As expected, it didn’t take long for one of the most popular exploit kits, Angler, to start spreading the latest iteration of Cryptowall ransomware.
A drive-by campaign that uses a one-two punch to drop Cryptowall 4.0 has been observed in the wild this week, according to researchers at Heimdal Security.
First, the password stealing malware Pony is dropped onto a system. After forwarding any sensitive site usernames and passwords along to command and control servers, the malware injects malicious script on those websites.
“The purpose of this action is to abuse legitimate access credentials to web servers and CMS [content management systems] used by websites, and to inject the malicious script in these websites so that the campaign achieves the largest possible distribution,” Andra Zaharia of Heimdal wrote Wednesday.
From there, the victim is redirected from the legitimate site to a compromised site that drops Angler. Assuming it’s able to find a vulnerability on the system, Angler then exploits it and “force-feeds” the system Cryptowall 4.0.
The latest version of Cryptowall has barely been on the scene a month. The malware encrypts data on victims machines, but also filenames, something that makes it much trickier to recover them without paying the ransom.
Zaharia claims Heimdal has blocked more than 200 domains this week alone – many of which stem from a fairly stealthy bulletproof host in Ukraine – that attackers are using to propagate the ransomware.
Last week, a handler with the SANS Internet Storm Center noticed an attacker peddling the ransomware through the Nuclear Exploit Kit, the first time. the ransomware was moved via one of these tools.
The handler, Brad Duncan, who also works as a security engineer for Rackspace, said he didn’t expect Nuclear to be the only exploit kit to distribute Cryptowall 4.0 for long. It turns out attackers only needed an extra week to use Angler to redirect would-be victims to the ransomware.