
CryptoWall Proves Two Old Wrongs Can Work Right

Carbon Black
March 12, 2015 / Matt Larsen

CryptoWall, an advanced version of the file-encrypting ransomware CryptoLocker, was recently sent to email accounts in at least seven countries. CryptoWall’s payload encrypts files on an infected computer in an effort to extort money in return for the decryption key.

CryptoWall is nothing new, and neither is its most recent delivery method: infected Compiled HTML files with the .chm extension. These .chm files have been used before to deliver malware through email attachments. So, in this new era of highly sophisticated attacks, malicious programmers went back to less fashionable but highly effective tactics.

“I am continually amazed that distributing malware in email attachments is still as successful as it is,” said Rico Valdez, senior threat intelligence researcher at Bit9 + Carbon Black. “Most end users don’t understand that email was never designed with any sort of security in mind, and assume that their antivirus software or corporate IT environment is taking care of them. They have no clue how trivial it is to spoof a sender, or use a little bit of public information to target an individual.”

Valdez added: “Corporate environments need to do better at protecting end-users from attachments and email spoofing in general, including user education and technical controls.”

In this case, the targets included companies in the U.K., the U.S., Holland, Australia, Sweden, Denmark and Slovakia. The spam servers appear to be in the U.S., Australia, Vietnam, India and Romania.

Using .chm files is a solid tactic. They are normally used to deliver user manuals, but the format supports a chain of effective tools such as JavaScript, which can be used to call executable files or other components such as ActiveX or PowerShell. Configured properly, a .chm file can write and execute almost any malicious file once it is opened.

In this specific case, there is a pattern to the results of opening the infected .chm archive:

  1. The code will download http://<various domains>/putty.exe from a list of websites using plain HTTP over port 80.
  2. It saves the putty.exe file as %temp%\natmasia2.exe and then executes the malware.
  3. A command prompt opens during this process, but it does not request any further user interaction.

Blocking the download of the executable or blocking the write/execution of the natmasia2.exe file can stop this particular variant. Or better yet: preventing the user from opening the infected file in the first place will stop this attack and many others.
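As an added illustration (not code from this post or from Carbon Black), here is a small Python detector that checks the three-step pattern above against constructed endpoint events. It assumes a simple key=value log format and that the Windows CHM viewer process is hh.exe; neither is stated in the post.

```python
import re

# Constructed endpoint telemetry (one key=value event per line); not real logs from the campaign.
# Assumption not stated in the post: the CHM viewer on Windows is hh.exe.
SAMPLE_EVENTS = [
    'PROC parent=outlook.exe child=hh.exe cmd="hh.exe C:\\Users\\bob\\Downloads\\invoice.chm"',
    'NET proc=hh.exe method=GET url=http://downloads.example/putty.exe port=80',
    'FILE proc=hh.exe op=write path=C:\\Users\\bob\\AppData\\Local\\Temp\\natmasia2.exe',
    'PROC parent=hh.exe child=natmasia2.exe cmd="C:\\Users\\bob\\AppData\\Local\\Temp\\natmasia2.exe"',
    'PROC parent=explorer.exe child=notepad.exe cmd="notepad.exe"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TEMP_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.IGNORECASE)  # %temp% on Windows
CHM_VIEWER = "hh.exe"          # assumed viewer process name
DROPPED_NAME = "natmasia2.exe"  # file name named in the post

def parse(line):
    """Split 'KIND k=v k="v with spaces"' into a dict; quoted values keep their spaces."""
    kind, _, rest = line.partition(" ")
    ev = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    ev["kind"] = kind
    return ev

def detect(lines):
    """Return one alert string per event that matches a step of the chain described above."""
    alerts = []
    for ev in map(parse, lines):
        kind = ev["kind"]
        if kind == "NET" and ev.get("url", "").lower().endswith("/putty.exe") and ev.get("port") == "80":
            alerts.append(f"{ev['proc']} fetched putty.exe over plain HTTP")
        elif kind == "FILE" and ev.get("op") == "write" and TEMP_RE.search(ev.get("path", "")):
            if ev["path"].lower().endswith("\\" + DROPPED_NAME):
                alerts.append(f"{ev['proc']} wrote {DROPPED_NAME} to %temp%")
        elif kind == "PROC" and ev.get("parent", "").lower() == CHM_VIEWER and TEMP_RE.search(ev.get("cmd", "")):
            # Broader than the named sample: any executable the CHM viewer launches from %temp%.
            alerts.append(f"{CHM_VIEWER} launched {ev['child']} from %temp%")
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The third rule deliberately generalizes beyond the natmasia2.exe name, since the download location and file name are the easiest parts of this chain for an attacker to change.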

This attack continues to prove one key point—the cyber battle needs to be fought at the level of the endpoints and their users themselves.

TAGS: cryptolocker / ransomware
