
SANS Internet Storm Center, InfoCON: green: Increase in CryptoWall 3.0 from malicious spam and Angler exploit kit, (Thu, Jun 11th)


Introduction

Since Monday 2015-05-25 (a bit more than 2 weeks ago), we've seen a significant amount of CryptoWall 3.0 ransomware from malicious spam (malspam) and the Angler exploit kit (EK).

A malspam campaign pushing CryptoWall 3.0 started as early as Monday 2015-05-25, but it has increased significantly since Monday 2015-06-08. The CryptoWall 3.0 push from Angler EK appears to have started around the same time. Both campaigns (malspam and Angler EK) were active as recently as Wednesday 2015-06-10.

The timing of these campaigns indicates they might be related and possibly initiated by the same actor.

[Image]
Shown above: Path 1 shows the infection chain.

CryptoWall 3.0 from malspam

This campaign has been using Yahoo email addresses to send the malspam. So far, all the attachments have been named my_resume.zip. During the first week of this campaign, the files extracted from the zip attachments were all HTML files named my_resume.svg. At that time, the CryptoWall 3.0 ransomware was downloaded from a compromised server. This week, the extracted HTML file names use random numbers, with names like resume4210.html or resume9647.html. Furthermore, the CryptoWall is now hosted on various docs.google.com URLs.

Opening the attachment and extracting the malicious file gives you an HTML document.

[Image: the extracted HTML document]

Here are some of the URLs from the unzipped HTML files:

[Image: URLs from the unzipped HTML files]

If you open one of these HTML files, your browser will generate traffic to a compromised server. The return traffic is gzip compressed, so you won't see it in the TCP stream from Wireshark. Exporting the text from Wireshark shows the decompressed content:

[Image: exported text from Wireshark]

Here are some of the docs.google.com URLs we saw from the traffic on Wednesday:

(https) docs.google.com - GET /uc?export=download

Examining the traffic in Wireshark, you'll see a chain of events.

[Image]
Shown above: Wireshark display of the traffic.

Run the downloaded malware on a Windows host, and you'll find traffic that's typical for CryptoWall 3.0. The bitcoin address for ransom payment by this malware sample is 16REtGSobiQZoprFnXZBR2mSWvRyUSJ3ag. It's the same bitcoin address from a previous sample found on Thursday 2015-06-04, when we were first notified of this particular malspam [1]. We also saw the same bitcoin address used on Tuesday 2015-06-09 [2], associated with another sample.

[Image]
Shown above: Decrypt instructions from the infected host.

CryptoWall 3.0 from Angler EK

We first noticed Angler EK pushing CryptoWall 3.0 on Tuesday 2015-05-26 [3]. I posted a diary about it on Thursday 2015-05-28 [4]. This was the first time I'd seen version 3.0 of CryptoWall sent by Angler.

My last documented instance of Angler EK sending CryptoWall 3.0 happened on Tuesday 2015-06-09 [5]. We're still seeing examples of it. In each case I've documented, the bitcoin address for the ransom payment was the same.

Angler EK is still being used by other groups to send different malware payloads. However, the appearance of CryptoWall 3.0 in Angler since 2015-06-26 using the same bitcoin address indicates this is a separate campaign by a specific actor.

This week, compromised websites that redirected to Angler had code injected into their web pages, much like the example shown below.

[Image: injected code in a compromised web page]

A fellow security professional notified me this is a common injection technique used on WordPress sites that have been compromised.

The image below shows the 2015-06-09 traffic.

[Image]
Shown above: Wireshark display on Angler EK and the post-infection traffic by CryptoWall 3.0.
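As an added example (not code from the original diary), the following Python decodes a gzip-compressed HTTP response like the one the compromised server returns in this campaign and pulls the docs.google.com download URL out of the body; the response bytes and the file id are constructed placeholders, not captured traffic.

```python
import gzip
import re

# Constructed sample (not captured traffic): an HTTP/1.1 response like the one
# the compromised server returned to the malspam HTML page. The body is
# gzip-compressed, so the docs.google.com URL is invisible in the raw TCP
# stream. The id value is a placeholder, not a real Google Docs file id.
PAGE_HTML = (
    b"<html><head>"
    b'<meta http-equiv="refresh" content="0; url='
    b'https://docs.google.com/uc?export=download&id=PLACEHOLDER_FILE_ID">'
    b"</head><body>loading...</body></html>"
)
COMPRESSED_BODY = gzip.compress(PAGE_HTML, mtime=0)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\n"
    f"Content-Length: {len(COMPRESSED_BODY)}\r\n\r\n"
).encode() + COMPRESSED_BODY

# URL pattern seen in this campaign: a docs.google.com direct-download link.
DOCS_DOWNLOAD_RE = re.compile(
    rb"https?://docs\.google\.com/uc\?export=download[^\s\"'<>]*"
)


def split_response(raw: bytes):
    """Split a raw HTTP response into (lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body


def decode_body(raw: bytes) -> bytes:
    """Return the response body, gunzipped if Content-Encoding says gzip."""
    headers, body = split_response(raw)
    if headers.get("content-encoding", "").lower() == "gzip":
        return gzip.decompress(body)
    return body


def find_docs_download_urls(raw: bytes) -> list:
    """List docs.google.com download URLs hidden in a (possibly gzipped) response."""
    return [m.decode() for m in DOCS_DOWNLOAD_RE.findall(decode_body(raw))]


if __name__ == "__main__":
    print("raw stream match:", DOCS_DOWNLOAD_RE.search(SAMPLE_RESPONSE))  # None
    print("decoded:", find_docs_download_urls(SAMPLE_RESPONSE))
```

The same decode step applies to any capture where the redirect is hidden behind Content-Encoding: gzip; the regex is the only campaign-specific part.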

Final Words

The timing of these two campaigns, along with their consistent use of the same bitcoin addresses for the ransom payment, suggests they are related. They may have been initiated by the same actor. This is a significant trend in our current threat landscape. We will continue to monitor this activity and report any significant changes in the situation.

Update - Thursday 2015-06-11 at 01:13 UTC

I generated more Angler EK traffic on 2015-06-11 at 00:09 UTC. This time, I got a sample using a different bitcoin address than I'd seen from previous Angler-based CryptoWall 3.0 payloads. This bitcoin address, 12LE1yNak3ZuNTLa95KYR2CQSKb6rZnELb, began transactions during the same timeframe as other samples associated with this campaign.

At this point, I'm not 100 percent certain it's the same actor behind all this CryptoWall 3.0 we've been seeing lately. However, my gut feeling tells me this activity is all related to the same actor or group. The timing is too much of a coincidence.

Traffic and the associated malware can be found at:

The zip file is protected with the standard password. If you don't know it, email admin@malware-traffic-analysis.net and ask.

---
Brad Duncan
ISC Handler and Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] http://malware-traffic-analysis.net/2015/06/04/index.html
[2] http://malware-traffic-analysis.net/2015/06/09/index2.html
[3] http://malware-traffic-analysis.net/2015/05/26/index.html
[4] https://isc.sans.edu/diary/Angler+exploit+kit+pushing+CryptoWall+30/19737
[5] http://malware-traffic-analysis.net/2015/06/09/index.html

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
