Security experts at Barracuda Labs have discovered a new variant of CryptoWall ransomware in the wild, the new strain of malware presents a valid digital signature and it is being delivered as part of a widespread malvertising campaign.
The threat actors behind the campaign exploited a Drive-by downloads tactic to deliver the CryptoWall ransomware, the experts discovered that the attack was delivered via the Zedo ad network and originated from the following five Alexa top-ranked domains:hindustantimes[.]com bollywoodhungama[.]com one[.]co[.],il codingforums[.]com mawdoo[.]com
The researchers at Barracuda identified a specific subchain for every site’s sequence of events
<site index> -> hxxp://[c2|c5][.]zedo[.]com/jsc/[c2|c5]/fo.js –> hxxp://ss1[.]zedo[.]com/jsc/fst.js —> hxxp://static[.]rcs7[.]org/seo1.php?ds=true&dr=<…> —-> hxxp://xenon[.]asapparts[.]com/akamai/adsone.php?acc=<…>
With the above scheme, the attackers serve an instance of CryptoWall ransomware on the victim’s system, below the details of the digital signature used for the malicious code. Digitally signing malware code allow attackers to improve evasion techniques.
In a first time, the VirusTotal detection rate for this variant of CryptoWall ransomware was zero, afterwards it was improved with further analysis and in time I’m writing it is still low, just 24 on51, which makes this threat very insidious.
(Security Affairs – CryptoWall ransomware, malware)