New Drive-By Campaign Uses the Angler Exploit Kit to Push the Dreaded CryptoWall 4.0 Ransomware
A new series of drive-by campaigns that use the Angler exploit kit to deliver the most infamous ransomware of them all, CryptoWall, has been discovered.
A team of security researchers at Heimdal Security has uncovered a new batch of malicious drive-by campaigns. The new strain spreads the Angler exploit kit by injecting malicious code into targeted web pages. The researchers stress the destructive potential of the campaigns, citing both the breadth of the malware authors' objectives and the attack mechanisms used.
The complete account of the discovery is published by Heimdal Security.
If the campaign is effective, the malware could potentially infect a large number of PCs with the latest variant of the CryptoWall ransomware – CryptoWall 4.0.
The Malware Campaign
The campaign begins when a bundle of malware is installed on a compromised PC. The initial payload contains Pony, a credential stealer that harvests every valid credential it can find on the infected machine. This data is then relayed to several C&C (Command and Control) servers set up by the attackers.
The stolen credentials are then used to log in to web servers and systems behind legitimate websites, into which the malicious script is injected directly. Distributing the redirect through compromised web servers rather than through spam or malvertising sharply increases the potential reach of the campaign, because every visitor to an infected site becomes a candidate victim.
The second phase of the infection is the drive-by itself. A visitor's connection is redirected from the compromised legitimate website to a group of malicious domains that serve the Angler exploit kit.
The kit then probes the visitor's machine for vulnerabilities in third-party software and Windows components, effectively checking whether the system has been kept up to date. Once it finds an exploitable weakness, Angler exploits it and drops CryptoWall 4.0 onto the targeted system.
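The first visible artifact of this chain, from a site owner's point of view, is an injected `<script>` or `<iframe>` on a legitimate page that points to a domain the site never referenced before. The following is an added example, not code from the article or from Heimdal Security: it parses a page's HTML and flags any script or iframe source whose host is not on a per-site allowlist. The allowlist, the page URL and the sample HTML (including the `.invalid` redirector host and the TEST-NET address) are constructed for the example.

```python
"""Flag <script>/<iframe> sources on a page that point outside an allowlist.

Added example illustrating the injection step of the campaign described
above: a compromised legitimate page redirects visitors to attacker-controlled
domains via an injected script or hidden iframe. Hostnames, the allowlist and
the sample page below are constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads content from (assumption for the example).
ALLOWED_HOSTS = {"www.example.com", "cdn.example.com"}

# Constructed sample: a legitimate page with two injected elements at the end.
SAMPLE_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
</head><body>
<p>Legitimate content</p>
<!-- injected by attacker (constructed sample, not a real indicator) -->
<iframe src="//redirector.invalid/gate.php" width="1" height="1" style="display:none"></iframe>
<script src="http://198.51.100.7/ek.js"></script>
</body></html>"""


class _SrcCollector(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []  # list of (tag, src)

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append((tag, value))


def find_untrusted_sources(html, page_url, allowed_hosts=ALLOWED_HOSTS):
    """Return (tag, src) pairs whose host is not allow-listed.

    Relative URLs resolve to the page's own host. Protocol-relative URLs
    ('//host/path') and absolute URLs are judged by their hostname, so a
    redirector hidden behind a scheme-less src is still caught.
    """
    parser = _SrcCollector()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    untrusted = []
    for tag, src in parser.sources:
        host = urlparse(src, scheme="https").hostname or page_host
        if host not in allowed_hosts:
            untrusted.append((tag, src))
    return untrusted


if __name__ == "__main__":
    for tag, src in find_untrusted_sources(SAMPLE_PAGE, "https://www.example.com/index.html"):
        print(f"untrusted {tag} source: {src}")
```

Run against a page fetched from your own server on a schedule and diff the result against the previous run; a new external host appearing in `<script>` or `<iframe>` sources is exactly the kind of change a campaign like this one introduces. The allowlist should be built from a known-good copy of the site, not from the live page you are checking.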
Researchers have traced the campaign to a hosting service in Ukraine that has proven hard to take down. Over 100 web pages in Denmark are already compromised and serving the kit, and the campaign reaches beyond Europe as well.
To protect your Windows PC from this malware strain, here are a few pointers:
- Always keep your system updated. Always. This includes browsers and third-party software, since those are what the exploit kit probes for unpatched vulnerabilities.
- Back up important data and your OS frequently, and keep at least one copy offline so that ransomware cannot reach it.
- Stay away from untrustworthy websites, while keeping in mind that this campaign spreads through legitimate sites that have been compromised.
- Email remains one of the most effective ways of spreading malware. Avoid spam and ignore suspicious emails from unknown senders.
- Most important of all, be doubly sure about any compressed file or executable you are about to open.