14 DAY TRIAL // A new resume-themed malicious email campaign spotted by security researchers aims at delivering version 3.0 of CryptoWall ransomware, recording success against some antivirus solutions.
Distributing crypto-malware this way is not uncommon, but cybercriminals make constant efforts to evade detection.
Ransomware delivered after several redirects
For this campaign, the threat actor sends the message making it look like it is a reply to a previous email sent by the victim. Attached to it is a ZIP archive containing an HTML document
The file redirects to a compromised WordPress website containing an iFrame with a redirect to a Google Drive cloud storage account serving the a malware downloader, which poses as a PDF but is in fact an executable file (SCR) associated with screensavers.
The infection chain is pretty intricate for a campaign of this kind and relies on multiple layers of obfuscation that are likely to fool multiple antivirus solutions.
Nick Biasini from Cisco’s TALOS security intelligence and research group analyzed the infection chain and said that a large number of the recipients were tricked and attempted to download the malware downloader from the compromised WordPress website.
Small modifications of the threat make campaigns successful
“These attacks are successful because these types of emails are seen legitimately as well. If they happen to reach someone who is in the process of hiring or evaluating candidates they are likely to open the attachments and follow the process,” Biasini says in a blog post on Friday.
The final payload is CryptoWall, which, despite being well known in the security industry, is delivered with small variations to avoid detection. The researcher says that the hashes are changing often and allow for longer exploitation times.
On VirusTotal, when a such a campaign is initiated, only a few products detect the malware and none of them recognize its type. However, in as quick as 25 hours detection is available from more than 25 antivirus solutions and the campaign reaches an end, only to be redeployed with a slightly modified version of the ransomware.