CryptoWall Snakes Back Via Malicious Help Files


The CryptoWall ransomware appears to be coming back from a short hiatus, with a new attack campaign that spreads the misery via malicious help files.

A spam wave has targeted hundreds of mailboxes with malicious .chm attachments. The .chm extension belongs to the Compiled HTML Help file format, which is commonly used to package user manuals. As most computer users will recognize, a help file typically bundles a set of HTML documents, images and JavaScript files together with a hyperlinked table of contents, an index and full-text search.

Malware researchers from Bitdefender Labs noted that because .chm files are highly interactive, with plenty of hooks and links out to the web, a user can be exposed to an external URL simply by opening a .chm file.

“Attackers began exploiting .chm files to automatically run malicious payloads once the file is accessed,” explained Bitdefender security analyst Alexandra Gheorghe in a blog post. “And it makes perfect sense: The less user interaction, the greater the chances of infection.”
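Because the campaign relies on a help-file attachment that executes as soon as it is opened, the practical defensive control is to catch .chm attachments at the mail gateway before a user ever sees them. The following Python script is an added example, not code from the article or from Bitdefender: it parses a raw email, walks its attachments, and flags any part whose declared extension is .chm or whose first bytes carry the Compiled HTML Help signature ("ITSF"), so a renamed file is caught as well. The sample message, sender and recipient addresses, and the stub attachment bytes are all constructed for the demonstration; the stub only reproduces the four-byte signature and is not a real help file.

```python
import os
import email
from email import policy
from email.message import EmailMessage

# Every Compiled HTML Help (CHM) file begins with the ASCII signature "ITSF".
# Only the signature is checked here; the rest of the header is not parsed.
CHM_MAGIC = b"ITSF"
RISKY_EXTENSIONS = {".chm"}


def attachment_findings(raw_message: bytes) -> list:
    """Parse a raw RFC 822 message and report attachments that look like CHM
    help files, either by declared filename extension or by file signature.

    Returns a list of {"filename": ..., "reasons": [...]} dicts, one per
    flagged attachment, in message order.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name)[1].lower()
        reasons = []
        if ext in RISKY_EXTENSIONS:
            reasons.append("chm-extension")
        if data.startswith(CHM_MAGIC):
            reasons.append("chm-signature")
            # A CHM signature under a non-.chm name means the extension lies.
            if ext not in RISKY_EXTENSIONS:
                reasons.append("extension-mismatch")
        if reasons:
            findings.append({"filename": name, "reasons": reasons})
    return findings


def build_sample_message() -> bytes:
    """Constructed sample message (hypothetical addresses, stub attachments).
    It is NOT a real message from the campaign described in the article."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Your documentation"
    msg.set_content("Please see the attached help file.")
    # Stub with the CHM signature followed by zero padding (not a valid CHM).
    fake_chm = CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 88
    msg.add_attachment(fake_chm, maintype="application",
                       subtype="octet-stream", filename="manual.chm")
    msg.add_attachment("just text", filename="notes.txt")
    # Same stub bytes under a harmless-looking name: caught by signature.
    msg.add_attachment(fake_chm, maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in attachment_findings(build_sample_message()):
        print(finding["filename"], "->", ", ".join(finding["reasons"]))
```

Run as a script, it reports `manual.chm` (extension and signature) and `invoice.pdf` (signature only, with an extension mismatch) and stays silent on `notes.txt`. In a gateway deployment the flagged parts would be quarantined rather than printed; the signature check matters because a pure extension filter is bypassed by a rename.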

The email blast detected by the firm targeted a couple hundred users, from spam servers that appear to be in Vietnam, India, Australia, the US, Romania and Spain. After analyzing the recipient domain names, Bitdefender determined that the attackers are casting a wide net, looking for victims from around the world, including those in the US, Europe and Australia.

In February, Cisco found that CryptoWall had evolved into a third-generation baddie, with a streamlined dropper and new functionality such as I2P anonymous network communication. The changes likely indicate that CryptoWall’s authors are focusing more on exploit kits as an attack vector.

As always, users should be wary of paying the ransom, should an infection occur—and should keep a copy of their important data backed up on external drives or to cloud storage.
