Signed Cryptowall distributed via drive-by download advertising campaign
The Dell Sonicwall Threats Research team observed reports of a Cryptowall bot family named GAV: Cryptowall.I actively spreading in the wild. This is the new Variant of Popular CryptoLocker Ransomware which is digitally signed and distributed via advertising campaign on several top ranked Alexa Web sites.
The Malware typically is spread through a couple of vectors such as exploit kits and spam campaigns that include malicious attachments. This most recent campaign involves a series of popular sites that are serving malicious ads that infect machines with CryptoWall.
The Trojan adds the following files to the system:
C:58324545832454.exe [Executable file]
%Appdata%5832454.exe [Executable file]
The Trojan adds the following keys to the Windows registry to ensure persistence upon reboot:
C:Documents and SettingsAdministratorApplication Data5832454.exe
C:Documents and SettingsAdministratorApplication Data
The Trojan it has SeDebugPrivilege Enabled for Thread injection and uses Injected Svchost.exe to set %Appdata% value in the Windows Registry.
The CryptoWall is signed by DigiCert Timestamp Responder, the signature show it was signed on Sunday as you can see on following:
Hopefully the issuer revoked the Certificate after malware was identified on Sunday.
After malware encrypted all your personal documents and files its shows you following web page:
Command and Control (C&C) Traffic
CryptoWall has the C&C communication over port 80. Uses requests to statically defined IP/Domains are made on a regular basis. These requests such as the following:
Drive-by Download advertising campaign
The Malware uses Drive-by downloads were detected as coming from following websites:
SonicWALL Gateway AntiVirus provides protection against this threat via the following signature: