Karamjit Posted December 6, 2015

A look inside your typical malware campaign

In an optimal scenario, when you get infected with malware, you think it's only one virus. Unfortunately, in the real world it's not so, and security analysts from Heimdal Security have unveiled details about a malware campaign that starts with infostealers, goes through exploit kits, and finishes with computers being locked down with ransomware.

The whole nightmare scenario begins when users are infected with the Pony infostealer, a malware strain specialized in discovering and stealing user credentials. These can be local computer or network authentication logins, FTP credentials, or the various user and password combos stored inside your browsers.

Using FTP details exfiltrated by Pony, the criminals behind this campaign are accessing the victims' websites and injecting malicious code into key files. This malicious code secretly redirects all of that website's users to a malicious page where an exploit kit is hosted. Exploit kits, or crimekits, perform a series of checks on all users that land on their page and detect any vulnerable software.

Final payload: CryptoWall 4.0 ransomware

Since the Angler exploit kit is detected in this campaign, if the user has vulnerable Flash, Java, or Microsoft software installed, he will get infected with other types of malware, in this case the CryptoWall 4.0 ransomware. This is where the campaign ends, and where the criminals start making money, with most of the users ending up paying the ransom to recover their files.

"Not even a month has passed since we announced the advent of CryptoWall 4.0 and its improved communication and capabilities and it's already being used in campaigns," Heimdal Security's Andra Zaharia notes. "Attackers move fast, they are resourceful, they understand market trends and are able to capitalize on zero days and other vulnerabilities."

According to Heimdal Security's investigation, most of the exploit kits are hosted on a series of pages tied to six major domains, all hosted on the infrastructure of a Ukrainian Web hosting provider known to ignore takedown requests.
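The injection step described above (stolen FTP credentials used to plant redirect code in a site's key files) is something a site owner can catch with a file-integrity baseline plus a scan of changed pages for script or iframe sources on hosts the site does not use. The following is an added example illustrating that check; it is not code from the post or from Heimdal Security, and the sample pages, the allowlisted CDN host and the `attacker-placeholder.invalid` host are constructed here.

```python
import hashlib
import re
from urllib.parse import urlparse

# Externally sourced scripts and iframes are the usual shape of the redirect
# code planted in a compromised site's pages (assumption of this example).
EXTERNAL_REF = re.compile(
    r'<(script|iframe)\b[^>]*?\bsrc\s*=\s*["\']?(https?://[^"\'\s>]+)', re.IGNORECASE)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(files: dict) -> dict:
    """Map each path to the SHA-256 of its content (files: {path: bytes})."""
    return {path: sha256_hex(content) for path, content in files.items()}

def changed_files(baseline: dict, current: dict) -> list:
    """Paths whose hash differs from the known-clean baseline, or that are new."""
    return sorted(p for p, h in current.items() if baseline.get(p) != h)

def foreign_refs(html: str, allowed_hosts: set) -> list:
    """(tag, url) for each script/iframe whose host is not on the site's allowlist."""
    hits = []
    for tag, url in EXTERNAL_REF.findall(html):
        host = (urlparse(url).hostname or "").lower()
        if host not in allowed_hosts:
            hits.append((tag.lower(), url))
    return hits

def scan_site(baseline: dict, files: dict, allowed_hosts: set) -> dict:
    """For every file changed since the baseline, list its foreign references."""
    report = {}
    for path in changed_files(baseline, build_manifest(files)):
        html = files[path].decode("utf-8", errors="replace")
        report[path] = foreign_refs(html, allowed_hosts)
    return report

# Constructed sample: a clean deployment, then the same site after an iframe
# was injected into index.html (the host below is a placeholder, not a real IoC).
CLEAN = {
    "index.html": b'<html><body><script src="https://cdn.example.org/app.js"></script></body></html>',
    "about.html": b"<html><body>About us</body></html>",
}
INJECTED = dict(CLEAN)
INJECTED["index.html"] = CLEAN["index.html"].replace(
    b"</body>",
    b'<iframe src="http://attacker-placeholder.invalid/gate.php" width="0" height="0"></iframe></body>')

if __name__ == "__main__":
    print(scan_site(build_manifest(CLEAN), INJECTED, {"cdn.example.org"}))
```

The baseline manifest must come from a known-clean copy (the deployment artifact, not the live web root), and a hit on a changed file is also the moment to rotate the FTP credentials that the campaign relies on.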
straycat19 Posted December 6, 2015

If you do all your online activities using a VM, then 99% of all malware won't even install and will even delete itself from the system, because most of it today is designed to do exactly that to prevent security personnel from testing and analyzing it using a VM.
Holmes Posted December 6, 2015

You can't just assume it is going to delete itself. Yes, that is very likely, but what happens if someone takes your advice and gets malware that is designed to infiltrate VMs, like it infects the VM and tries to find an exploit in the VM? VMs are not hack-proof. I agree with you to an extent, but there is malware out there that can be designed to detect a VM and then escape it to infect the computer itself; that's the malware I'm worried about. That's what black hats want you to think: that you're safe, and then when you think you're safe they test that weakness.