Poison résumé attack gives ransomware a gig on the desktop

Multiple rival researchers warn of Cryptowall delivery ruse targeting employers

Security researchers are focussing their crosshairs on what appears to be high-volume spam and exploit campaigns to deliver the latest iteration of the Cryptowall ransomware.

Boffins from the SANS Institute, Cisco, and MalwareBytes have identified a dangerous if goofy spam campaign slinging the nasty ransomware masquerading as file attachment bearing a résumé.

SANS handler Brad Duncan says the two campaigns to foist Cryptowall 3.0, also known as Croti, appear to be the handiwork of one attacker.

Duncan says "… we've seen a significant amount of Cryptowall 3.0 ransomware from malicious spam and the Angler exploit kit [and] it has increased significantly."

"The CryptoWall 3.0 push from Angler exploit kit appears to have started around the same time.

"The timing of these campaigns indicates they might be related and possibly initiated by the same actor."

Duncan says the campaign has ramped up over the last two weeks and is still active as of the time of writing.

It is the first time version three of the scumware has been paired with Angler.

Cryptowall is being cloaked under the file name my_resume.zip and has been sent from Yahoo email addresses. The extracted files are screen savers that, when executed, download Cryptowall from compromised servers.

New variants include filenames of resume4210.html and resume9647.html and point to Google Docs servers.

Cisco security bod Nick Biasini says the ransomware is using clever obfuscation techniques to trick users.

"[Analysis] showed that a large number of users that received the email were seen attempting to download the file from the compromised WordPress site," Biasini says.

"These attacks are successful because these types of emails are seen legitimately as well. If they happen to reach someone who is in the process of hiring or evaluating candidates they are likely to open the attachments and follow the process."

MalwareBytes researcher Jerome Segura found the ransomware being foisted through the PopCash advertising network which serves some 180 million hits a month.

The malware analyst found Cryptowall is being foisted through the Magnitude exploit kit, specifically by way of an Adobe Flash exploit (CVE-2015-3090, CVE-2014-6332, CVE-2013-2551) within Microsoft Internet Explorer.

In most instances the ransomware demands payments of $500 in Bitcoin.

Many organisations opt to pay the ransoms to avoid hassle and data loss but Segura points out that paying up shores criminals' business model. "Paying the ransom as a desperate measure to get those important files can be understood but it also keeps this underground economy flourishing," he says. ®

Similar topics

Other stories you might like

Biting the hand that feeds IT © 1998–2021