Security Alert: Antivirus Detection Low on New CryptoWall 3.0 Infections
Could you spot the cyber threat in this email? Because your antivirus is not enough
It’s only been 2 months since the latest CryptoWall 3.0 spam campaign, which used Google Drive in a drive-by campaign to abuse vulnerabilities in various popular third-party products and encrypt the victim’s data, holding it hostage for ransom.
Now the cyber criminal group behind it is doing it again: a new spam campaign was released last night, coming from arbitrary email addresses. The malicious payload is delivered via two email attachments.
The malicious email reads as follows:
From: [spoofed / fake return address]
New Fax: ID 37217
If the attached document is opened by an unsuspecting recipient and the macros in the document are activated, the malicious payload connects to a download server from which it retrieves the first phase of a CryptoWall 3.0 infection via http://46.30.43 [.] 146 /666.jpg (sanitized by Heimdal Security).
This component is decrypted in memory, leaving no trace and going undetected by traditional antivirus solutions. It then produces a long list of compromised domains. Here is a small sample of these domains (sanitized by Heimdal Security):
Heimdal has already blocked more than 60 domains which are related to this campaign.
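As an added example (not Heimdal's code), assuming a simple whitespace-separated proxy log format: a Python script that refangs the sanitized indicators quoted in this post and flags matching requests in constructed log lines, also catching the /apN.php gate path on hosts that are not yet on the block list.

```python
import re
from urllib.parse import urlparse

# Indicators as published in this post, in their sanitized ("[.]", spaced "/") form.
SANITIZED_IOCS = [
    "http://46.30.43 [.] 146 /666.jpg",
    "http://eshraqatee [.] com / wp-includes / css / ap1.php",
    "http://evolvingcareers [.] co.uk/images/prettyPhoto/light_square/ap1.php",
]

# Constructed proxy log lines (timestamp, client, method, URL, status); not real traffic.
PROXY_LOG = """\
2015-06-16T09:12:01Z 10.0.0.15 GET http://46.30.43.146/666.jpg 200
2015-06-16T09:12:03Z 10.0.0.15 GET http://eshraqatee.com/wp-includes/css/ap1.php 200
2015-06-16T09:13:10Z 10.0.0.22 GET http://example.org/index.php 200
2015-06-16T09:14:45Z 10.0.0.31 POST http://unrelated-site.net/wp-content/themes/ap4.php 200
2015-06-16T09:15:02Z 10.0.0.15 GET http://example.org/assets/app.js 304
"""

def refang(ioc):
    """Turn a sanitized indicator back into a real URL so it can be compared to log data."""
    return re.sub(r"\s*/\s*", "/", ioc.replace(" [.] ", "."))

def build_matchers(sanitized):
    """Known campaign hosts plus the second-stage gate path pattern seen in the sample."""
    hosts = {urlparse(refang(ioc)).hostname for ioc in sanitized}
    # The post lists gates named ap1.php .. ap5.php on 60+ compromised domains, so the
    # path pattern is matched on any host, not only the hosts already known.
    gate_path = re.compile(r"/ap[1-5]\.php$")
    return hosts, gate_path

def scan_proxy_log(log_text, sanitized=SANITIZED_IOCS):
    """Return (timestamp, client, host, reason) for each request matching an indicator."""
    hosts, gate_path = build_matchers(sanitized)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines rather than crash on a partial write
        ts, client, _method, url, _status = parts[:5]
        u = urlparse(url)
        if u.hostname in hosts:
            hits.append((ts, client, u.hostname, "known campaign host"))
        elif gate_path.search(u.path):
            hits.append((ts, client, u.hostname, "apN.php gate path"))
    return hits

if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print(hit)
```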
We have dedicated an in-depth article to CryptoWall and its subsequent strains, which you may find useful, should you want to explore this subject further.
Just like other CryptoWall 3.0 variants and other second-generation malware, this strain uses deceptive techniques to stay below the radar, resulting in a low antivirus detection rate: 6/56 on VirusTotal.
Click here for the full VirusTotal detection page, showing the detection rates at the moment the campaign was discovered.
Proceed with caution: Ransomware threats ahead!
Because most home users rely exclusively on their antivirus product to protect them from second-generation malware such as CryptoWall 3.0, this week we published an article that highlights the tactics malware creators use to make their infections and infection vectors capable of evading detection. These 10 Reasons Why Your Traditional Antivirus Can’t Detect Second Generation Malware may help you better understand how malware infections happen and, consequently, enable you to get better protection for your PC.
It is also important to mention that elderly persons and other vulnerable groups may become easy targets in spam campaigns such as this one, because they are often unable to identify a spam or phishing email that might carry infected attachments. These vulnerable groups are also more susceptible to social engineering techniques, which cyber criminals frequently use to trick victims into performing certain actions or disclosing confidential information.
Also, keep in mind that the main targeted geographical regions are selected based on revenue, because cyber criminals want to achieve maximum effectiveness with this business:
These ransomware campaigns mainly target victims in relatively rich countries, because users in those countries are the most willing to pay the ransoms, according to statements made on underground forums that host discussions on the effectiveness of ransomware campaigns.
Source: McAfee Labs Threats Report 2015
Companies are not safe from this threat either, especially considering that Chief Information Security Officers around the world are starting to feel worn out by these persistent and frequent ransomware threats. A CryptoWall infection could be especially dangerous, since time to detection can reach up to two days, according to the Cisco Midyear Security Report 2015.
The trends related to ransomware do not paint an optimistic picture. According to the aforementioned McAfee Labs Threats Report 2015:
McAfee Labs has seen a 165% rise in ransomware in Q1 [of 2015], especially with the family CTB-Locker, along with new versions of CryptoWall, TorrentLocker, and spikes of BandarChor.
Moreover, more ransomware strains are surfacing in attacks than last year or ever before:
And, as cyber security researchers constantly warn, ransomware such as CryptoWall 3.0 is dangerous and effective in attaining its malicious purposes due to its capacity to morph and avoid detection by traditional antivirus products.
From the original CryptoWall to the latest release, Version 3, many functions have changed. The malware now exclusively uses Tor for payment, and it communicates in different ways: via hardcoded and obfuscated control server URLs or a peer-to-peer network based on the I2P protocol. Many other ransomware families have used the name CryptoLocker to mislead victims and the security industry. CryptoWall did so as well, but after a time began to use its own name.
Source: McAfee Labs Threats Report 2015
Morten Kjaersgaard, Heimdal Security CEO, recommends using extreme caution:
The situation around Cryptoware is becoming very serious. We see new campaigns rolling out almost daily and end users need to be very alert and use a lot of precaution. Campaigns are delivered in difficult-to-spot spam campaigns, but also from legitimate websites, which serve hackers’ purposes of delivering malware.
The adversary of the everyday user is skilled, focused and commercially oriented. Users will need to be in a higher state of awareness and have increased focus on the security aspects of their PC.
But know this: you are not defenseless against ransomware threats. There are security safeguards you can take in order to protect yourself from ransomware attacks, such as CryptoWall 3.0 spam campaigns, and we put them together in a PDF you can download and keep for future reference: