CryptoLocker Associated Sites.

So earlier this month one of my customers got bitten by the CryptoLocker malware.

They lost all their files as they were not willing to pay the ransom and they didn’t really mind starting fresh. It could have been a different outcome, ending in payments to the CryptoLocker malware authors, had they been more attached to their files.

Anyway, I did some digging. It appears my customer opened an email containing a zip attachment, which in turn contained a .exe file.

This .exe file is a dropper that downloads files from:

DONOTCLICK://concepthomesuk.com/wp-content/themes/OpenDoor/images/bannerslider.exe (currently on IPs 81.21.76.62 and 83.170.114.4)
and
DONOTCLICK://backlinksvault.com/helpdesk/docs/dot30uk.exe (currently at 216.151.138.86)

I’ve contacted the UK homes company and asked them to clean up their hacked server as soon as possible.

It is interesting that the malware authors are using HTTPS sites. It makes tracking down the real malware difficult, as not many people know how to look into HTTPS requests. Google shows a few results referencing the DNS requests to the domain, but nobody has shown the full URLs to the malware files hosted on the servers.

At the time of writing, both the droppers and the malware files above are detected by Avast. They certainly were not when they were initially sent to the customer.
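The indicators above are only useful if you can actually sweep for them. The script below is an added example, not code from the original post or from any product it mentions: it takes the two domains, three IPs and two payload paths listed above, handles the defanged DONOTCLICK:// notation (plus the hxxp and [.] conventions other write-ups use), runs them over a few constructed proxy-log lines, and checks a constructed zip attachment for an executable member, the delivery vector described above. It also goes one step beyond the post by flagging any .exe served from a /wp-content/ path on any host; that heuristic, the extra executable extensions, the log lines, the intranet.example and blog.example hosts and the document.pdf.exe filename are all my assumptions or constructed data, not anything observed in the incident.

```python
import io
import re
import zipfile
from urllib.parse import urlsplit

# Indicators copied from the post: the two compromised hosts, the IPs they
# resolved to at the time, and the full paths of the two payloads.
IOC_DOMAINS = {"concepthomesuk.com", "backlinksvault.com"}
IOC_IPS = {"81.21.76.62", "83.170.114.4", "216.151.138.86"}
IOC_PATHS = {
    "/wp-content/themes/OpenDoor/images/bannerslider.exe",
    "/helpdesk/docs/dot30uk.exe",
}

# Defanging conventions found in write-ups. "DONOTCLICK://" is the one the post
# uses; the real scheme is not recoverable from it, so it is mapped to http://
# purely so the URL parses. Matching never looks at the scheme.
_DEFANG_RULES = [
    (re.compile(r"^DONOTCLICK://", re.IGNORECASE), "http://"),
    (re.compile(r"^hxxps://", re.IGNORECASE), "https://"),
    (re.compile(r"^hxxp://", re.IGNORECASE), "http://"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}"), "."),
]


def refang(url: str) -> str:
    """Undo common defanging so urlsplit() can pick out host and path."""
    url = url.strip()
    for pattern, replacement in _DEFANG_RULES:
        url = pattern.sub(replacement, url)
    if "://" not in url:          # bare "host/path" as found in some proxy logs
        url = "http://" + url
    return url


def classify_url(url: str) -> set:
    """Return the reasons a URL matches; an empty set means no indicator hit."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    path = parts.path
    reasons = set()
    if host in IOC_DOMAINS:
        reasons.add("ioc-domain")
    if host in IOC_IPS:
        reasons.add("ioc-ip")
    if path in IOC_PATHS:
        reasons.add("ioc-path")
    # Generalisation beyond the post (my assumption, not the author's): an .exe
    # served out of a WordPress wp-content tree is rarely legitimate, so it is
    # flagged even when the host is not one of the two named above.
    low = path.lower()
    if low.startswith("/wp-content/") and low.endswith(".exe"):
        reasons.add("exe-under-wp-content")
    return reasons


# Constructed proxy log (not real traffic): "timestamp client method url status".
SAMPLE_PROXY_LOG = """\
2013-10-02T09:14:03 10.0.0.12 GET http://concepthomesuk.com/wp-content/themes/OpenDoor/images/bannerslider.exe 200
2013-10-02T09:14:05 10.0.0.12 GET http://216.151.138.86/helpdesk/docs/dot30uk.exe 200
2013-10-02T09:15:10 10.0.0.31 GET http://intranet.example/index.html 200
2013-10-02T09:16:44 10.0.0.12 GET http://blog.example/wp-content/uploads/update.exe 200
"""


def sweep_proxy_log(text: str) -> list:
    """Return (line_no, client, url, sorted reasons) for each log line that hits."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 4:
            continue                      # malformed or blank line
        client, url = fields[1], fields[3]
        reasons = classify_url(url)
        if reasons:
            hits.append((line_no, client, url, sorted(reasons)))
    return hits


# Extensions treated as executable. The post only mentions .exe; the rest is an
# assumption based on what mail-borne droppers of that era commonly used.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif")


def executables_in_zip(data: bytes) -> list:
    """List zip members that are executables, judged by the real (last) extension."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        return [name for name in archive.namelist()
                if name.lower().endswith(EXECUTABLE_EXTENSIONS)]


def build_sample_attachment() -> bytes:
    """Constructed stand-in for the attachment the post describes: a zip holding
    a double-extension .exe. The member body is a dummy MZ stub, not malware."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("document.pdf.exe", b"MZ" + b"\x00" * 62)
    return buffer.getvalue()


if __name__ == "__main__":
    for line_no, client, url, reasons in sweep_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {line_no}: {client} -> {url}  [{', '.join(reasons)}]")
    print("executables in attachment:", executables_in_zip(build_sample_attachment()))
```

Matching is done on host and path only, so the question of whether the real downloads were over HTTP or HTTPS does not affect the sweep; for HTTPS you would normally only see the hostname (from DNS or the TLS SNI) rather than the full path, which is exactly why the ioc-domain and ioc-ip checks are kept separate from the ioc-path check.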

This entry was posted in Uncategorized.