Our team at Heimdal Security has recently collected and analyzed a new drive-by campaign abusing vulnerabilities in various popular third-party products.

In this campaign, the payload is delivered through the popular Google Drive platform. In the next stage, the payload downloads and runs CryptoWall from a long list of compromised webpages.


How the new CryptoWall 3.0 campaign uses Google Drive as an infection vector

On these compromised web pages, several malicious scripts force the user to a narrow selection of dedicated domains used in the campaign (more than 80 active domains). These domains makes use of a commercial exploit kit known as RIG, which will try to abuse vulnerabilities in JavaJRE, Adobe Reader, IE and Flash Player.

If the victim’s system is not fully updated with the latest version of the software mentioned above, the RIG exploit kit will drop a file that contacts a series of predefined Google drive URLs (sanitized by Heimdal Security): [.] com / uc? export = download & id = 0B0VtiEw2UiuBQm1XcVZ3SXhwdlk [.] com / uc? export = download & id = 0B0VtiEw2UiuBQnVhbFR0NXhSa2s [.] com / uc? export = download & id = 0B0VtiEw2UiuBR2ZvZkJRWHprNk0 [.] com / uc? export = download & id = 0B0VtiEw2UiuBRE1KZGNUYkpWb1U [.] com / uc? export = download & id = 0B0VtiEw2UiuBSFNURHVhal8zV2s [.] com / uc? export = download & id = 0B0VtiEw2UiuBUFh4X20xZU5sclE [.] com / uc? export = download & id = 0B0VtiEw2UiuBVDJ3d1FEbFdRSEk [.] com / uc? export = download & id = 0B0VtiEw2UiuBc2NoVFgtNnlhNk0 [.] com / uc? export = download & id = 0B0VtiEw2UiuBcHUxd0toanNBNVE [.] com / uc? export = download & id = 0B0VtiEw2UiuBdFZzSUxad2I2aWM

The Google drive URLs dropper ( -> my_resume_pdf_id-4535-4553-293.scr) is executed, and then it connects to a series of compromised web pages, where the main component “Cryptowall3” is downloaded and run.

Here is a small selection of the web pages that are used to deliver Cryptowall3 (sanitized by Heimdal Security):

http://furnishingsuk [.] com / wp-includes / certificates / e2.php
http://getstarstar [.] com / wp-content / plugins / e5.php
http://golivedj [.] net / wp-includes / js / TinyMCE / plugins / e2.php
http://henleybond [.] com / wp-includes / js / TinyMCE / plugins / e1.php
http://izzhoga [.] su / css / e5.php
http://mccollougharchitecture [.] com / wp-content / uploads / 2014/04 / e2.php

A total of 45 compromised websites are used as delivery platforms.

When the file is unarchived, it provides the user with a PDF file called “my_resume_pdf_id-4523-4535-293”. So when Cryptowall3 has settled, it first creates a mutex – “ShimCacheMutex” – after which the code injector in “dwwin.exe” spawns a command “C: \ WINDOWS \ system32 \ drwtsn32 -p 192 -e 168 g.”

In the last phase of the infection, CryptoWall encrypts a variety of data files on the local hard drive and available network drives with a RSA2048 key. The communication then takes place via TOR gateways.

Here are 2 screenshots of the indications that the user receives once his/her data has been encrypted:

cryptowall google drive security alert (1)

cryptowall google drive security alert (2)

Antivirus detection is low and this campaign, which is deftly released and goes undetected past most endpoint security solutions because of its delivery method.

Heimdal will ensure that these super critical third party programs (JavaJRE, Adobe Reader, IE and Flash Player) are continuously updated at all times, shielding users from Zero Day threats and advanced malware attacks. All the 45 websites used as ransomware delivery platforms have already been blocked in the Heimdal Secure DNS.


CryptoWall 3.0 revisited

CryptoWall is a highly advanced type of malware, a variant of last year’s CryptoLocker, which was taken down by a number of security companies and state agencies across the world during Operation Tovar, which Heimdal Security was also a part of.

However, CryptoWall 3.0 appeared 6 months ago, at the beginning of 2015, and has been dispersed in at least 3 strong campaigns since.

At least two factors make CryptoWall 3.0 especially dangerous:

  • Its polymorphic nature
  • The advanced and extensive infrastructure that can evade detection and take-down attempts.

We have dedicated an entire article to CryptoWall, which we recommend reading to understand its specific methods and the consequences it brings.


The RIG exploit kit

RIG was the most prevalent exploit kit used in 2014 by cyber criminals, accounting for 25% of all exploit kits used, according to the 2015 Trustwave Global Security Report.

most prevalent exploit kits in 2014

The low price for use of the RIG exploit kit likely contributed to its popularity in 2014. RIG rental sent criminals back only $150 a week compared to, for example, $750 a week for Neutrino (last on the list in terms of prevalence.


This is what the RIG infrastructure looks like as depicted in the 2015 Trustwave Global Security Report:

RIG infrastructure


How drive-by malware campaigns work

In the case of a drive-by malware attack, a user that is browsing a compromised website is redirected to another website, controlled by cyber criminals.

The unique purpose of this last website is to attempt to exploit the software vulnerabilities in the user’s system in order to install malware.

Drive-by attacks can also happen while viewing an email or if the user clicks on a deceptive pop-up window on a website.


How to protect yourself from CryptoWall 3.0 and the RIG exploit kit

  • Be very careful about which online destionation you access, whether they’re websites or popular services such as Google Drive, which is being used in this particular CryptoWall campaign.
  • Never click on links in e-mails received from people you don’t know. This is one of the preferred delivery methods for ransomware and malware of all kinds.
  • Always keep a backup of your most important data, both in the cloud and on a physical device, but not on the device you currently use. If a CryptoWall is successful, then you would lose access to all your data. Check out the backup guide we put together for you.
  • Check if your security solution is able to detect and block CryptoWall. Most antivirus solutions can’t spot this type of ransomware and you can be vulnerable. We recommend using next-generation anti-hacking tools on top of your AV product for enhanced protection.
  • Since most infections are usually delivered through your browser, upgrade your security settings for secure online browsing.
  • Always keep your OS and software up to date! Adobe Flash has had two major security vulnerabilities in the past 2 weeks. And they’re not alone. These security holes in software are easily exploited by experienced cyber criminals such as the ones behind this CryptoWall campaign, which is why we urge you to always install the latest security patches!
  • Learn more about ransomware and take these 9 steps to protect your data against it.

Ransomware Explained. What It Is and How It Works

Here Are the Free Ransomware Decryption Tools You Need to Use

The Anti-Ransomware Protection Plan You Need to Follow Today


Leave a Reply

Your email address will not be published. Required fields are marked *