Researchers said this highlights that the campaign continues to stick with ransomware and shows how viable the ransomware business is for the criminals behind the campaign.
Researchers said this highlights that the campaign continues to stick with ransomware and shows how viable the ransomware business is for the criminals behind the campaign.

The pseudo-Darkleech campaign has been very adaptive over that past twelve months cycling through three different Exploit Kits (EKs) and five different ransomware payloads since this time last year.

Palo Alto Networks Unit 42 researchers said this underscores the campaign continues to stick with ransomware and shows how viable the ransomware business is for the criminals behind the campaign.

The infection sequence usually begins with the victim host viewing a compromised website with malicious injected script, according to a Dec. 30, 2016, blog post. The injected script then generates an HTTP request for an EK landing page and then the EK landing page determines if the computer has any vulnerable browser-based applications. The EK then sends and exploit for any vulnerable applications which may include out dated versions of Internet Explorer or Flash player.

If the exploit is successful, the EK sends a payload and executes it as a background process finalizing with the victim's host being infected by the malware payload, researchers said.

The pseudo-Darkleech campaign first used Angler EK until Angler's disappearance in mid-June 2016 then, like many other campaigns, it switched to Neutrino EK. Afterwards, the campaign stayed with Neutrino EK until mid-September 2016 until Neutrino EK ceased operations, the blog said.

Most recently, campaign switched to Rig EK beginning in mid-September 2016 although researchers still reported seeing indications of a Neutrino EK variant, but at much lower levels than before.

Researchers said that over time the payloads have evolved as well ranging from TeslaCrypt in March 2016, to CryptXXX in April of 2016 until the ransomware's encryption keys were released, to a new variant of a new variant of CryptXXX ransomware dubbed “CrypMIC,” and most recently to Cerber as of October 2016.

“While the pseudo-Darkleech campaign has undergone significant changes over time, one thing that is constant is its use of Exploit Kits (EKs) to deliver malware,” Unit 42 Threat Intelligence Analyst Brad Duncan told SC Media. “This means people who use browsers and applications like Internet Explorer, Microsoft Edge, and Adobe Flash player that are out of date or unpatched are at most risk of infection.”

Duncan said that EKs are focused on wide-scale distribution of malware and that anyone with a vulnerable system is prone to infection.