Nuclear EK Used for Spreading Ransomware CryptoWall 4.0


Brad Duncan, security researcher at Rackspace, has found that exploit kits, in particular the Nuclear Exploit Kit, are being used to distribute the CryptoWall 4.0 ransomware and infect computers with it, threatpost.com reported on November 25, 2015.

Duncan says he had always expected CryptoWall 4.0 to replace version 3.0 before spreading widely. He had observed the same pattern in 2014, when CryptoWall 2.0 replaced the first version of CryptoWall. Such replacements did not happen all at once: they began with spam campaigns and then moved on to exploit kits.

Duncan further explains that when criminals begin pushing CryptoWall 4.0 through exploit kits, the switch does not happen across all exploit kits at the same time. It starts with one exploit kit (EK), then another, and then another. Eventually all the EKs will have moved to the latest CryptoWall version.

The actor behind the recent attacks used BizCN-registered domains and changed the IP addresses of the gate domains, which act as intermediary servers connecting the compromised websites to the server hosting the EK. This particular actor, according to Duncan, used the Nuclear EK to deliver the malware.

The researcher describes how the operation works: the gate servers check which browser and operating system a potential victim is running by inspecting the user-agent string in the HTTP headers the victim's browser sends. The gate server's response depends on that user-agent string. For the BizCN gates, any non-Windows OS receives a "404 Not Found" response, so no resources are wasted on a host that cannot be exploited. When the user-agent string shows a host running Windows, the gate server responds with "200 OK", which subsequently generates traffic to the server hosting the EK, Duncan says. Sensortechforum.com reported this on November 26, 2015.
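The user-agent gating Duncan describes leaves a visible pattern in outbound proxy logs: one URL answering Windows browsers with 200 while answering every other OS with 404. The following is an added Python example, not code from the article or from Duncan's diary, that flags such URLs in a constructed log excerpt; the log layout and the `*.example.invalid` domains are assumptions.

```python
import re
from collections import defaultdict

# Constructed proxy log excerpt (not from the article). Fields: client, method,
# host/path, quoted user-agent, HTTP status. Domains are placeholders.
SAMPLE_LOG = """\
10.0.0.5 GET gate.example.invalid/forum.php "Mozilla/5.0 (Windows NT 6.1; WOW64) Firefox/42.0" 200
10.0.0.6 GET gate.example.invalid/forum.php "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11) Safari/601.2" 404
10.0.0.7 GET gate.example.invalid/forum.php "Mozilla/5.0 (X11; Linux x86_64) Chrome/46.0" 404
10.0.0.8 GET gate.example.invalid/forum.php "Mozilla/5.0 (Windows NT 10.0) Chrome/46.0" 200
10.0.0.9 GET www.example.invalid/news.html "Mozilla/5.0 (X11; Linux x86_64) Chrome/46.0" 200
10.0.0.5 GET www.example.invalid/news.html "Mozilla/5.0 (Windows NT 6.1; WOW64) Firefox/42.0" 200
10.0.0.6 GET cdn.example.invalid/missing.js "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11) Safari/601.2" 404
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" (\d{3})$')


def is_windows_ua(user_agent):
    """Crude OS check on the user-agent string, the same field the gate inspects."""
    return "Windows" in user_agent


def parse_log(text):
    """Yield (url, user_agent, status) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match:
            _client, _method, url, user_agent, status = match.groups()
            yield url, user_agent, int(status)


def find_ua_gated_urls(text):
    """Return URLs that answered Windows user-agents only with 200 and
    non-Windows user-agents only with 404, the split Duncan describes.
    Both OS families must have been observed, so a URL seen from one
    family alone (cdn.example.invalid/missing.js above) is never flagged."""
    statuses = defaultdict(lambda: {"windows": set(), "other": set()})
    for url, user_agent, status in parse_log(text):
        family = "windows" if is_windows_ua(user_agent) else "other"
        statuses[url][family].add(status)
    flagged = [
        url for url, seen in statuses.items()
        if seen["windows"] == {200} and seen["other"] == {404}
    ]
    return sorted(flagged)


if __name__ == "__main__":
    for url in find_ua_gated_urls(SAMPLE_LOG):
        print("possible user-agent gate:", url)
```

Treat a hit as a triage signal rather than proof, since some legitimate sites also vary their responses by user-agent.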

In conclusion, Duncan notes that since he has exposed the criminals behind the BizCN gate attack, the attackers may be compelled to change their methods. If no drastic change occurs, the attacks can happen again. Should the situation change substantially, another diary entry from Duncan can be expected.

» SPAMfighter News - 12/9/2015
