ThreatTrack Security Labs researchers have caught a phishing email posing as a Booking.com message. The email carries an attachment named “E-TICKET_CONFIRM.doc” that, once downloaded, walks the user through the steps to enable the embedded macro code, which then infects the computer with CryptoWall.
How It Infects Your System: If the user ignores Microsoft’s default security warning and enables macros, the malicious macro code drops and executes an Upatre variant. Upatre then drops a file named comprendre.exe in the %temp% folder; that file spawns a child process of itself as the main file and later overwrites it with the downloader code.
This Upatre variant uses a common malware technique called process hollowing (also known as dynamic forking) to ultimately infect the computer with CryptoWall. Process hollowing starts a legitimate process and replaces its code in memory, so the malware appears to be a normal process. In this particular Upatre variant, the newly created instance of svchost.exe is the target and acts as the container for the malicious code. That code downloads hXXp://www.gpul<BLOCKED>n.com/8170/nnm12.exe, which is CryptoWall 4 malware. Check out the screenshots below to see ThreatTrack’s ThreatSecure analysis of this file.
This file uses the process hollowing technique on explorer.exe. The hollowed explorer.exe then spawns another instance of svchost.exe, which also contains malicious code. That svchost.exe contacts a set of sites from which it acquires an encryption key. See the list of C&C servers below for the addresses it connects to.
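The process chain above (Word opens the attachment, the macro drops comprendre.exe into %temp%, a hollowed svchost.exe downloads nnm12.exe, nnm12.exe hollows explorer.exe, and that explorer.exe spawns another svchost.exe) leaves parent/child relationships that a normal Windows session does not produce. The following is an added example, not ThreatTrack's code or output: a small set of assumed heuristics run over constructed process-creation events shaped like Sysmon Event ID 1 fields (image path, parent image path, command line). The rule names, the event layout and the sample paths are all assumptions made for the illustration.

```python
"""Process-chain heuristics for the macro -> Upatre -> process-hollowing -> CryptoWall
delivery described in the write-up. Added example, not ThreatTrack's code; the rule set
and the event shape (Sysmon Event ID 1-style fields) are assumptions, and the sample
events below are constructed to mirror the chain in the text."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    image: str            # full path of the newly created process
    parent_image: str     # full path of the process that created it
    command_line: str = ""


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# %TEMP% on a default Windows profile resolves to ...\AppData\Local\Temp; matching any
# "\Temp\" component is a deliberate (assumed) broadening so C:\Windows\Temp is caught too.
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(ev: ProcEvent) -> List[str]:
    """Return the names of every rule the event trips (empty list if nothing is odd)."""
    child, parent = basename(ev.image), basename(ev.parent_image)
    hits: List[str] = []
    if parent in OFFICE_APPS and child.endswith(".exe"):
        hits.append("office-spawns-exe")            # macro dropping comprendre.exe
    if TEMP_DIR_RE.search(ev.image):
        hits.append("exec-from-temp")               # dropper or downloaded payload in %temp%
    if child == "svchost.exe" and parent != "services.exe":
        hits.append("svchost-unexpected-parent")    # svchost.exe used as a hollowing container
    if child == "svchost.exe" and parent == "explorer.exe":
        hits.append("explorer-spawns-svchost")      # second stage launched by hollowed explorer
    if child == "explorer.exe" and parent not in {"userinit.exe", "explorer.exe"}:
        hits.append("explorer-unexpected-parent")   # explorer.exe started as a hollowing target
    return hits


def scan(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map pid -> tripped rules for every event that trips at least one rule."""
    flagged: Dict[int, List[str]] = {}
    for ev in events:
        hits = evaluate(ev)
        if hits:
            flagged[ev.pid] = hits
    return flagged


# Constructed sample events: a benign logon, the infection chain, and a legitimate svchost.
SAMPLE_EVENTS = [
    ProcEvent(1001, r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe"),
    ProcEvent(1100, r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
              r"C:\Windows\explorer.exe", '"WINWORD.EXE" E-TICKET_CONFIRM.doc'),
    ProcEvent(1101, r"C:\Users\alice\AppData\Local\Temp\comprendre.exe",
              r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"),
    ProcEvent(1102, r"C:\Windows\System32\svchost.exe",
              r"C:\Users\alice\AppData\Local\Temp\comprendre.exe"),
    ProcEvent(1103, r"C:\Users\alice\AppData\Local\Temp\nnm12.exe",
              r"C:\Windows\System32\svchost.exe"),
    ProcEvent(1104, r"C:\Windows\explorer.exe", r"C:\Users\alice\AppData\Local\Temp\nnm12.exe"),
    ProcEvent(1105, r"C:\Windows\System32\svchost.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(1200, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
              "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(hits))
```

Only the five events that belong to the chain are flagged; the logon-time explorer.exe, the Word process itself and the services.exe-launched svchost.exe pass clean. The svchost parent check is the one most worth keeping in production: on a stock system every svchost.exe is a child of services.exe, so any other parent is either a hollowing container or something else that needs a look.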
CryptoWall 4 is similar to CryptoWall 3, but this version also encrypts the filenames of the files it targets and displays a ransom message. The ransom message appears once the malware has finished encrypting files on the local drives.
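Because this version rewrites filenames as well as contents, the file-system activity looks like a burst of renames in which documents lose their recognisable extensions. The following is an added example, not ThreatTrack's code or tooling: a sliding-window heuristic over constructed rename events (timestamp in seconds, old path, new path) of the kind a file-system audit log would provide. The extension list, window length and threshold are assumptions to tune for your own environment.

```python
"""Sliding-window rename-burst heuristic for filename-encrypting ransomware such as the
CryptoWall 4 behaviour described in the write-up. Added example, not ThreatTrack's code.
Assumes a feed of rename events (timestamp_seconds, old_path, new_path); the extension
list, window and threshold are tunable assumptions and the sample events are constructed."""
from collections import deque
from typing import Deque, List, Tuple

RenameEvent = Tuple[float, str, str]   # (timestamp_seconds, old_path, new_path)

# Extensions user documents are expected to keep across a legitimate rename (assumed list).
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "jpg", "png", "txt", "zip"}


def extension(path: str) -> str:
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def looks_encrypted(old_path: str, new_path: str) -> bool:
    """A known document type that loses its recognisable extension on rename is a candidate."""
    return extension(old_path) in DOCUMENT_EXTS and extension(new_path) not in DOCUMENT_EXTS


def detect_bursts(events: List[RenameEvent], window_s: float = 10.0,
                  threshold: int = 5) -> List[Tuple[float, int]]:
    """Return (timestamp, count) for every candidate rename at which at least `threshold`
    candidate renames fell inside the trailing `window_s` seconds."""
    recent: Deque[float] = deque()
    alerts: List[Tuple[float, int]] = []
    for ts, old, new in sorted(events):
        if not looks_encrypted(old, new):
            continue
        recent.append(ts)
        while ts - recent[0] > window_s:       # drop candidates that fell out of the window
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append((ts, len(recent)))
    return alerts


# Constructed sample feed: two ordinary renames, a six-file encryption burst, one straggler.
SAMPLE_RENAMES: List[RenameEvent] = [
    (0, r"C:\Users\alice\Documents\draft.docx", r"C:\Users\alice\Documents\final.docx"),
    (50, r"C:\Users\alice\Documents\notes", r"C:\Users\alice\Documents\7f2a.q9"),
    (100, r"C:\Users\alice\Documents\report.docx", r"C:\Users\alice\Documents\3k9d2x.7ql"),
    (101, r"C:\Users\alice\Documents\budget.xlsx", r"C:\Users\alice\Documents\p0a8w.z1r"),
    (102, r"C:\Users\alice\Documents\slides.pptx", r"C:\Users\alice\Documents\m4nn1.b5"),
    (103, r"C:\Users\alice\Documents\scan.pdf", r"C:\Users\alice\Documents\q77e.x2k"),
    (104, r"C:\Users\alice\Pictures\holiday.jpg", r"C:\Users\alice\Pictures\a1c9.ptt"),
    (105, r"C:\Users\alice\Pictures\family.png", r"C:\Users\alice\Pictures\zz0v.rr4"),
    (130, r"C:\Users\alice\Documents\old.txt", r"C:\Users\alice\Documents\8jd.mm"),
]

if __name__ == "__main__":
    for ts, count in detect_bursts(SAMPLE_RENAMES):
        print(f"t={ts}s: {count} suspicious renames in window")
```

The first alert fires at the fifth encrypting rename (t=104) and the detector keeps reporting while the burst continues, which is the behaviour you want from an alert that should trigger an automatic response such as isolating the host. The lone rename at t=130 sits outside the window and does not alert on its own, so tune the threshold to the rename rate of your own file servers rather than the constructed values here.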
C&C Servers Malware Targets
URLs observed during analysis include:
- com.au/rxo5Zp.php (during analysis, the malware acquired its encryption key from this address)
- Win32.CryptoLocker.coce (v)
- OLE.Generic.a (v)
ThreatAnalyzer, ThreatTrack’s malware analysis sandbox, provides the following analysis insights:
Once infected, recovery is only possible by restoring from an external backup or paying the ransom.
Credit: Bernadette Canubas, Mark Cabel, Daryl Tupaz, Ariel Trimidal, Malware Researchers, ThreatTrack Security Labs
About the Author: ThreatTrack Security Labs
ThreatTrack Security Labs is the power behind the malware analysis, detection and remediation technologies developed by ThreatTrack Security. From facilities in the United States and the Philippines, our team of cybersecurity professionals, malware researchers, engineers and software developers work around the clock to discover and combat Advanced Persistent Threats, targeted attacks, Zero-days and other sophisticated malware. The company develops advanced cybersecurity solutions that Expose, Analyze and Eliminate the latest malicious threats, including its ThreatSecure advanced threat detection and remediation platform, ThreatAnalyzer malware behavioral analysis sandbox, ThreatIQ real-time threat intelligence service, and VIPRE business antivirus endpoint protection. Learn more about ThreatTrack Security.