CryptoWall 3.0 Attacks via Google Drive

A fresh drive-by campaign that abuses vulnerabilities in the Google Drive platform is serving up CryptoWall 3.0.

Heimdal Security uncovered the campaign, where an initial payload is delivered through the popular Google Drive platform before downloading and running the ransomware from a long list of compromised webpages.

On the enemy pages, several malicious scripts force the user to a narrow selection of dedicated domains used in the campaign (more than 80 active domains),” explained Heimdal spokesperson Andra Zaharia, in a blog.

These domains make use of a commercial exploit kit known as RIG, which will try to abuse vulnerabilities in JavaJRE, Adobe Reader, IE and Flash Player. RIG was the most prevalent exploit kit used in 2014 by cybercriminals according to Heimdal, accounting for 25% of all exploit kits used.

“The low price for use of the RIG exploit kit likely contributed to its popularity in 2014,” Zaharia said. “RIG rental sent criminals back only $150 a week compared to, for example, $750 a week for Neutrino.”

If the victim’s system is not fully updated the EK will drop a file that contacts a series of predefined Google drive URLs before delivering the main objective.

A total of 45 compromised websites are used as delivery platforms.

CryptoWall 3.0 encrypts a variety of data files on the local hard drive and available network drives with a RSA2048 key. The communication then takes place via Tor gateways for anonymity.

“Antivirus detection is low in this campaign, which is deftly released and goes undetected past most endpoint security solutions because of its delivery method,” said Zaharia.

CryptoWall, a variant of last year’s CryptoLocker, came back in its third generation form six months ago, and has been dispersed in at least three strong campaigns since. Unlike its predecessors, it is polymorphic, and has an advanced and extensive infrastructure that can evade detection and take-down attempts.

Users can take steps to protect themselves with the usual vigilance. “Drive-by attacks can also happen while viewing an email or if the user clicks on a deceptive pop-up window on a website,” Zaharia said. “Be very careful about which online destination you access, whether they’re websites or popular services such as Google Drive, which is being used in this particular CryptoWall campaign. Never click on links in e-mails received from people you don’t know.”

What’s Hot on Infosecurity Magazine?