CryptoWall ransomware with a valid digital signature is being delivered as part of a widespread malvertising campaign, according to Barracuda Labs.
Drive-by downloads were detected as coming from hindustantimes[.]com, bollywoodhungama[.]com, one[.]co[.]il, codingforums[.]com, and mawdoo[.]com, according to a Sunday post, which explains that the ransomware in each instance was delivered via the Zedo ad network.
A specific subchain “is common to every site's sequence of events,” and in that subchain, “ss1[.]zedo[.]com served obfuscated JavaScript that began a series of redirects to malicious content,” according to the post. “The last site, xenon[.]asapparts[.]com, redirected to one of several different exploit kit-backed sites.”
The initial VirusTotal results showed zero detections; however, the program has since been deemed malicious by additional tools, the post indicates.
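To hunt for the subchain quoted above, a defender can rebuild Referer chains from web proxy logs and flag clients that travelled from the Zedo ad host to the last redirector, recording the host requested next. This is an added example, not code from the Barracuda Labs post; the log layout, URL paths and `*.example` hosts are constructed, and it assumes the proxy records a Referer for each hop.

```python
from urllib.parse import urlsplit

# Hosts named in the post, stored defanged and refanged only for matching.
AD_HOST = "ss1[.]zedo[.]com".replace("[.]", ".")
LAST_HOP = "xenon[.]asapparts[.]com".replace("[.]", ".")

# Constructed proxy records: (client IP, requested URL, Referer header).
# Paths and *.example hosts are placeholders, not indicators from the post.
SAMPLE_LOG = [
    ("10.0.0.5", "http://news.example/story", ""),
    ("10.0.0.5", f"http://{AD_HOST}/ad.js", "http://news.example/story"),
    ("10.0.0.5", "http://hop1.example/r", f"http://{AD_HOST}/ad.js"),
    ("10.0.0.5", f"http://{LAST_HOP}/go", "http://hop1.example/r"),
    ("10.0.0.5", "http://landing.example/x", f"http://{LAST_HOP}/go"),
    ("10.0.0.9", "http://news.example/story", ""),
    ("10.0.0.9", f"http://{AD_HOST}/ad.js", "http://news.example/story"),
    ("10.0.0.9", "http://cdn.example/banner.png", f"http://{AD_HOST}/ad.js"),
]


def host(url):
    """Lower-cased hostname of a URL, or '' when there is none."""
    return (urlsplit(url).hostname or "").lower()


def find_chains(records):
    """Map each client whose Referer chain runs AD_HOST -> ... -> LAST_HOP
    to that chain, ending with the host requested right after LAST_HOP."""
    parent, hits = {}, {}  # parent: (client, host) -> first referring host
    for client, url, referer in records:
        h, r = host(url), host(referer)
        if r and r != h:
            parent.setdefault((client, h), r)
        if r == LAST_HOP and h != LAST_HOP:
            chain, cur = [h], LAST_HOP
            while cur and cur not in chain:  # walk Referers back, stop on loops
                chain.append(cur)
                cur = parent.get((client, cur))
            chain.reverse()
            if AD_HOST in chain:
                hits[client] = chain[chain.index(AD_HOST):]
    return hits


if __name__ == "__main__":
    for client, chain in find_chains(SAMPLE_LOG).items():
        print(client, " -> ".join(chain))
```

The final host in each reported chain is the one to triage first, since the post says the last site redirected to exploit kit-backed sites.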