This is a guest diary submitted by Brad Duncan.

Various sources have reported that version 3 of CryptoWall has appeared [1] [2] [3]. This malware is currently being delivered by exploit kits and phishing emails. CryptoWall is one of many ransomware trojans that encrypt the personal files on your computer and demand a bitcoin payment before you can unlock them.

I got a sample on Wednesday, January 14th 2015 while infecting a virtual machine (VM) from a malicious server hosting the Magnitude exploit kit. If you're registered with Malwr.com, you can get a copy of this CryptoWall 3.0 sample at: https://malwr.com/analysis/MDA0MjIzOGFiMzVkNGEzZjg3NzdlNDAxMDljMDQyYWQ/

Let's look at the traffic from my infected VM:

In this example, the infected VM checked ip-addr.es to determine its public IP address. Then the VM communicated with a server at 194.58.109.158 using HTTP over a non-standard port. In this case it was port 2525, but I saw different ports on other hosts I've infected with this sample. Finally, the user viewed a web page with the decrypt instructions at 5.199.166.220.

When monitoring the infection traffic with Security Onion [5], we see an EmergingThreats alert for a CryptoWall check-in [4].

The decryption instructions specify the following bitcoin address for the ransom payment: 1GJRTp9YRKFEvzZCTSaRAzrHskFjEwsZy

Here's what the user would see on their desktop screen:

----------
Brad Duncan is a Security Researcher at Rackspace, and he runs a blog on malware traffic analysis at http://www.malware-traffic-analysis.net

References:
[1] http://malware.dontneedcoffee.com/2015/01/guess-whos-back-again-cryptowall-30.html
Johannes 4478 Posts ISC Handler Jan 19th 2015
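The check-in sequence the diary describes (a public-IP lookup at ip-addr.es, followed shortly by HTTP to a server on a non-standard port) can be turned into a simple detection over proxy or Zeek http.log data. The Python below is an added example written for this page; it is not code from the diary, from Security Onion or from the EmergingThreats ruleset. The log lines are constructed (192.168.1.10 mirrors the diary's infection, reusing the 194.58.109.158:2525 check-in the diary observed; the other clients are benign decoys), and the set of "standard" HTTP ports, the 300-second window and the field layout are assumptions.

```python
"""Added example (not part of the ISC diary): flag the CryptoWall 3.0
check-in sequence described above -- a host looks up its public IP at
ip-addr.es, then speaks HTTP to a server on a non-standard port -- over
Zeek-style http.log records. All log lines below are constructed."""
from typing import Dict, List, Tuple

# Hosts that answer "what is my public IP"; ip-addr.es is the one the diary
# saw. Others could be added, but that would be an assumption, not something
# the diary reports.
IP_CHECK_HOSTS = {"ip-addr.es"}

# Assumption: ports on which HTTP is expected and should not raise an alert.
STANDARD_HTTP_PORTS = {80, 443, 8000, 8080, 8443}

# Assumption: how long after the IP lookup the check-in must occur.
WINDOW_SECONDS = 300.0

# Constructed http.log-style records (tab-separated):
#   ts  id.orig_h  id.resp_h  id.resp_p  host
# 192.168.1.10 mirrors the diary's infection (194.58.109.158:2525 is the
# check-in server the diary observed); the other clients are benign decoys:
# .11 does an IP lookup then talks to a proxy on 8080, .12 uses an odd port
# with no lookup, .13 does a lookup but the odd-port HTTP comes far too late.
SAMPLE_HTTP_LOG = """\
1421251200.10\t192.168.1.10\t203.0.113.10\t80\tip-addr.es
1421251212.50\t192.168.1.10\t194.58.109.158\t2525\t194.58.109.158
1421251300.00\t192.168.1.11\t203.0.113.10\t80\tip-addr.es
1421251301.00\t192.168.1.11\t10.0.0.5\t8080\tproxy.corp.example
1421251400.00\t192.168.1.12\t198.51.100.7\t4443\t198.51.100.7
1421251500.00\t192.168.1.13\t203.0.113.10\t80\tip-addr.es
1421252000.00\t192.168.1.13\t198.51.100.9\t2525\t198.51.100.9
"""


def parse_http_log(text: str) -> List[Dict]:
    """Parse the five-column TSV above into dicts; skips blank and '#' lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, orig_h, resp_h, resp_p, host = line.split("\t")
        records.append({"ts": float(ts), "orig_h": orig_h, "resp_h": resp_h,
                        "resp_p": int(resp_p), "host": host})
    return records


def find_checkins(records: List[Dict],
                  window: float = WINDOW_SECONDS) -> List[Tuple[str, str, int, float]]:
    """Return (orig_h, resp_h, resp_p, seconds_after_lookup) for every HTTP
    connection to a non-standard port that follows an IP-check lookup from
    the same client within `window` seconds. Matching on the sequence rather
    than on port 2525 matters: the diary notes the port changed between hosts."""
    last_lookup: Dict[str, float] = {}   # client -> ts of its latest IP lookup
    hits = []
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if r["host"].lower() in IP_CHECK_HOSTS:
            last_lookup[r["orig_h"]] = r["ts"]
            continue
        if r["resp_p"] in STANDARD_HTTP_PORTS:
            continue
        t0 = last_lookup.get(r["orig_h"])
        if t0 is not None and 0.0 <= r["ts"] - t0 <= window:
            hits.append((r["orig_h"], r["resp_h"], r["resp_p"],
                         round(r["ts"] - t0, 2)))
    return hits


if __name__ == "__main__":
    for orig_h, resp_h, resp_p, delta in find_checkins(parse_http_log(SAMPLE_HTTP_LOG)):
        print(f"possible CryptoWall check-in: {orig_h} -> {resp_h}:{resp_p} "
              f"({delta}s after public-IP lookup)")
```

Run against the constructed log, only 192.168.1.10 is reported. The point of keying on the lookup-then-odd-port sequence instead of on port 2525 or the 194.58.109.158 address is exactly the caveat in the diary: the port varied between infected hosts, so a port- or IP-based block would miss the next sample, while the behaviour (ask for your public IP, then phone home over HTTP somewhere unusual) is what the ET check-in signature is keyed on as well.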
What's the status of malware detection for this threat?
Michael 32 Posts
Jan 19th 2015
McAfee Enterprise is successfully detecting the new variant. We had a user get nailed in the last few days. We immediately kicked the user off the network to prevent further network penetration.
Dokki 4 Posts
Jan 19th 2015
It had a 9 of 56 detection rate on VirusTotal when I originally submitted it on 2015-01-14. Someone re-submitted it to VirusTotal again today, and it's currently sitting at 35 of 56.
virustotal.com/en/file/9e06d2ce0741e039311261acc3d3acbaba12e02af8a8f163be926ca90230fa89/analysis/
Brad 433 Posts ISC Handler
Jan 19th 2015
Hello, can you please tell me what DAT (McAfee) version detects this malware?
Brad 1 Posts
Jan 27th 2015