Click HERE to learn more about classes Basil is teaching for SANS

Cryptowall, again!

Published: 2015-03-06. Last Updated: 2015-03-06 11:23:32 UTC
by Basil Alawi S.Taher (Version: 1)
2 comment(s)

A new variant of CryptoWall (an advanced version of CryptoLocker) is now using a malicious .chm file attachment to infect systems.

According to net-security.org, Bitdefender Labs has found a spam wave spreading malicious .chm attachments.

CHM (Compiled HTML Help) is Microsoft's compiled HTML format; it supports technologies such as JavaScript, which can redirect a user to an external link.

“Once the content of the .chm archive is accessed, the malicious code downloads from this location http:// *********/putty.exe, saves itself as %temp%\natmasla2.exe and executes the malware. A command prompt window opens during the process.”

======================================

1. https://isc.sans.edu/diary/Traffic+Patterns+For+CryptoWall+3.0/19203

2. https://isc.sans.edu/forums/diary/Pay+attention+to+Cryptowall/18243/

3. http://www.net-security.org/malware_news.php?id=2981&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+HelpNetSecurity+%28Help+Net+Security%29


Comments

interesting. didn't realize CHM files could both download and execute things.
so definitely not user interaction required?
https://twitter.com/ithurricanept

interesting poc (or maybe sample judging by the poc domain).
chm with embedded 1x1 active-x button. clsid referring to Hhctrl.ocx (CHM as well)
JS autorun - auto-clicks the button, active-x object calls cmd, calls powershell, dls and execs code. Curious.
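The diary describes the delivery chain (a .chm attachment is opened, the Help viewer runs script that downloads an executable into %temp% and launches it), and the comment above describes the same chain as hh.exe calling cmd, then powershell. Below is an added example of how a defender might check for both ends of that chain; it is not code from the diary, from Bitdefender or from the commenter. It assumes two things that are not on the page: that attachments can be identified as CHM by the `ITSF` magic bytes at offset 0 (true of the CHM container format), and a hypothetical one-line-per-process log format with `pid=`, `ppid=`, `image=` and `cmd=` fields. All sample bytes and log lines are constructed for illustration; the pids, paths and the `natmasla2.exe` name (from the diary) are not real telemetry.

```python
"""Added example (not from the ISC diary): defender-side checks for the CHM
delivery chain.

1. classify_attachment(): flags a file as Compiled HTML Help by its ITSF
   magic bytes, so a .chm renamed to another extension is still caught.
2. find_chm_spawn_chains(): walks constructed process-creation log lines and
   alerts when a shell interpreter, or an .exe launched from a Temp folder,
   has the Help viewer (hh.exe) somewhere in its ancestry.
"""
import re
from pathlib import PureWindowsPath

CHM_MAGIC = b"ITSF"          # first four bytes of a CHM container
HELP_VIEWER = "hh.exe"       # Windows HTML Help executable
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Hypothetical log format assumed for this example (not a real product format).
LOG_RE = re.compile(
    r'pid=(?P<pid>\d+)\s+ppid=(?P<ppid>\d+)\s+image="(?P<image>[^"]+)"\s+cmd="(?P<cmd>[^"]*)"'
)

# Constructed sample: a CHM opened from Outlook spawns cmd -> powershell -> a
# Temp-folder exe (the chain the diary describes), plus a benign hh.exe use.
SAMPLE_LOG = """\
pid=1200 ppid=800  image="C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE" cmd="OUTLOOK.EXE"
pid=1310 ppid=1200 image="C:\\Windows\\hh.exe" cmd="hh.exe C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.chm"
pid=1322 ppid=1310 image="C:\\Windows\\System32\\cmd.exe" cmd="cmd.exe /c powershell.exe -NoProfile"
pid=1330 ppid=1322 image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" cmd="powershell.exe -NoProfile"
pid=1340 ppid=1330 image="C:\\Users\\bob\\AppData\\Local\\Temp\\natmasla2.exe" cmd="natmasla2.exe"
pid=1400 ppid=800  image="C:\\Windows\\hh.exe" cmd="hh.exe C:\\Windows\\Help\\mui\\0409\\ntprint.chm"
pid=1500 ppid=1400 image="C:\\Windows\\System32\\notepad.exe" cmd="notepad.exe"
"""


def is_chm(data: bytes) -> bool:
    """True when the content starts with the CHM (ITSF) magic, regardless of name."""
    return data[:4] == CHM_MAGIC


def classify_attachment(filename: str, data: bytes) -> str:
    """Combine the declared extension with the content magic.

    'chm-renamed' (CHM content under another extension) is the case a
    name-only filter would miss; 'chm-name-only' is a .chm name on non-CHM
    content, which still deserves a look since the viewer decides by content.
    """
    ext = PureWindowsPath(filename).suffix.lower()
    if is_chm(data):
        return "chm" if ext == ".chm" else "chm-renamed"
    return "chm-name-only" if ext == ".chm" else "other"


def parse_log(text: str) -> dict:
    """Map pid -> {ppid, image, cmd} for every parseable line."""
    procs = {}
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            procs[int(m["pid"])] = {
                "ppid": int(m["ppid"]), "image": m["image"], "cmd": m["cmd"]}
    return procs


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def lineage(procs: dict, pid: int, max_depth: int = 6) -> list:
    """Return [pid, parent, grandparent, ...] for as far as the log goes."""
    chain = []
    while pid in procs and len(chain) < max_depth:
        chain.append(pid)
        pid = procs[pid]["ppid"]
    return chain


def find_chm_spawn_chains(procs: dict) -> list:
    """Alert on (pid, image name, reason) when hh.exe is an ancestor of a
    shell interpreter or of an .exe running out of a Temp folder."""
    alerts = []
    for pid, p in procs.items():
        name = basename(p["image"])
        from_temp = "\\temp\\" in p["image"].lower() and name.endswith(".exe")
        if name not in SHELLS and not from_temp:
            continue
        ancestors = [basename(procs[a]["image"]) for a in lineage(procs, pid)[1:]]
        if HELP_VIEWER in ancestors:
            alerts.append((pid, name, "shell" if name in SHELLS else "temp-exe"))
    return sorted(alerts)


if __name__ == "__main__":
    print(classify_attachment("invoice.pdf", CHM_MAGIC + bytes(28)))
    for alert in find_chm_spawn_chains(parse_log(SAMPLE_LOG)):
        print(alert)
```

The ancestry walk is bounded (`max_depth`) so a log with a pid cycle cannot loop forever, and the benign hh.exe → notepad.exe pair in the sample does not alert, which is the false-positive case to keep in mind: the signal is a shell or a Temp-folder executable under the Help viewer, not hh.exe on its own.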
