On February 4, 2015, Cyphort Labs detected another malvertising campaign originating from gopego.com. The site displays a malicious advertisement that redirects to other malicious links and eventually downloads CryptoWall ransomware.
The attack serves an exploit package embedded in a flash file, including exploits that target four vulnerabilities. Among them is the notorious CVE-2015-0311, which hit affyield.com a few days back.

Fig.1: iframe redirecting to the flash EK

Exploit Analysis
The initial flash file is essentially an exploit package: it is used as a platform to deliver the other exploits embedded in it. As seen before, the initial flash exploit (MD5: 31710b3fe36943bd5273d4fb0f0efa85) is obfuscated and loads a second-stage flash file using loadBytes(). The second stage reads a flash parameter (rtConfigEncodedString) that carries an RC4-encrypted JSON configuration; the key used is ‘vukocwgsos142160’. This JSON contains the list of URLs to the binary payloads along with the RC4 keys used to decrypt those binaries.

The second-stage flash uses ExternalInterface.call() to inject JavaScript into the browser DOM and queries various properties of the execution environment.

It has several exploits embedded as binary data, in encrypted and compressed form. Based on the environment, it chooses an appropriate exploit, decrypts it using RC4 and decompresses it if necessary. The decryption key used is “florbgd622662”. Once the chosen exploit is decrypted, depending on the vulnerability being exploited it is either injected via HTML/JS into the browser DOM or loaded as a third-stage SWF file.

The screenshot above shows binaries which exploit the following vulnerabilities:
- CVE-2013-2551 – nw2_html
- CVE-2014-6332 – nw7_html
- CVE-2015-0311 – nw9_swf
- CVE-2014-0569 – nw6_swf
After successful exploitation, the shellcode downloads an RC4-encrypted binary over the network, which it decrypts using the key “fxfdaxrrax”.
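Every stage of this chain is unpacked with the same primitive: RC4 with a hard-coded key, followed by JSON parsing (the rtConfigEncodedString configuration), optional decompression (the embedded nw*_html / nw*_swf exploits) or nothing at all (the downloaded binary). The following is an added example, written for this write-up and not Cyphort's or the exploit kit's code, of how an analyst can unpack all three with one RC4 routine. The keys are the ones quoted above; the configuration contents, the URL, the SWF and HTML blobs are constructed placeholders, and treating "compressed" as zlib (the default of Flash's ByteArray.uncompress()) is an assumption, since the write-up does not name the algorithm.

```python
# Added example (not Cyphort's or the kit's code): RC4 helpers for unpacking the
# three staged blobs described in the analysis. Keys are the ones quoted in the
# write-up; all sample plaintexts below are constructed and NOT the real data.
import json
import zlib
from typing import Tuple

CONFIG_KEY = b"vukocwgsos142160"   # rtConfigEncodedString (stage-2 JSON config)
EXPLOIT_KEY = b"florbgd622662"     # embedded exploit blobs (nw2_html ... nw9_swf)
PAYLOAD_KEY = b"fxfdaxrrax"        # binary fetched by the shellcode


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Being a stream cipher, the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_config(blob: bytes) -> dict:
    """Decrypt the stage-2 configuration (payload URLs + per-payload RC4 keys) and parse it."""
    return json.loads(rc4(CONFIG_KEY, blob).decode("utf-8"))


def unpack_exploit(blob: bytes) -> Tuple[str, bytes]:
    """Decrypt an embedded exploit and inflate it if it is compressed.

    Assumption: 'compressed' means a zlib stream (what ByteArray.uncompress()
    expects by default); the write-up does not name the algorithm.
    Returns (kind, data) where kind is 'swf', 'html' or 'unknown', which is
    what decides whether the kit loads it as a third-stage SWF or injects it
    into the DOM.
    """
    data = rc4(EXPLOIT_KEY, blob)
    try:
        data = zlib.decompress(data)
    except zlib.error:
        pass                                   # not compressed, use as-is
    if data[:3] in (b"FWS", b"CWS"):           # uncompressed / compressed SWF magic
        return "swf", data
    if data.lstrip().startswith(b"<"):
        return "html", data
    return "unknown", data


def decrypt_payload(blob: bytes, key: bytes = PAYLOAD_KEY) -> bytes:
    """Decrypt the binary the shellcode downloads; a PE file should start with 'MZ'."""
    data = rc4(key, blob)
    if data[:2] != b"MZ":
        raise ValueError("decrypted payload is not a PE file; wrong key or blob?")
    return data


# --- constructed sample data (placeholders, not the real campaign artifacts) ---
SAMPLE_CONFIG = {
    "urls": ["http://payload.example.invalid/a.bin"],  # hypothetical URL
    "keys": [PAYLOAD_KEY.decode()],
}
SAMPLE_CONFIG_BLOB = rc4(CONFIG_KEY, json.dumps(SAMPLE_CONFIG).encode())
SAMPLE_SWF = b"FWS\x0a" + b"\x00" * 28             # minimal SWF-looking header
SAMPLE_SWF_BLOB = rc4(EXPLOIT_KEY, zlib.compress(SAMPLE_SWF))
SAMPLE_HTML_BLOB = rc4(EXPLOIT_KEY, b"<script>/* nw2_html stand-in */</script>")
SAMPLE_PAYLOAD_BLOB = rc4(PAYLOAD_KEY, b"MZ\x90\x00" + b"\x00" * 60)


def demo() -> dict:
    """Walk the chain: config -> chosen exploit -> downloaded binary."""
    cfg = decrypt_config(SAMPLE_CONFIG_BLOB)
    swf_kind, _ = unpack_exploit(SAMPLE_SWF_BLOB)
    html_kind, _ = unpack_exploit(SAMPLE_HTML_BLOB)
    # The shellcode uses the key it got from the config for the download.
    payload = decrypt_payload(SAMPLE_PAYLOAD_BLOB, cfg["keys"][0].encode())
    return {"urls": cfg["urls"], "swf": swf_kind, "html": html_kind, "magic": payload[:2]}


if __name__ == "__main__":
    print(demo())
```

Because RC4 is symmetric, the same helpers can be pointed at the real blobs extracted from the SWF (the rtConfigEncodedString value, the nw* resources, or a captured download) with no changes other than the input; the "MZ" check in decrypt_payload is a cheap sanity test that the right key was used.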

Cryptowall 3.0 downloaded over the network
Payload
MD5: 0cffee266a8f14103158465e2ecdd2c1
The final payload is a variant of CryptoWall version 3.0 (also known as Crowti). Like its predecessor, it relies on RSA-2048, so the files it encrypts on the hard disk cannot be recovered without the attackers' private key. It also drops the following already well-known files in each affected directory; these files contain instructions on how to pay the ransom.

Once it has finished encrypting files, the malware visits the URL http://paytoc4gtpn5czl2.torpaysolutions.com/hkmxYL and demands that victims pay US$500 in Bitcoin to receive the decryption key that allows them to recover their files. It also displays a countdown of 168 hours (7 days) to pay the ransom; if the victim does not pay within that window, the price increases to US$1,000.


Instruction on how to pay the ransom using bitcoin
The ransomware program provides users with links to several Tor gateways leading to CryptoWall decryption services hosted on the Tor network.
There have also been reports that this new version of CryptoWall uses the I2P (Invisible Internet Project) anonymity network for communication between victims and controllers, to hide from researchers and law enforcement officials.
We have seen this malware connect to following CnC servers:
- asthalproperties.com:4444
- pratikconsultancy.com:8080
It retrieves the victim's IP address by visiting ip-addrs.es.
Cyphort Labs has seen malvertising campaigns on the rise. They continue to be threat actors' favorite method of delivering drive-by-download attacks. With every discovery of a zero-day exploit, actors rapidly take advantage and update their kits to deliver malicious binaries more reliably. It is always advisable to take precautions when browsing the web and to patch software to the latest available version.
Special thanks to McEnroe Navaraj, Alex Burt and the rest of the Cyphort Labs team for their help in the discovery and analysis of this attack.
The post Malvertising on Indonesian portal gopego.com delivers Cryptowall 3.0 appeared first on Cyphort.