We have now developed a vaccine that allows users to immunize their computers and block any file encryption attempts, even if they become infected with CryptoWall, one of the most powerful clones of the Cryptolocker malware,” reports Bitdefender.

In the specific campaign, the attackers used seemingly harmless help files (CHM files) that can run JavaScript code.

“These CHM files are highly interactive and run a series of technologies including JavaScript, which can redirect a user toward an external URL after simply opening the CHM,” Bitdefender said. “Attackers began exploiting CHM files to automatically run malicious payloads once the file is accessed. And it makes perfect sense: the less user interaction, the greater the chances of infection.”
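A defender-side check for the attachment trick described above, as an added example that is not Bitdefender's or the article's code: it identifies CHM attachments by their ITSF magic header rather than by file extension, so a help file renamed to look like a fax report is still flagged. The sample “Incoming Fax Report” mail and its minimal CHM-like attachment are constructed here; the header field order (magic, version, header length, unknown, timestamp, language id) follows the publicly documented ITSF layout.

```python
import email
import struct
from email import policy
from email.message import EmailMessage

CHM_MAGIC = b"ITSF"  # every compiled HTML help file starts with this tag


def parse_itsf_header(data: bytes):
    """Return the leading ITSF header fields, or None if the bytes are not a CHM."""
    if len(data) < 24 or data[:4] != CHM_MAGIC:
        return None
    version, header_len, _unknown, timestamp, lang_id = struct.unpack_from("<IIIII", data, 4)
    return {"version": version, "header_len": header_len,
            "timestamp": timestamp, "lang_id": lang_id}


def triage_attachments(raw_message: bytes):
    """Flag every attachment that is a CHM by content, whatever filename it carries."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        hdr = parse_itsf_header(payload)
        if hdr is None:
            continue  # not a CHM; other file types are out of scope here
        findings.append({
            "filename": name,
            "chm_by_magic": True,
            "extension_matches": name.lower().endswith(".chm"),  # False = disguised CHM
            "lang_id": hdr["lang_id"],
        })
    return findings


def build_sample_message() -> bytes:
    # Constructed sample: a fake fax-report mail carrying a minimal CHM-like header
    # (version 3, claimed header length 0x60, language id 0x0409) under two names,
    # plus a harmless non-CHM attachment that must not be flagged.
    fake_chm = CHM_MAGIC + struct.pack("<IIIII", 3, 0x60, 1, 0, 0x0409) + b"\x00" * 36
    msg = EmailMessage()
    msg["From"] = "fax@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Incoming Fax Report"
    msg.set_content("You have a new fax. See the attached report.")
    msg.add_attachment(fake_chm, maintype="application", subtype="octet-stream", filename="fax_report.chm")
    msg.add_attachment(fake_chm, maintype="application", subtype="octet-stream", filename="fax_report.pdf")
    msg.add_attachment(b"%PDF-1.4 constructed stub", maintype="application", subtype="pdf", filename="real.pdf")
    return msg.as_bytes()
```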

Security experts believe that the campaign was mainly aimed at corporate users, given the nature of the lure used in the spam messages: a fake fax email.

Pierluigi Paganini

(Security Affairs – CryptoWall, ransomware)
