CryptoWall Makes a Comeback via Malicious Help Files
Hackers use .chm attachments to execute malware on unsuspecting users.
March 9, 2015
A new spam wave has hit hundreds of mailboxes with malicious .chm attachments to spread the infamous CryptoWall ransomware, malware researchers from Bitdefender Labs found.
Interestingly, hackers have resorted to a less “fashionable,” yet highly effective trick to automatically execute malware on a victim’s machine and encrypt its contents – malicious .chm attachments.
What Is So Dangerous About Help Files?
The fake incoming fax report email claims to be from a machine in a user’s domain, which leads us to believe the email targets employees from different organizations to infiltrate company networks.
Once the content of the .chm archive is accessed, the malicious code downloads a file from http://*********/putty.exe, saves it as %temp%\natmasla2.exe, and executes it. A command prompt window opens during the process.
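As an added illustration that is not part of Bitdefender's analysis, the following Python script applies two endpoint-detection rules to a constructed set of process-creation events modelled on the chain described above: the Windows HTML Help viewer (hh.exe, the program that opens .chm files) starting a command shell, and that shell launching an executable out of %temp%. The event records, user name and file paths are assumptions made for the example.

```python
import ntpath
from dataclasses import dataclass

# Child processes that the HTML Help viewer has no ordinary reason to start.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str  # full path of the parent process
    image: str         # full path of the newly created process


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def in_temp_dir(path: str) -> bool:
    """True when the executable lives under a user's %TEMP% (AppData\\Local\\Temp)."""
    return "\\appdata\\local\\temp\\" in path.lower()


def detect(events):
    """Return one alert string per rule match, in event order."""
    alerts = []
    for ev in events:
        parent, child = basename(ev.parent_image), basename(ev.image)
        # Rule 1: hh.exe spawning a shell or script host points to active content in the .chm.
        if parent == "hh.exe" and child in SUSPICIOUS_CHILDREN:
            alerts.append(f"hh.exe spawned {child}: possible script inside a .chm attachment")
        # Rule 2: a shell (or hh.exe itself) launching an .exe dropped into %TEMP%.
        if child.endswith(".exe") and in_temp_dir(ev.image) and parent in SUSPICIOUS_CHILDREN | {"hh.exe"}:
            alerts.append(f"{parent} launched an executable from %TEMP%: {ev.image}")
    return alerts


# Constructed telemetry: the first three events mirror the chain in the article,
# the last two are benign uses of the help viewer and must not alert.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\hh.exe"),
    ProcessEvent(r"C:\Windows\hh.exe", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Users\alice\AppData\Local\Temp\natmasla2.exe"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\hh.exe"),
    ProcessEvent(r"C:\Windows\hh.exe", r"C:\Program Files\Internet Explorer\iexplore.exe"),
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```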
CryptoWall is an advanced version of CryptoLocker, a file-encrypting ransomware known for disguising its viral payload as a non-threatening application or file. Its payload encrypts the files of infected computers in an effort to extract money for the decryption key.
Ransomware is one of the most challenging breeds of malware, especially for security companies, which are forced to create increasingly aggressive heuristics to make sure internal data remains private. Learn more about how companies can bolster defenses against ransomware here.
The email blast occurred on February 18 and targeted a couple hundred users. The spam servers appear to be in Vietnam, India, Australia, the US, Romania, and Spain. After analyzing the recipient domain names, it looks like the attackers are after users from around the world, including those in the US, Europe, and Australia.
Bitdefender detects the malware as Trojan.GenericKD.2170937.
How to Prevent Getting Infected with CryptoWall
Bitdefender researchers have made a list of recommendations to prevent CryptoWall infections, including keeping a copy of the data on external drives. Read more about it here. To add extra protection, Bitdefender has also developed the CryptoWall Immunizer, a tool that allows users to immunize their computers and block any file encryption attempt before it happens. Bitdefender recommends users keep their antivirus solution always on and use this tool as an additional layer of protection.
This article is based on spam samples provided courtesy of Bitdefender Spam Researcher Adrian Miron and the technical information provided by Bitdefender Virus Analysts Doina Cosovan and Octavian Minea.