CryptoWall infection does not halt click-fraud activity

Jun 26, 2015 12:50 GMT  ·  By

Threats that security experts consider a low priority can quickly turn into a serious cause for concern, because they can be the starting point of a more elaborate cybercriminal operation, researchers have found.

The pattern was observed when click-fraud malware, generally regarded as a low-level threat, escalated into a ransomware incident involving the CryptoWall file-encrypting tool.

Rerdom Trojan delivered to victim's computer

Security researchers at Damballa noticed the chain of events while investigating an incident on a customer's network caused by a threat actor they call RuthlessTreeMafia, which initially ran an operation to defraud "pay-per-click" advertisers.

According to a report published today by the company, the cybercriminals rely on the Asprox botnet to deliver the initial payload, although exploit kits are also employed. Access to the victim's system is then sold on to other threat actors.

Damballa detonated the RuthlessTreeMafia sample on a system of their own and monitored the infection chain, which showed clear evidence of a click-fraud campaign and ended with the delivery of CryptoWall.

“The RuthlessTreeMafia threat operators use a fast-flux infrastructure to deliver the Rerdom click-fraud malware to victims. This Trojan utilizes a combination of downloader, information stealer, rootkit and search redirector with pop-up ads to obtain additional revenue for the criminal command and control (C&C) organization,” the researchers say in the report.

Threat makes DNS queries to sites in Russia

After the initial download, the malware makes multiple DNS queries for websites in Russia until one resolves, to emptyarray[.]ru. In the following 40 minutes, Damballa's automated analysis system saw more than 900 connections to different domain names and identified several distinct threat groups, almost all of them engaged in the click-fraud business.
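The behaviour described above (a run of failed lookups for Russian domains that ends when one finally resolves, followed by hundreds of distinct domains contacted within the hour) is exactly what a passive DNS log on the network egress will show. The following is an added example of a detection heuristic over such a log; it is not Damballa's tooling and nothing from the report. The log format, the two thresholds, the client addresses and the ad domain names are constructed for the illustration; only emptyarray[.]ru is taken from the text.

```python
"""Two DNS signals for the infection chain described in the article (added example).

Signal 1: a client makes several consecutive failed lookups (NXDOMAIN/SERVFAIL)
          and then gets a successful answer, i.e. "query until one resolves".
Signal 2: the same client then contacts an unusually large number of distinct
          domain names inside a short window (the 900-in-40-minutes pattern).

Log format, thresholds and all sample lines are assumptions made for this example.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Record = namedtuple("Record", "ts client qname rcode")
FAILURE_RCODES = {"NXDOMAIN", "SERVFAIL", "REFUSED"}

# Constructed sample log, one query per line: "<ISO time> <client> <qname> <rcode>".
# 10.0.0.7 plays the infected host; 10.0.0.8 is a quiet control host.
_SAMPLE_LINES = [
    "2015-06-26T10:00:01 10.0.0.7 first-try[.]ru NXDOMAIN",
    "2015-06-26T10:00:02 10.0.0.7 second-try[.]ru NXDOMAIN",
    "2015-06-26T10:00:03 10.0.0.7 third-try[.]ru SERVFAIL",
    "2015-06-26T10:00:04 10.0.0.7 fourth-try[.]ru NXDOMAIN",
    "2015-06-26T10:00:05 10.0.0.7 emptyarray[.]ru NOERROR",
    "2015-06-26T10:00:30 10.0.0.8 intranet.example NOERROR",
    "2015-06-26T10:20:30 10.0.0.8 mail.example NOERROR",
]
# Forty minutes of click-fraud traffic from the infected host: 80 distinct
# (constructed) ad domains, one lookup every 30 seconds starting at 10:00:35.
for _i in range(80):
    _t = datetime(2015, 6, 26, 10, 0, 35) + timedelta(seconds=30 * _i)
    _SAMPLE_LINES.append(f"{_t.isoformat()} 10.0.0.7 ad{_i:03d}-serve[.]example NOERROR")
SAMPLE_LOG = "\n".join(_SAMPLE_LINES)


def parse_log(text):
    """Parse the assumed log format into time-sorted Record tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        records.append(Record(datetime.fromisoformat(ts), client, qname.lower(), rcode.upper()))
    return sorted(records, key=lambda r: r.ts)


def failed_lookup_runs(records, min_failures=3):
    """Signal 1: (client, failures, resolved_domain, ts) for each run of at least
    min_failures consecutive failed lookups by one client that ends in a success."""
    findings = []
    run = defaultdict(int)  # consecutive failures per client
    for r in records:
        if r.rcode in FAILURE_RCODES:
            run[r.client] += 1
            continue
        if run[r.client] >= min_failures:
            findings.append((r.client, run[r.client], r.qname, r.ts))
        run[r.client] = 0
    return findings


def distinct_domain_bursts(records, window=timedelta(minutes=40), threshold=50):
    """Signal 2: {client: max distinct domains seen in any `window`} for clients
    whose maximum reaches `threshold`. Failed lookups count too: they are still
    contact attempts."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r.client].append(r)
    alerts = {}
    for client, recs in by_client.items():
        best = 0
        for i, start in enumerate(recs):  # recs inherit the global time order
            in_window = {r.qname for r in recs[i:] if r.ts - start.ts <= window}
            best = max(best, len(in_window))
        if best >= threshold:
            alerts[client] = best
    return alerts


def detect(log_text, min_failures=3, window=timedelta(minutes=40), threshold=50):
    """Run both heuristics over a log and return the findings keyed by signal."""
    records = parse_log(log_text)
    return {
        "resolve_after_failures": failed_lookup_runs(records, min_failures),
        "domain_bursts": distinct_domain_bursts(records, window, threshold),
    }


if __name__ == "__main__":
    for signal, finding in detect(SAMPLE_LOG).items():
        print(signal, finding)
```

The two signals are deliberately kept separate: a run of NXDOMAINs on its own is common (typos, stale CNAMEs), and a spike in distinct domains on its own can be a browser session, but the same client producing both within minutes is worth a ticket. Thresholds are for the constructed data; on a real resolver log they should be tuned per network against a baseline.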

However, during this activity, CryptoWall was also sent to the compromised system to encrypt files and demand payment of a ransom in exchange for decryption services.

Researchers say the device remains under criminal control and the click-fraud activity continues for another hour, generating additional revenue for the cybercriminals.

In the two hours before CryptoWall arrived, the infected system received three pieces of click-fraud malware.

Stephen Newman, CTO at Damballa, points out that initial infection vectors should not be dismissed as lesser threats, because they can be a symptom of a larger threat waiting to strike.

“The changing nature of these attacks underscores the importance of being armed with advanced detection, to combat these more stealthy threats. As infections can spread quickly through the network, security teams should take proactive measures to avoid becoming a cautionary click-fraud tale,” Newman says.

CryptoWall encrypted victim's data

RuthlessTreeMafia connections to command and control server