CryptoWall 4 Targets Bookings.com Customers

ThreatTrack Security Labs researchers caught wind of a phishing email masquerading as a Booking.com message. The email carries an “E-TICKET_CONFIRM.doc” attachment that, once downloaded and opened, walks the user through the steps to enable the embedded macro code, which infects the computer with CryptoWall.

CryptoWall 4 masked as a Bookings.com email.

How It Infects Your System: If the user ignores Microsoft’s default security warning and enables the macro, the computer becomes infected when the malicious macro code drops and executes an Upatre variant. Upatre then drops a file named comprendre.exe in the %temp% folder; this file spawns a child process and later overwrites that child with the downloader code.

This Upatre variant uses a common malware technique called process hollowing (also known as dynamic forking) to ultimately infect the computer with CryptoWall. Process hollowing runs a legitimate process so the malware appears normal; in this particular Upatre variant, a newly created instance of svchost.exe is the target and acts as the container for the malicious code. That code downloads the file hXXp://www.gpul<BLOCKED>n.com/8170/nnm12.exe, a CryptoWall 4 sample. Check out the screenshots below to see ThreatTrack’s ThreatSecure analysis of this file.

A snapshot of ThreatSecure's analysis of CryptoWall.

Detailed view of the ThreatSecure analysis.

CryptoWall viewed in the ThreatSecure dashboard.

This file uses the process hollowing technique on explorer.exe. The hollowed explorer.exe then spawns another instance of svchost.exe, which also contains malicious code, and that instance contacts a set of sites to acquire an encryption key. Be sure to check the list of C&C servers below to see where it connects.
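The parent/child relationships described above (an Office process dropping a binary, a %temp% executable creating svchost.exe, a hollowed explorer.exe creating svchost.exe) are what a defender can hunt for in process-creation telemetry. The following script is an added example, not code from the original post or from ThreatTrack; it runs three heuristics over constructed Sysmon-style events, and the expected-parent table it uses is an assumption about normal Windows behaviour.

```python
import ntpath
from typing import Dict, List

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Assumption (heuristic): which processes normally create these hollowing hosts.
EXPECTED_PARENTS = {
    "svchost.exe": {"services.exe"},
    "explorer.exe": {"userinit.exe", "winlogon.exe", "explorer.exe"},
}

# Constructed sample events modelled on the chain in the post (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "parent": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\alice\AppData\Local\Temp\comprendre.exe", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Users\alice\AppData\Local\Temp\comprendre.exe"},
    {"pid": 400, "ppid": 5,   "image": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Windows\System32\services.exe"},
    {"pid": 500, "ppid": 300, "image": r"C:\Users\alice\AppData\Local\Temp\nnm12.exe", "parent": r"C:\Windows\System32\svchost.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\explorer.exe", "parent": r"C:\Users\alice\AppData\Local\Temp\nnm12.exe"},
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Windows\explorer.exe"},
]


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def _in_temp(path: str) -> bool:
    """True if the image lives under a Temp directory (where %temp% points)."""
    return "\\temp\\" in path.lower()


def analyze_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules this process-creation event trips."""
    child, parent = _name(ev["image"]), _name(ev["parent"])
    hits: List[str] = []
    if parent in OFFICE_APPS and child not in OFFICE_APPS:
        hits.append("office-spawned-child")            # macro dropping the Upatre stage
    if _in_temp(ev["parent"]) and child in EXPECTED_PARENTS:
        hits.append("temp-binary-spawned-system-host")  # hollowing host born from %temp%
    if child in EXPECTED_PARENTS and parent not in EXPECTED_PARENTS[child]:
        hits.append("unexpected-parent-for-" + child)   # e.g. explorer.exe -> svchost.exe
    return hits


def detect(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map pid -> triggered rules for every event in the stream that trips one."""
    return {ev["pid"]: hits for ev in events if (hits := analyze_event(ev))}


if __name__ == "__main__":
    for pid, rules in detect(SAMPLE_EVENTS).items():
        print(pid, rules)
```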

CryptoWall 4 is similar to CryptoWall 3, but this version also encrypts the filenames of the files it targets and displays a ransom message. The ransom message appears once the malware has encrypted files on the local drives.

A ransom message appears once you try to access files infected with CryptoWall.

C&C Servers Malware Targets

URLs observed during analysis include:

ThreatSecure Network identified this threat, which was targeting a telecommunications firm, as malicious, and VIPRE endpoint security detects the infected .doc as:

  • Win32.Generic!BT
  • Win32.CryptoLocker.coce (v)
  • OLE.Generic.a (v)

ThreatAnalyzer, ThreatTrack’s malware analysis sandbox, provides the following analysis insights:

Infected Word document shown in ThreatAnalyzer.

Once infected, recovery is only possible by restoring from an external backup or paying the ransom.

Credit: Bernadette Canubas, Mark Cabel, Daryl Tupaz, Ariel Trimidal, Malware Researchers, ThreatTrack Security Labs

ThreatTrack Security Labs