Ransomware Cryptowall makes a comeback via malicious help files

Infamous ransomware Cryptowall has made a comeback, according to a recent Bitdefender discovery. This time, the ransomware spreads through mass spam emails that contain malicious .chm attachments that execute malware upon opening.

Another advanced Cryptolocker variant

Cryptowall is another variant of Cryptolocker, a widespread ransomware that is known for disguising malware in non-threatening applications or files. Cryptolocker claimed many victims and several copycats and variants have been discovered since its discovery in late 2013, including this one. Like all file encrypting ransomware (also known as crypto malware) the goal of the attacker is to encrypt important files on the victim’s system in order to compel them to pay a ransom in return for their files.

In the case of Cryptowall, users received spam emails titled as “Incoming Fax Report” containing a .chm file attachment. Upon opening the .chm file, users were greeted with this notice. Harmless as this help file looks, it is anything but. While the user is staring at the innocent looking help file, a malicious code downloads Cryptowall in the background from a remote server. Once executed, the ransomware takes over and encrypts the files of the user before demanding a ransom. Because several email clients detect and block executable malware, and users are more aware of what to look out for, cyber criminals are looking at new extensions to spread their malware through email.

Less fashionable, yet highly effective trick

Emsisoft detects the threat as Trojan.GenericKD.217093. According to our partner Bitdefender:

“Interestingly, in this instance, hackers have resorted to a less fashionable yet highly effective trick to automatically execute malware on a victim’s machine and encrypt its contents – malicious .chm attachments. Chm is an extension for the Compiled HTML file format, a type of file used to deliver user manuals along with software applications. These CHM files are highly interactive and run a series of technologies including JavaScript, which can redirect a user toward an external URL after simply opening the CHM. Attackers began exploiting CHM files to automatically run malicious payloads once the file is accessed. And it makes perfect sense: the less user interaction, the greater the chances of infection.”

Due to the nature of the fake emails, it is expected that the attackers were targeting corporate users. The emails were sent to mailboxes in Europe, Australia and the U.S. Although the scale of this attack is not that massive, it is very revealing as to how malware is evolving to evade security.

Have a nice (ransomware-free) day!