A look inside your typical malware campaign.In an optimal scenario, when you get infected with malware, you think it’s only one virus. Unfortunately, in the real world it’s not so, and security analysts from Heimdal Security have unveiled details about a malware campaign that starts with infostealers, goes through exploit kits, and finishes with computers being locked down with ransomware.
The whole nightmare scenario begins when users are infected with the Pony infostealer, a malware strand specialized in discovering and stealing user credentials. These can be local computer or network authentication logins, FTP credentials, or the various user & password combos stored inside your browsers.
Using FTP details exfiltrated using Pony, the criminals behind this campaign are accessing the victims’ online websites, and injecting malicious code in key files.
This malicious code secretly redirects all that website’s users to a malicious page where an exploit kit is hosted. Exploit kits, or crimekits, will perform a series of checks on all users that land on their page, and detect any vulnerable software.
Final payload: CryptoWall 4.0 ransomware
Since the Angler exploit kit is detected in this campaign, if the user has vulnerable Flash, Java, or Microsoft software installed, he will get infected with other types of malware, and in this case, the CryptoWall 4.0 ransomware.
This is where the campaign ends, and where criminals start making money, with most of the users ending up by paying the ransom to recover their files.
“Not even a month has passed since we announced the advent of CryptoWall 4.0 and its improved communication and capabilities and it’s already being used in campaigns,” Heimdal Security’s Andra Zaharia notes. “Attackers move fast, they are resourceful, they understand market trends and are able to capitalize on zero days and other vulnerabilities.”
According to Heimdal Security’s investigation, most of the exploit kits are hosted on a series of pages tied to six major domains, all hosted on the infrastructure of a Ukrainian Web hosting provider, known to ignore takedown requests.