Signed Cryptowall distributed via drive-by download advertising campaign

The Dell SonicWALL Threats Research team observed reports of a CryptoWall bot family, detected as GAV: Cryptowall.I, actively spreading in the wild. This is a new variant of the popular CryptoLocker ransomware; it is digitally signed and is distributed via an advertising campaign on several top-ranked Alexa web sites.

The malware is typically spread through a couple of vectors, such as exploit kits and spam campaigns carrying malicious attachments. This most recent campaign involves a series of popular sites serving malicious ads that infect visiting machines with CryptoWall.

Infection Cycle:

MD5: ba92a58928b82ba662e7abb4ff4014a9

The Trojan adds the following files to the system:

C:\5832454\5832454.exe [Executable file]

%Appdata%\5832454.exe [Executable file]

The Trojan adds the following keys to the Windows registry to ensure persistence upon reboot:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\5832454

C:\Documents and Settings\Administrator\Application Data\5832454.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\583245

C:\5832454\5832454.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData

C:\Documents and Settings\Administrator\Application Data

The Trojan enables SeDebugPrivilege for thread injection and uses an injected Svchost.exe to set the %Appdata% value in the Windows registry.

The CryptoWall sample is digitally signed and timestamped by the DigiCert Timestamp Responder; the signature shows it was signed on a Sunday, as shown below:

Hopefully the issuer revoked the certificate after the malware was identified on Sunday.
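The persistence and code-signing observations above can be turned into a host-side hunting check. The script below is an added example written for this page; it is not SonicWall's code or part of the advisory. It assumes PowerShell 4.0 or later on a Windows host, is run in the context of the user whose HKCU hive should be inspected, and uses the sample MD5 from the advisory; the function names and the heuristics (numeric value names, executables directly under %AppData% or in a numeric folder at the drive root, matching the advisory's indicators) are this example's own choices. It enumerates HKCU Run entries, flags those matching the indicators, and reports each flagged binary's Authenticode status, signer, timestamp countersigner and an online revocation check of the signer chain, so a certificate revoked after the fact is surfaced even if the file's signature still parses as valid.

```powershell
# Added hunting script; not part of the SonicWall advisory or its product.
# Assumptions: PowerShell 4.0+ on Windows, run as the user whose HKCU hive is inspected.
$KnownBadMd5 = 'ba92a58928b82ba662e7abb4ff4014a9'   # sample hash from the advisory

function Get-RunKeyEntries {
    # Enumerate HKCU Run values (the persistence key this sample writes to).
    $key = Get-Item -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if (-not $key) { return }
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{ Name = $name; Command = [string]$key.GetValue($name) }
    }
}

function Resolve-CommandPath {
    param([string]$Command)
    # Strip surrounding quotes and trailing arguments, then expand %AppData%-style variables.
    $exe = $Command.Trim()
    if ($exe.StartsWith('"')) { $exe = $exe.Split('"')[1] } else { $exe = ($exe -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-RunEntryIndicators {
    param([string]$Name, [string]$Path)
    # Heuristics derived from the advisory's file and registry indicators (example's own choice).
    $hits = @()
    if ($Name -match '^\d+$') { $hits += 'numeric value name' }
    $appData = [Environment]::GetFolderPath('ApplicationData')
    if ((Split-Path $Path -Parent) -ieq $appData -and $Path -like '*.exe') { $hits += 'exe directly in %AppData%' }
    if ($Path -match '^[A-Za-z]:\\\d+\\[^\\]+\.exe$') { $hits += 'exe in numeric folder at drive root' }
    if (Test-Path -LiteralPath $Path) {
        $md5 = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
        if ($md5 -ieq $KnownBadMd5) { $hits += "MD5 matches known sample $KnownBadMd5" }
    } else {
        $hits += 'target file missing'
    }
    return $hits
}

function Test-SignerRevocation {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Build the chain with online revocation checking so a signer revoked after the
    # malware was identified is reported even when the file's signature still parses.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $null = $chain.Build($Cert)
    $statuses = $chain.ChainStatus | ForEach-Object { $_.Status }
    if (-not $statuses) { return 'NoError' }
    return ($statuses -join ',')
}

function Get-SignatureReport {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    $stamper = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { '(no timestamp)' }
    $chainStatus = if ($sig.SignerCertificate) { Test-SignerRevocation $sig.SignerCertificate } else { 'n/a' }
    return [pscustomobject]@{
        Status      = $sig.Status
        Signer      = $signer
        Timestamp   = $stamper
        ChainStatus = $chainStatus
    }
}

# Walk every Run entry and print the ones carrying indicators, with signature details.
foreach ($entry in Get-RunKeyEntries) {
    $path = Resolve-CommandPath $entry.Command
    $indicators = Get-RunEntryIndicators -Name $entry.Name -Path $path
    if ($indicators.Count -eq 0) { continue }
    Write-Output "[$($entry.Name)] $path"
    Write-Output "  indicators : $($indicators -join '; ')"
    $report = Get-SignatureReport $path
    if ($report) {
        Write-Output "  signature  : $($report.Status) by $($report.Signer)"
        Write-Output "  timestamp  : $($report.Timestamp)"
        Write-Output "  chain      : $($report.ChainStatus)"
    }
}
```

A valid Authenticode signature is not a clean bill of health: a signed sample like this one passes `Get-AuthenticodeSignature` until the issuer revokes the certificate, which is why the chain is rebuilt with online revocation checking rather than relying on the `Status` field alone. The HKLM Run key and the other autostart locations can be added to `Get-RunKeyEntries` in the same way for a fuller sweep.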

After the malware has encrypted all of the victim's personal documents and files, it displays the following web page:

Command and Control (C&C) Traffic

CryptoWall conducts its C&C communication over port 80. Requests to statically defined IPs/domains are made on a regular basis, such as the following:

Drive-by Download advertising campaign

Drive-by downloads of the malware were detected as coming from the following websites:

  • hindustantimes[.]com
  • bollywoodhungama[.]com
  • one[.]co[.]il
  • codingforums[.]com
  • mawdoo[.]com

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • Cryptowall.I