The CryptoWall 4.0 ransomware is being spread via exploit kits, with the Nuclear exploit kit (EK) being the first major crimekit to infect machines with this type of malware, Rackspace security researcher Brad Duncan has discovered.
In a blog post published by the SANS Internet Storm Center, Duncan explains that the “BizCN gate” actor started sending CryptoWall 4.0 payloads from the Nuclear EK on Friday, November 20. The BizCN gate actor has been known to distribute malware via the Nuclear EK, but started using CryptoWall only on November 19, when the ransomware in the payload was at version 3.0.
CryptoWall 4.0 was spotted for the first time in early November, less than a year after its predecessor made a debut on the malware scene. The updated threat encrypts not only the content of the files on infected machines, but also file names, which prevents victims from recognizing them, while also featuring an updated ransom note, which claims that the CryptoWall Project is not malicious.
In early November, researchers at Heimdal Security reported that CryptoWall 4.0 includes advanced malware dropper mechanisms and improved communication capabilities, such as a modified protocol that enables it to avoid detection. Similar to previous versions, it uses the Decrypt Service website for payments, and asks victims to pay 1.83 Bitcoin, roughly $700, for the private key to decrypt their files.
Until now, CryptoWall 4.0 has been spreading through spam emails, and this is the first time it has been spotted in an exploit kit. However, considering that CryptoWall 3.0 has been spreading through Nuclear, Angler, and other exploit kits, chances are that the actors behind them will start including CryptoWall 4.0 among their malicious payloads in the near future.
According to Duncan, the BizCN gate actor currently spreading the ransomware via Nuclear EK has recently switched IP addresses from the 136.243.0.0/16 block (Germany – TK Rustelekom LLC) to 46.172.83.0/24 (Ukraine – PE Fesenko Igor Mikolayovich). He also notes that injected script pointing to the BizCN-registered gate can be observed on the pages of compromised websites.
He explains that URL patterns in HTTP GET requests are distinctive, and that HTTP GET requests to the gate domain return JavaScript that was sent gzip-compressed. By analyzing the payload, traces of Nuclear EK were found, and Duncan says that the EK exploits a Flash vulnerability on the website to successfully infect Windows hosts.
The researcher also discovered that the version of CryptoWall sent by the BizCN gate actor differs from other instances of the malware and that it looks like an NSIS installer, placing custom artifacts in the infected user’s AppData\Local\Temp directory.
While CryptoWall 4.0 has been noticed only in Nuclear EK and is associated only with the BizCN gate actor as of now, Duncan expects it to appear in other EKs soon. He also notes that BizCN might change tactics, in an attempt to go undetected, though the researcher is certain that the gate actor can be found again, unless it initiates a drastic change.
In late October, the Cyber Threat Alliance said in a report that CryptoWall 3.0 campaigns appear to be initiated by a single entity. They also noted that the primary Bitcoin wallets used in these operations indicated that the masterminds behind the malware made more than $300 million.
In June, the FBI estimated that over 992 CryptoWall-related complaints received between April 2014 and June 2015 resulted in more than $18 million in losses.
