Booking.com Users Attacked by CryptoWall 4.0

According to security researchers, a phishing email masking itself as a Booking.com email, has been confusing PC users these days. The malware-disguised email consists an “E-TICKET_CONFIRM.doc” attachment which, when downloaded, makes the user enable embedded macro codes that infect the computer with CryptoWall.

Usually, the virtual machine gets infected with CryptoWall when the malicious macro code drops and executes an Upatre variant. After that, Upatre drops a file called comprendre.exe in the %temp% folder, which spawns a child process as a main file and later overwrites it with the downloader code.

The common malware technique utilized by Upatre, is called process hollowing or dynamic forking to ultimately infect the computer with CryptoWall. Due to the fact that the process hollowing runs a legitimate process, the malware looks normal.

In the aforementioned Upatre variant, the created instance of svchost.exe is the target and it will act as the container of the malicious code. The malicious code will download the file hXXp://www.gpuln.com/8170/nnm12.exe – a CryptoWall 4.0 malware. This file uses the process hollowing technique on explorer.exe.

Booking.com cryptowall example

The hollowed explorer.exe will spawn another instance of svchost.exe, which also contains malicious code. After that, it contacts a set of websites where it acquires an encryption key.

CryptoWall 4.0 is rather similar to CryptoWall 3.0, however, the new version encrypts the filename of its target and offers a ransom message. The ransom message appears after the malware has encrypted files from the local drives.

C&C Servers Malware Targets

URLs observed during analysis include:

  • breakingandentering-movie.com/rXUaE8.php
  • ample-sun.eu/4BKEt7.php
  • altervista.org/b1AUCJ.php
  • altervista.org/Detuk4.php
  • anna-b.pl/WBxm6M.php
  • hairconstruction.co/GFrT6o.php
  • cafe-being.com/G5JmvW.php
  • autogas-krombach.de/F74yDk.php
  • diogene-atmosphere.com/ixcnYt.php
  • bjoern-bloss.eu/Yo_QUd.php
  • carneval-club-boeckels.de/kiCsmO.php
  • 7-eleven-handbags.com/X1rZYp.php
  • docotel.com/NFDayU.php
  • baehr-consulting.com/1r432c.php
  • arcadia-meble.pl/Q0bAHK.php
  • altervista.org/bJT1VS.php
  • autohaus-iffland.com/1G7MQi.php
  • bv-quintas.nl/NL417H.php
  • altervista.org/cUFD6S.php
  • bradford-marine.com/Rd8pPK.php
  • assistance-pc.fr/DzJuMa.php

The threat is targeting a telecommunications firm as malicious, and VIPRE endpoint security, detecting the infected .doc as:

  • Win32.CryptoLocker.coce (v)
  • Win32.Generic!BT
  • OLE.Generic.a (v)

What computer users should know in this case, is that if their PC gets infected, the recovery is only possible by restoring from an external backup, or after the ransom is paid.

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.