So earlier this month one of my customers got bitten by the CryptoLocker malware.
They lost all their files as they were not willing to pay the ransom and they didn’t really mind starting fresh. It could have been a different outcome ending in payments to the CryptoLocker malware authors had they been more attached to their files.
Anyway.. I did some digging. It appears my customer opened an email containing a zip attachment which in turn contained a .exe file.
This exe file is a dropper that downloads files from:
DONOTCLICK://concepthomesuk.com/wp-content/themes/OpenDoor/images/bannerslider.exe (currently on IPs 188.8.131.52 and 184.108.40.206)
DONOTCLICK://backlinksvault.com/helpdesk/docs/dot30uk.exe (currently at 220.127.116.11)
I’ve contacted the UK homes company and asked them to clean up their hacked server as soon as possible.
It is interesting that the malware authors are using https sites.. It makes tracking down the real malware difficult as not many people know how to look into HTTPS requests. Google shows a few results referencing the DNS requests to the domain but nobody has shown the full url to the malware files hosted on the servers.
At the time of writing both the droppers and the above malware files are detected by Avast. They certainly were not when they were initially sent to the customer.