Today, we came across a website providing free Christmas graphics along with an early but unwanted Christmas present. The website christmas-graphics-plus[.]com is injected with malicious code that leads users on a virtual sleigh ride to Angler Exploit Kit (EK) and drops the new CryptoWall 4.0 ransomware. If you were to visit this grotto, then all of your documents would be encrypted and held to ransom - including your Christmas card address book. The real Nightmare Before Christmas.
- Stage 2 (Lure) - ACE identified the malicious code injected into the compromised website.
- Stage 3 (Redirect) - ACE identified the malicious redirect staging website.
- Stage 4 (Exploit Kit) - ACE identified Angler EK and prevented exploits from getting to the customer's machine.
- Stage 6 (Call Home) - ACE identified and prevented the CryptoWall 4.0 command-and-control (C&C) traffic.
The website that was compromised in this attack is christmas-graphics-plus[.]com which provides free Christmas graphics for anybody to use, and is of course popular at this time of year.
We believe the site was compromised on or around the 6th November 2015. SimilarWeb shows how the popularity has increased in the lead up to Christmas (see below). We estimate that in the intervening time, up to 60,000 victims may have been targeted by this attack:
The site is injected with an HTML iFrame that leads to a malicious Traffic Direction System (TDS) which determines whether or not the user should be sent on to more malicious code. Factors in determining this include: browser User-Agent, IP address and referring website. For example, somebody using Internet Explorer on an IP address that has not been seen before is considered a good candidate, whereas a user browsing from Google Chrome might not be targeted at all.
Exploit Kit & CryptoWall 4.0
Here is how the attack works in the background:
The iFrame leads to the TDS which then sends us on to an Angler Exploit Kit landing page. This landing page determines which vulnerabilities are likely to be present on our system and then decides on an exploit to target one of these vulnerabilities (previously blogged). In our case, the only vulnerability that was exploitable on our system was in our intentionally outdated Adobe Flash Player version 126.96.36.199. This vulnerability (CVE-2015-8446) is the newest Flash Player exploit in the wild, which was recently reported by Kafeine on his blog.
Once the Flash Player exploit successfully gained a foothold on our system, it downloaded the CryptoWall 4.0 ransomware from the Angler EK server. This ransomware is newer version of the CryptoWall malware (previously version 3.0), which now randomises filenames as well as encrypting most of the documents found on a machine. After our files were encrypted, we were then requested to pay 500 USD to get the files back.
Of course, we didn't pay the ransom because we were running the malware on a virtual machine with no important files on and besides, we have spent all of our money on Christmas presents already.
Attackers are becoming increasingly intelligent, choosing to compromise websites that they know will be popular during holidays and special occasions. Without adequate protection or updates to your software, you remain particularly vulnerable to these sorts of attacks which will occur in the background and do not require any user interaction. Remember: software updates are for life and not just for Christmas, so make sure you are always up to date!