Heimdal Security has issued an alert about a new drive-by campaign that uses the Angler exploit kit (EK) to spread CryptoWall 4.0.
Heimdal researchers said in a report that the criminals behind it are most likely located in Ukraine, with the first visible signs of the attack seen in Denmark, where more than 100 web pages have been injected with the initial malicious script. The firm said it has already blocked more than 200 additional domains being used to spread CryptoWall 4.0.
The report includes a diagram illustrating the scale of the campaign, which is centered on six servers hosted by the same provider in Ukraine.
Once the malicious script has been injected into a website, it downloads the Pony information stealer, which harvests every usable username and password it can find on the infected computer. The harvested credentials are sent to command-and-control servers run by the attackers.
Next, the victim is redirected from the compromised host domain to other domains that serve the Angler EK to the victim's computer. Angler then probes for vulnerable third-party software and for weaknesses in the Microsoft products installed on the machine.
“Once the security holes are identified, Angler will exploit them and force-feed CryptoWall 4.0 into the victim's system,” the report stated.
The CryptoWall malware then communicates with at least four Bitcoin payment gateways. Heimdal published them in defanged form (the "[.]" stands in for the dot so the addresses cannot be clicked or resolved by accident):
3wzn5p2yiumh7akj.partnersinvestpayto[.]com/npc5ea
3wzn5p2yiumh7akj.marketcryptopartners[.]com/npc5ea
3wzn5p2yiumh7akj.forkinvestpay[.]com/npc5ea
3wzn5p2yiumh7akj.effectwaytopay[.]com/npc5ea
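The practical use of a defanged list like the one above is to refang it and sweep web-proxy logs for contact with those hosts. The script below is an added example, not part of the report or the article: it refangs the four gateways, then scans a handful of constructed Squid-style access-log lines for (a) exact matches against the known hosts and (b) a looser heuristic, based on the observation that all four gateways share the same 16-character subdomain, which has the shape of a Tor v2 onion address fronted by a clearnet gateway. That heuristic, the generic Tor2web-style regex, and the sample log lines (including the example.net host) are this example's assumptions, not something the report states.

```python
import re

# The four defanged payment-gateway indicators published with the report.
DEFANGED_IOCS = [
    "3wzn5p2yiumh7akj.partnersinvestpayto[.]com/npc5ea",
    "3wzn5p2yiumh7akj.marketcryptopartners[.]com/npc5ea",
    "3wzn5p2yiumh7akj.forkinvestpay[.]com/npc5ea",
    "3wzn5p2yiumh7akj.effectwaytopay[.]com/npc5ea",
]


def refang(ioc):
    """Turn a defanged indicator back into its real, resolvable form."""
    return (ioc.replace("[.]", ".")
               .replace("(.)", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def host_of(url):
    """Bare, lower-cased hostname of a URL (scheme, path and port stripped)."""
    host = re.sub(r"^https?://", "", url).split("/", 1)[0]
    return host.split(":", 1)[0].lower()


def ioc_hosts(iocs):
    """Set of hostnames extracted from a list of defanged indicators."""
    return {host_of(refang(ioc)) for ioc in iocs}


KNOWN_HOSTS = ioc_hosts(DEFANGED_IOCS)

# Assumption: the shared 16-char subdomain is an onion-service ID (Tor v2 addresses are
# 16 base32 chars, [a-z2-7]) reached through a clearnet gateway. Matching that shape
# generically flags a not-yet-listed gateway that fronts the same onion service, at the
# cost of some false positives; tune or drop this for your own environment.
TOR2WEB_RE = re.compile(r"^[a-z2-7]{16}\.[a-z0-9-]+\.[a-z]{2,}$")

# Squid native access-log layout: time elapsed client code/status bytes method URL ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def classify(url):
    """Return 'known-ioc', 'tor2web-pattern', or None for a requested URL."""
    host = host_of(url)
    if host in KNOWN_HOSTS:
        return "known-ioc"
    if TOR2WEB_RE.match(host):
        return "tor2web-pattern"
    return None


def scan_log(lines):
    """Yield (client, url, verdict) for every log line that matches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify(m.group("url"))
        if verdict:
            hits.append((m.group("client"), m.group("url"), verdict))
    return hits


# Constructed sample log lines (not real traffic); example.net is a reserved name.
SAMPLE_LOG = """\
1449561600.123    210 10.0.0.15 TCP_MISS/200 4121 GET http://3wzn5p2yiumh7akj.partnersinvestpayto.com/npc5ea - DIRECT/203.0.113.9 text/html
1449561601.456    180 10.0.0.22 TCP_MISS/200 9821 GET http://www.example.org/index.html - DIRECT/203.0.113.10 text/html
1449561602.789    190 10.0.0.15 TCP_MISS/200 3900 GET http://3wzn5p2yiumh7akj.example.net/npc5ea - DIRECT/203.0.113.11 text/html
"""

if __name__ == "__main__":
    for client, url, verdict in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{verdict:16} {client:12} {url}")
```

A hit on "known-ioc" from an internal client after the infection window is a strong sign the ransomware has already run on that host and is fetching its payment page; treat it as an incident, not a blocklist event. The "tor2web-pattern" verdict is only a hunting lead and should be reviewed before being acted on.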
Heimdal noted that the Angler EK is used because it is hard for antivirus software to detect. The company therefore recommends keeping systems and applications updated to the latest available versions, backing up data, not keeping the only copy of important data on the computer, and staying away from suspicious websites.