The SANS Internet Storm Center is reporting that the Angler exploit kit (EK) serving up CryptoWall 3.0 ransomware has been evolving rapidly, altering its URL patterns on an almost daily basis.
“The changes accumulate, and you might not recognize current traffic generated by Angler. After two weeks of vacation, I almost didn’t recognize it,” wrote Brad Duncan.
“Angler pushes different payloads, but we’re still seeing a lot of CryptoWall 3.0 from this EK. We first noticed CryptoWall 3.0 from Angler near the end of May 2015.”
The first week of the current malware spam campaign had an attachment named my_resume.zip that contained an HTML file named my_resume.svg, which downloaded the CryptoWall 3.0 ransomware from a compromised server, but the attackers have since made some adjustments.
“The extracted HTML file names use random numbers, with names like resume4210.html or resume9647.html. Furthermore, the CryptoWall is now hosted on various docs.google.com URLs. If you open one of these HTML files, your browser will generate traffic to a compromised server,” Duncan said last month.
“The return traffic is gzip compressed, so you won’t see it in the TCP stream from Wireshark. Exporting the text from Wireshark shows HTML that points to a shared document from a Google server. Examining the traffic in Wireshark, you’ll see a chain of events leading from the compromised server to docs.google.com.”
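The hand-off Duncan describes is invisible in a raw TCP stream only because the body is compressed; once the HTTP response is split from its headers and gunzipped, the link to the Google-hosted document is ordinary HTML. The following Python is an added example, not code from the original article or from the ISC diary. The HTTP response it builds and the docs.google.com URL inside it (document ID EXAMPLE_ID) are constructed placeholders standing in for bytes reassembled from a capture, not real indicators.

```python
import gzip
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample of what a compromised server might return: a meta refresh
# and a script redirect, both pointing at a shared Google document. The
# document ID is a placeholder, not an indicator from the article.
SAMPLE_HTML = (
    b'<html><head><meta http-equiv="refresh" '
    b'content="0;url=https://docs.google.com/uc?id=EXAMPLE_ID&export=download">'
    b"</head><body><script>window.location="
    b"'https://docs.google.com/uc?id=EXAMPLE_ID&export=download';"
    b"</script></body></html>"
)


def build_response(html: bytes = SAMPLE_HTML, compress: bool = True) -> bytes:
    """Assemble a raw HTTP/1.1 response, gzip-compressing the body by default.

    This stands in for the bytes you would reassemble from a pcap TCP stream.
    """
    body = gzip.compress(html) if compress else html
    head = b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n"
    if compress:
        head += b"Content-Encoding: gzip\r\n"
    head += b"Content-Length: " + str(len(body)).encode("ascii") + b"\r\n\r\n"
    return head + body


def parse_http_response(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Split a raw response into lowercase-keyed headers and the decoded body.

    Only the gzip case from the article is handled; any other encoding is
    returned untouched so the caller can see it still needs decoding.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return headers, body


# Absolute URLs up to the next quote, whitespace or angle bracket.
_URL_RE = re.compile(rb"""https?://[^\s'"<>]+""")


def extract_urls(html: bytes, host: Optional[str] = None) -> List[str]:
    """Return the distinct absolute URLs in html, optionally only those on host."""
    found: List[str] = []
    for match in _URL_RE.finditer(html):
        url = match.group(0).decode("latin-1")
        if host is not None and (urlsplit(url).hostname or "") != host.lower():
            continue
        if url not in found:
            found.append(url)
    return found


def redirect_targets(raw: bytes, host: str = "docs.google.com") -> List[str]:
    """The hand-off URLs hidden inside a (possibly compressed) response."""
    _, body = parse_http_response(raw)
    return extract_urls(body, host)


if __name__ == "__main__":
    raw = build_response()
    print("plaintext visible in raw stream:", b"docs.google.com" in raw)
    print("targets after decompression:", redirect_targets(raw))
```

Running it on the constructed response shows the docs.google.com URL only after decompression, which is the same thing Wireshark's "export text" step does; the host filter uses the parsed hostname rather than a substring match so that a lookalike domain containing the string does not slip through.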
The team also detected the Angler exploit kit pushing CryptoWall 3.0 on 2015-05-26, the first time they had seen version 3.0 of CryptoWall used by Angler.
“In each case I’ve documented, the bitcoin address for the ransom payment was 16Z6sidfLrfNoxJNu4qM5zhRttJEUD3XoB. Angler EK is still being used by other groups to send different malware payloads. However, the appearance of CryptoWall 3.0 in Angler since 2015-06-26 using the same bitcoin address indicates this is a separate campaign by a specific actor,” Duncan said.
“The timing of these two campaigns, along with their consistent use of the same bitcoin addresses for the ransom payment, suggests they are related. They may have been initiated by the same actor. This is a significant trend in our current threat landscape.”
Earlier, in March 2015, researchers saw CryptoWall 3.0 being propagated through spam emails carrying a JavaScript attachment that posed as a resume inside an archive file.
The .JS file would connect to two URLs to download .JPG files, an old technique designed to bypass poorly designed intrusion detection systems (IDS) by disguising the malware as an image file.
The .JS file would execute the one.jpg and two.jpg files after a successful download, which were detected as TROJ_CRYPWAL.YOI and TSPY_FAREIT.YOI, respectively.
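The disguise in that campaign only works against inspection that trusts the extension. A defender can catch it by comparing what the file name promises with what the leading bytes say the file is. The following Python is an added example, not code from the article or from the analysis it summarizes; the sample files (one.jpg, two.jpg, a benign image and a text file) and their contents are constructed, and the real samples' detection names are not reproduced here.

```python
import os
from typing import Dict, List, Optional, Tuple

# Leading bytes that identify a container or executable format. Constructed
# list covering only what this example needs; a real deployment would use
# libmagic or a fuller table.
SIGNATURES: List[Tuple[bytes, str]] = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"MZ", "pe"),          # DOS stub at the start of a Windows executable
    (b"\x7fELF", "elf"),
    (b"PK\x03\x04", "zip"),
    (b"\x1f\x8b", "gzip"),
]

# What the extension promises. Only image extensions are policed here, since
# the lure in the article uses .jpg.
EXPECTED_BY_EXT: Dict[str, str] = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
}

EXECUTABLE_KINDS = {"pe", "elf"}


def sniff_type(data: bytes) -> Optional[str]:
    """Identify a file by its magic bytes, or None if no signature matches."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None


def classify(filename: str, data: bytes) -> str:
    """Compare the extension's promise with the content's magic bytes.

    Returns "ok", "unknown-extension", "mismatch:<kind>" or
    "executable-as-image:<kind>".
    """
    ext = os.path.splitext(filename)[1].lower()
    expected = EXPECTED_BY_EXT.get(ext)
    if expected is None:
        return "unknown-extension"
    actual = sniff_type(data)
    if actual == expected:
        return "ok"
    if actual in EXECUTABLE_KINDS:
        return f"executable-as-image:{actual}"
    return f"mismatch:{actual or 'unrecognized'}"


def is_pe_with_valid_header(data: bytes) -> bool:
    """Stricter PE check: e_lfanew at offset 0x3C must point at 'PE\\0\\0'."""
    if len(data) < 0x40 or not data.startswith(b"MZ"):
        return False
    pe_offset = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def fake_pe_bytes() -> bytes:
    """Constructed minimal PE-shaped blob: MZ stub, e_lfanew=0x40, PE signature."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3E)          # 64-byte DOS header
    stub[0x3C:0x40] = (0x40).to_bytes(4, "little")     # e_lfanew -> right after stub
    return bytes(stub) + b"PE\x00\x00" + b"\x00" * 20


# Constructed downloads standing in for one.jpg / two.jpg from the campaign,
# plus a benign image and an out-of-scope file; no bytes come from real samples.
SAMPLES: Dict[str, bytes] = {
    "one.jpg": fake_pe_bytes(),
    "two.jpg": fake_pe_bytes(),
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 16,
    "notes.txt": b"just text",
}


def triage(samples: Dict[str, bytes]) -> Dict[str, str]:
    """Run the extension-versus-magic check over a batch of downloaded files."""
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:10s} {verdict}")
```

The two-byte MZ check is deliberately loose so that a truncated or padded download still flags; the e_lfanew follow-up is the stricter confirmation to run before calling something a Windows executable, since plenty of non-PE data can happen to start with "MZ".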
The Internet Crime Complaint Center (IC3) – a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C) – reported recently that 992 U.S. victims of the CryptoWall ransomware campaign have incurred losses in excess of $18 million between April 2014 and June 2015.
“Recent IC3 reporting identifies CryptoWall as the most current and significant ransomware threat targeting U.S. individuals and businesses. CryptoWall and its variants have been used actively to target U.S. victims since April 2014,” the IC3 advisory stated.
“The financial impact to victims goes beyond the ransom fee itself, which is typically between $200 and $10,000. Many victims incur additional costs associated with network mitigation, network countermeasures, loss of productivity, legal fees, IT services, and/or the purchase of credit monitoring services for employees or customers.”
Source: http://darkmatters.norsecorp.com/2015/07/06/angler-exploit-kits-cryptowall-3-0-campaign-highly-evasive/