Security experts at Barracuda Labs have discovered a new variant of the CryptoWall ransomware in the wild. The new strain carries a valid digital signature and is being delivered as part of a widespread malvertising campaign.
The threat actors behind the campaign used a drive-by download tactic to deliver the CryptoWall ransomware. The experts found that the attack was served via the Zedo ad network and originated from the following five Alexa top-ranked domains: hindustantimes[.]com, bollywoodhungama[.]com, one[.]co[.]il, codingforums[.]com, mawdoo[.]com
The researchers at Barracuda identified the same specific sub-chain in each site's sequence of events:
<site index> -> hxxp://[c2|c5][.]zedo[.]com/jsc/[c2|c5]/fo.js -> hxxp://ss1[.]zedo[.]com/jsc/fst.js -> hxxp://static[.]rcs7[.]org/seo1.php?ds=true&dr=<…> -> hxxp://xenon[.]asapparts[.]com/akamai/adsone.php?acc=<…>
Through this redirect scheme, the attackers drop an instance of the CryptoWall ransomware on the victim's system. The details of the digital signature applied to the malicious code are shown below. Digitally signing malware allows attackers to evade security controls that treat a valid signature as a sign of trustworthiness.
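The redirect sub-chain above is a useful detection pattern: a single hop to an ad network is normal traffic, but one client requesting the zedo -> rcs7 -> asapparts hosts in that order is the fingerprint of this campaign. The following script is an added example, not code from Barracuda or from the original article. It reconstructs per-client request sequences from web-proxy logs and flags clients whose traffic contains the full ordered chain. The log format (timestamp, client IP, URL) and the log lines themselves are constructed for the example; the chain domains are the ones the article reports.

```python
"""Detect the reported malvertising redirect sub-chain in web-proxy logs.

Added example: the log format and sample lines are constructed; the chain
domains are taken from the published sequence (zedo -> rcs7 -> asapparts).
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Ordered domains (suffix match) that make up the reported sub-chain. No single
# hop is suspicious on its own; the full ordered sequence from one client is.
CHAIN = ["zedo.com", "rcs7.org", "asapparts.com"]

# Constructed proxy log: "<timestamp> <client_ip> <url>" (assumed format).
SAMPLE_LOG = """\
2014-09-29T10:00:01Z 10.0.0.5 http://example-news-site.test/index.html
2014-09-29T10:00:02Z 10.0.0.5 http://c2.zedo.com/jsc/c2/fo.js
2014-09-29T10:00:02Z 10.0.0.5 http://ss1.zedo.com/jsc/fst.js
2014-09-29T10:00:03Z 10.0.0.5 http://static.rcs7.org/seo1.php?ds=true&dr=REDACTED
2014-09-29T10:00:04Z 10.0.0.5 http://xenon.asapparts.com/akamai/adsone.php?acc=REDACTED
2014-09-29T10:01:00Z 10.0.0.9 http://c5.zedo.com/jsc/c5/fo.js
2014-09-29T10:01:01Z 10.0.0.9 http://example-news-site.test/other.html
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def host_matches(host, domain):
    """True if host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def parse_log(text):
    """Yield (timestamp, client, host) tuples from the constructed log format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, url = m.groups()
        host = urlparse(url).hostname
        if host:
            yield ts, client, host.lower()


def find_chain_hits(text, chain=CHAIN):
    """Return {client: [matched hosts]} for every client whose requests, taken
    in time order, contain each stage of `chain` as an ordered subsequence."""
    per_client = defaultdict(list)
    for ts, client, host in parse_log(text):
        per_client[client].append((ts, host))

    hits = {}
    for client, events in per_client.items():
        events.sort()  # order by timestamp
        stage = 0
        matched = []
        for _, host in events:
            # Advance only when the current stage's domain is seen; earlier
            # stages repeating (e.g. a second zedo host) are ignored.
            if stage < len(chain) and host_matches(host, chain[stage]):
                matched.append(host)
                stage += 1
        if stage == len(chain):
            hits[client] = matched
    return hits


if __name__ == "__main__":
    for client, hosts in find_chain_hits(SAMPLE_LOG).items():
        print(f"{client}: {' -> '.join(hosts)}")
```

Only client 10.0.0.5 is reported: 10.0.0.9 touched the ad network but never reached the later stages, which is exactly the benign case the ordered match is meant to ignore. In production the same logic applies to an actual proxy export; the chain list is the only campaign-specific part.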
Initially, the VirusTotal detection rate for this variant of the CryptoWall ransomware was zero. It improved after further analysis, but at the time of writing it is still low, just 24 of 51 engines, which makes this threat particularly insidious.
(Security Affairs – CryptoWall ransomware, malware)