New wave of Cryptowall ransomware attacks

BitDefender UK: 10 March 2015 (Technical Article)
Bitdefender uncovers new distribution mechanism for the Cryptowall ransomware through spam campaign

Bitdefender has warned that a new spam wave has hit hundreds of mailboxes with malicious .chm attachments to spread the infamous Cryptowall ransomware.

Cryptowall is an advanced version of Cryptolocker, a file-encrypting ransomware known for disguising its payload as a non-threatening application or file. Once run, the payload encrypts the files on the infected computer and demands payment for the decryption key.

Malware researchers from Bitdefender Labs found that the email blast, which took place in February, targeted users from around the world, including the UK, the US, the Netherlands, Denmark, Sweden, Slovakia and Australia. Following analysis, the spam servers appear to be located in Vietnam, India, Australia, the US, Romania and Spain.

“Interestingly, in this instance, hackers have resorted to a less fashionable yet highly effective trick to automatically execute malware on a victim’s machine and encrypt its contents – malicious .chm attachments,” states Catalin Cosoi, Chief Security Strategist at Bitdefender.

Catalin Cosoi adds, “Chm is an extension for the Compiled HTML file format, a type of file used to deliver user manuals along with software applications. These CHM files are highly interactive and run a series of technologies including JavaScript, which can redirect a user toward an external URL after simply opening the CHM. Attackers began exploiting CHM files to automatically run malicious payloads once the file is accessed. It makes perfect sense: the less user interaction, the greater the chances of infection.”

In the CHM format, HTML files are compressed and delivered as a single binary file with the .chm extension. Such a file is made up of compressed HTML documents, images and JavaScript files, along with a hyperlinked table of contents, an index and full-text search. In this campaign, the lure is a fake incoming fax report email that claims to come from a machine in the user's own domain. Bitdefender Labs believes the aim of this approach is to target employees of different organisations in order to infiltrate company networks.

Once the content of the .chm archive is opened, the embedded code downloads the payload from http://*********/putty.exe (address redacted), saves it as %temp%natmasla2.exe and executes it. A command prompt window opens during the process.
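The chain above (help viewer opens the CHM, a command prompt appears, an executable is dropped into %temp% and run) leaves a recognisable process lineage on the endpoint. The following is an added detection example, not Bitdefender's code or tooling: it assumes process-creation records with parent/child PIDs (as an EDR or Sysmon Event ID 1 feed would provide), uses the fact that hh.exe is the Windows CHM viewer, and runs over constructed sample events, not logs from the campaign.

```python
import ntpath

# Constructed process-creation events (pid, ppid, image path). Illustrative
# records only; the paths, PIDs and user name are made up for this example.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\hh.exe"},                 # user opens the .chm lure
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},       # the command prompt that appears
    {"pid": 400, "ppid": 300, "image": r"C:\Users\alice\AppData\Local\Temp\natmasla2.exe"},  # dropped payload
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe"},   # unrelated, benign
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\hh.exe"},                 # benign help file, spawns nothing
]

# Directories from which a freshly downloaded payload is typically executed.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def ancestors(event_by_pid, pid):
    """Yield the image paths of pid's ancestors, nearest parent first."""
    seen = set()
    ppid = event_by_pid[pid]["ppid"]
    while ppid in event_by_pid and ppid not in seen:   # stop at unknown root or on a PID cycle
        seen.add(ppid)
        yield event_by_pid[ppid]["image"]
        ppid = event_by_pid[ppid]["ppid"]


def detect_chm_launch_chain(events):
    """Return (pid, reason) tuples for processes that descend from the CHM viewer.

    Two conditions are flagged: hh.exe directly spawning any process (a help
    file should not launch programs), and any executable run from a temp
    directory anywhere below an hh.exe ancestor.
    """
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = ntpath.basename(e["image"]).lower()
        lineage = [ntpath.basename(a).lower() for a in ancestors(by_pid, e["pid"])]
        if "hh.exe" not in lineage:
            continue
        if lineage[0] == "hh.exe":
            alerts.append((e["pid"], f"hh.exe spawned {name}: CHM viewer launched a child process"))
        if any(marker in e["image"].lower() for marker in TEMP_MARKERS):
            alerts.append((e["pid"], f"{name} executed from a temp directory under an hh.exe lineage"))
    return alerts


if __name__ == "__main__":
    for pid, reason in detect_chm_launch_chain(EVENTS):
        print(pid, reason)
```

On the sample events this flags pid 300 (cmd.exe started by hh.exe) and pid 400 (the %temp% executable), while the benign notepad.exe and the second, childless hh.exe produce nothing.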

Ransomware is one of the most challenging breeds of malware, especially for security companies, which are forced to build increasingly aggressive heuristics to ensure that users' data stays intact and private.

Bitdefender detects the malware as Trojan.GenericKD.2170937, and its researchers have made a list of recommendations to prevent Cryptowall infections, including keeping a copy of the data on external drives. To add extra protection, Bitdefender has also developed the Cryptowall Immuniser tool, allowing users to block any file encryption attempt before it happens. Bitdefender recommends users keep their antivirus solution always on and use this tool as an additional layer of protection.
