CryptoWall 3.0 Ransomware Partners With FAREIT Spyware
We came across one crypto-ransomware variant that is combined with spyware, a first for crypto-ransomware. This development comes on the heels of the discovery that ransomware has added file infection to its routines.
CryptoWall 3.0
We first encountered CryptoWall as the payload of spammed messages last year. We noted that while other crypto ransomware variants have a graphical user interface (GUI) for their payment purposes, CryptoWall relied on other means—opening a Tor site to directly ask for payment or opening the ransom note in Notepad, which contained the instructions to access a payment page via a Tor browser.
But a lot of things have changed since those first CryptoWall sightings. The earlier versions of CryptoWall pretended to be CryptoLocker, even mimicking its UI for its messages. Since then, we have seen CryptoWall use its own name and UI for its victims.
Also gone is the use of Tor for its command-and-control (C&C) servers. The latest version, dubbed CryptoWall 3.0, now uses hardcoded URLs. Admittedly, using Tor can be seen as an advantage because of the anonymity it offers. But the disadvantage is that system admins can easily block Tor network traffic, or even the Tor application itself, if there is no legitimate need for it.
The hardcoded URLs are heavily obfuscated so that threat researchers cannot extract them easily. Since URL blocking is reactive, there is a delay before a block can be put in place. During this “window,” the malware could already have communicated with the C&C server and acquired the RSA public key to be used for file encryption.
It should be noted that its C&C server is different from its payment page. The malware still uses Tor for its payment page so that transactions would not be hindered if authorities try to take down its payment servers.
And perhaps as a “precautionary measure,” CryptoWall 3.0 deletes the system’s shadow copies to prevent files from being restored to a previous state, leaving victims with no other way to recover their files.
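Shadow-copy deletion is one of the few loud, host-visible steps in this chain, so it is a natural detection point. The following is an added example, not code from the post or from Trend Micro: it runs a small process-creation detection over constructed, Sysmon-style events. The post does not say which command CryptoWall 3.0 uses to delete shadow copies; the vssadmin and wmic patterns below are assumptions based on the well-known tooling for that job.

```python
import re

# Command-line patterns commonly used to wipe Volume Shadow Copies.
# The post only says the malware deletes shadow copies and does not name
# the command; these patterns are assumptions drawn from the usual tooling.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage\b.*/maxsize=", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy\b.*\.Delete\(", re.I),
]


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """Return True if the command line matches a known shadow-copy wipe."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def scan_process_events(events):
    """events: iterable of dicts with 'host', 'user', 'image' and 'cmdline'
    (the fields a Sysmon Event ID 1 record carries). Returns the subset
    that look like shadow-copy deletion."""
    return [e for e in events if is_shadow_copy_deletion(e["cmdline"])]


# Constructed sample records; illustrative only, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "ws01", "user": "alice",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\ransom-note.txt"},
    {"host": "ws02", "user": "SYSTEM",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "ws03", "user": "bob",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
]


if __name__ == "__main__":
    for hit in scan_process_events(SAMPLE_EVENTS):
        print(f"ALERT {hit['host']} {hit['user']}: {hit['cmdline']}")
```

Listing shadow copies is left out of the match on purpose: backup agents and admins do that routinely, whereas deleting all shadows from an interactive user session is rare enough to alert on directly.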
Using JavaScript and “JPEGS”
CryptoWall 3.0 arrives via spammed emails with a JavaScript attachment. In the screenshot below, the attachment poses as a resume inside an archive file. A .JS file (detected as JS_DLOADR.JBNZ, JS_DLOAD.CRYP, and JS_DLOADE.XXPU) is extracted from the archive, which is peculiar, as the file extensions usually associated with resumes are .DOC, .PDF, and .RTF.
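The mismatch the post points out, a script file where a document is expected, is something a mail gateway can check before the archive reaches a user. The following is an added example, not code from the post or from Trend Micro: it opens an attachment archive in memory and flags members whose final extension is a script type. Only .JS comes from the post; the other Windows Script Host extensions in the list, and the helper that builds the constructed sample archives, are assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions to treat as executable script content inside an archive
# attachment. The post names .JS; the other entries are assumed additions
# covering the common Windows Script Host formats.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}


def suspicious_entries(archive_bytes: bytes):
    """Return the names of archive members whose last extension is a script type.
    Double extensions such as 'resume.pdf.js' are caught because only the last
    suffix decides what Windows will run."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = PurePosixPath(info.filename).suffixes
            if suffixes and suffixes[-1].lower() in SCRIPT_EXTENSIONS:
                hits.append(info.filename)
    return hits


def classify_attachment(archive_bytes: bytes) -> str:
    """'block' if the archive carries script files, 'allow' otherwise."""
    return "block" if suspicious_entries(archive_bytes) else "allow"


def build_zip(members):
    """Build an in-memory zip from {name: bytes}. Only used here to construct
    sample attachments; a gateway would read the real attachment bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a lure archive carrying a script posing as a resume,
# and a benign archive holding the document types one expects for a resume.
LURE_ZIP = build_zip({"resume.pdf.js": b"// placeholder content, not malware\n"})
BENIGN_ZIP = build_zip({"resume.pdf": b"%PDF-1.4 placeholder",
                        "cover_letter.docx": b"placeholder"})


if __name__ == "__main__":
    for label, data in (("lure", LURE_ZIP), ("benign", BENIGN_ZIP)):
        print(label, classify_attachment(data), suspicious_entries(data))
```

Checking the member name rather than the archive name matters: the outer file in the post is a plausible-looking archive, and the script only becomes visible once the archive is listed.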

CryptoWall 3.0 Ransomware Partners With FAREIT Spyware | Security Intelligence Blog | Trend Micro