Campaign was active even before we knew about CryptoWall 4.0

Nov 28, 2015 09:40 GMT

Around three weeks ago, the world was introduced to CryptoWall 4.0, the latest version of one of the most dangerous ransomware families ever created.

Now, security researcher Brad Duncan is reporting for ISC (Internet Storm Center) on a recently observed cybercrime campaign that utilizes the Nuclear exploit kit to deliver the latest CryptoWall versions to unsuspecting victims.

CryptoWall, a piece of ransomware that encrypts a user's data files and then sends the decryption key to its C&C server, has yet to be cracked.

First time CryptoWall 4.0 has been seen together with an exploit kit

Compared to CryptoWall 3.0, which is extremely popular with cyber-criminals employing exploit kits for their malicious campaigns, this is the first time version 4.0 has been observed being delivered by a crime kit anywhere.

According to Mr. Duncan, this most recent campaign is being carried out via domains anonymously registered via the Chinese BizCN domain registrar. The campaign was first spotted on November 2, three days before the news of CryptoWall 4.0's existence leaked to the press.

Mr. Duncan also observed that this particular campaign uses intermediary servers between the user and the page where the exploit kit is hosted.

Campaign uses intermediary gate servers before redirecting users to the exploit kit

These intermediary gate servers were all using the BizCN-registered domains. Mr. Duncan identified the cyber-gang responsible for this campaign as the BizCN Gate Actor.

The presence of these gate servers is likely explained by the criminals filtering incoming traffic to make sure that only users who can actually be compromised reach the exploit kit. This is usually done to maximize exploit kit efficiency, to avoid reverse-engineering by security vendors, and to cut down bandwidth usage on the exploit kit landing page.
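From the defender's side, a gate shows up in web proxy logs as an extra hop in a redirect chain: the user leaves a legitimate page, is bounced through a short-lived domain that answers with a redirect, and lands on a third domain. The script below is an added example, not code from the ISC diary or from Mr. Duncan; it reconstructs redirect chains from constructed proxy log lines by following the Referer field and flags intermediate hops that redirect, sit on a third domain, and were registered recently. The log lines, domain names and registration dates are all constructed, and in a real deployment the registration data would come from WHOIS or passive DNS.

```python
"""Reconstruct redirect chains from proxy logs and flag gate-style hops.

Added example for illustration; the log lines, domains and registration
dates below are constructed and are not from the ISC diary.
"""
from datetime import date
from urllib.parse import urlparse

# Constructed proxy log: time client status url referer ("-" when absent).
PROXY_LOG = """\
2015-11-02T10:00:01 10.0.0.5 200 http://legit-blog.example/post.html -
2015-11-02T10:00:02 10.0.0.5 302 http://gate-one.example/in.php?id=7 http://legit-blog.example/post.html
2015-11-02T10:00:03 10.0.0.5 200 http://landing.example/index.php?x=abc http://gate-one.example/in.php?id=7
2015-11-02T10:05:00 10.0.0.7 200 http://news.example/ -
2015-11-02T10:05:01 10.0.0.7 302 http://cdn.example/go http://news.example/
2015-11-02T10:05:02 10.0.0.7 200 http://news.example/story.html http://cdn.example/go
"""

# Constructed domain registration dates; in practice from WHOIS or passive DNS.
REGISTERED = {
    "legit-blog.example": date(2009, 3, 1),
    "gate-one.example": date(2015, 10, 28),
    "landing.example": date(2015, 10, 30),
    "news.example": date(2005, 6, 12),
    "cdn.example": date(2010, 1, 1),
}


def parse_log(text):
    """Split each log line into a record; a referer of '-' becomes None."""
    records = []
    for line in text.splitlines():
        ts, client, status, url, ref = line.split()
        records.append({
            "day": date.fromisoformat(ts[:10]),
            "client": client,
            "status": int(status),
            "url": url,
            "ref": None if ref == "-" else ref,
        })
    return records


def build_chains(records):
    """Link each request to the earlier request (same client) its Referer names."""
    path_to = {}  # (client, url) -> list of records leading to that request
    for r in records:
        parent = path_to.get((r["client"], r["ref"])) if r["ref"] else None
        path_to[(r["client"], r["url"])] = (parent or []) + [r]
    return list(path_to.values())


def host(url):
    return urlparse(url).hostname


def gate_like(hop, prev_hop, next_hop, registered, max_age_days):
    """A gate hop redirects, sits on a third domain, and is recently registered."""
    h = host(hop["url"])
    if not 300 <= hop["status"] < 400:
        return False
    if h in (host(prev_hop["url"]), host(next_hop["url"])):
        return False
    reg = registered.get(h)
    return reg is not None and (hop["day"] - reg).days <= max_age_days


def flag_gate_chains(records, registered, max_age_days=60):
    """Return one finding per chain that passes through a gate-like hop."""
    flagged = []
    for chain in build_chains(records):
        for i in range(1, len(chain) - 1):
            if gate_like(chain[i], chain[i - 1], chain[i + 1], registered, max_age_days):
                flagged.append({
                    "client": chain[0]["client"],
                    "gate": host(chain[i]["url"]),
                    "path": [host(r["url"]) for r in chain],
                })
    return flagged


if __name__ == "__main__":
    for finding in flag_gate_chains(parse_log(PROXY_LOG), REGISTERED):
        print(finding["client"], " -> ".join(finding["path"]), "gate:", finding["gate"])
```

The second client's hop through cdn.example also redirects and sits on a third domain, but the domain is years old, so it is not flagged; the registration-age check is what separates an ordinary CDN or tracking redirect from a freshly registered gate. The 60-day threshold is an assumption chosen for the example, not a figure from the article.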

According to recent data compiled by InfoBlox, the Nuclear exploit kit is fourth in popularity among cyber-crooks, with a market share of 16%. The top of the list is occupied by Angler with 30%, followed by Magnitude with 29%, and Neutrino with 21%.

Image: CryptoWall 4.0 infection

Image: BizCN Gate Actor campaign