Crooks use seemingly harmless help files to serve CryptoWall ransomware

Experts at Bitdefender revealed that crooks used seemingly harmless help files to distribute a variant of the popular ransomware CryptoWall.

Cybercrime never ceases to surprise: every time we look, there is a new and effective technique for deceiving victims and evading detection mechanisms. Security experts at Bitdefender have discovered a new spam campaign that targeted a few hundred users. The attackers sent email messages containing a bogus “Incoming Fax Report” that carried a help file with the .chm (compiled HTML) extension.

When victims opened the file, they were presented with a help window, while in the background malicious code downloaded the CryptoWall ransomware and executed it. Bitdefender detects this ransomware variant as Trojan.GenericKD.217093.

The spam campaign targeted users worldwide, including in the United States, Europe and Australia.


CryptoWall is one of the most widely used malicious codes in the cybercriminal ecosystem for extortion. Ransomware is a family of malware that locks victims’ files and demands the payment of a fee to unlock them. CryptoWall uses public-key cryptography to encrypt files with certain extensions.

According to experts at Dell SecureWorks, as of August 2014 CryptoWall had caused 600,000 infections in the previous six months, producing $1 million in ransoms; victims paid a fee ranging from $100 to $500.

The latest variant, CryptoWall 3.0, uses I2P to hide its command and control infrastructure. The threat actors behind the latest campaign used servers located in Vietnam, India, the US, Australia, Spain and Romania to send out the spam emails.

Bitdefender provides the CryptoWall Vaccine, which protects systems against the ransomware by blocking file encryption attempts.

“We have now developed a vaccine that allows users to immunize their computers and block any file encryption attempts, even if they become infected with CryptoWall, one of the most powerful clones of the Cryptolocker malware,” reports Bitdefender.

In this campaign, the attackers relied on seemingly harmless help files (CHM files), which can run JavaScript code.

“These CHM files are highly interactive and run a series of technologies including JavaScript, which can redirect a user toward an external URL after simply opening the CHM,” Bitdefender said. “Attackers began exploiting CHM files to automatically run malicious payloads once the file is accessed. And it makes perfect sense: the less user interaction, the greater the chances of infection.”
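The defensive counterpart to the technique described above is to recognise a CHM container at the mail gateway regardless of the name it arrives under. The following Python snippet is an added example, not code from the original post or from Bitdefender: it checks attachment bytes for the ITSF magic that begins every CHM container instead of trusting the extension, and flags a CHM that arrives with a fax-themed subject (the lure used in this campaign) or with a mismatched extension. The subjects, filenames and byte strings are constructed samples, and the verdict labels are this example's own.

```python
import re

# Every CHM container starts with the ITSF signature; checking bytes rather than
# the extension catches a CHM that was renamed to look like something else.
CHM_MAGIC = b"ITSF"

# The campaign's lure was a bogus "Incoming Fax Report"; this pattern is a
# constructed heuristic for that theme, not a rule from the original post.
LURE_PATTERN = re.compile(r"\bfax\b", re.IGNORECASE)

# Constructed sample attachment records: (mail subject, filename, leading bytes).
SAMPLE_ATTACHMENTS = [
    ("Incoming Fax Report", "fax_report.chm", CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 24),
    ("Incoming Fax Report", "fax_report.pdf", CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 24),
    ("Quarterly numbers", "report.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    ("Product manual", "product_help.chm", CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 24),
]


def is_chm(content: bytes) -> bool:
    """True when the attachment bytes begin with the CHM (ITSF) signature."""
    return content[:4] == CHM_MAGIC


def classify_attachment(subject: str, filename: str, content: bytes) -> list:
    """Return the list of reasons an attachment is suspicious (empty if none)."""
    reasons = []
    lower_name = filename.lower()
    if is_chm(content):
        reasons.append("chm-container")
        if not lower_name.endswith(".chm"):
            # A CHM hiding behind another extension is a stronger signal.
            reasons.append("extension-mismatch")
        if LURE_PATTERN.search(subject):
            reasons.append("fax-lure")
    elif lower_name.endswith(".chm"):
        # Named as a help file but not actually a CHM container; worth a look.
        reasons.append("chm-extension-without-itsf-header")
    return reasons


def should_quarantine(reasons: list) -> bool:
    """Quarantine any attachment that is actually a CHM container.

    Help files arriving as unsolicited mail attachments have little legitimate
    use, and the reasons list lets an analyst see why the mail was held.
    """
    return "chm-container" in reasons


def triage(attachments) -> list:
    """Run every record through the classifier; returns (filename, reasons, quarantine)."""
    results = []
    for subject, filename, content in attachments:
        reasons = classify_attachment(subject, filename, content)
        results.append((filename, reasons, should_quarantine(reasons)))
    return results


if __name__ == "__main__":
    for filename, reasons, quarantine in triage(SAMPLE_ATTACHMENTS):
        verdict = "QUARANTINE" if quarantine else "deliver"
        print(f"{filename:18} {verdict:10} {', '.join(reasons) or '-'}")
```

The magic-byte check is the part that matters: an attachment policy keyed only on the `.chm` extension is defeated by a simple rename, whereas the ITSF signature has to be present for Windows to open the file as a help file at all.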

Security experts believe that the campaign mainly targeted corporate users, given the nature of the lure used in the spam messages: a fake fax report email.

Pierluigi Paganini

(Security Affairs – CryptoWall, ransomware)