An email program continues to attack, tricking victims into downloading a third version of CryptoWall ransomware.
The level of sophistication for the campaign increases as it has layers that attempts to avoid any kind of detection, according to Cisco’s TALOS security intelligence and research group.
The emails came from Yahoo addresses and researcher Brad Duncan from RackSpace tracked down the bitcoin address set up to receive whatever amount of funds they received from ransom demands.
Analysis of new emails leading to the same crypto-malware shows the operation is still active, researchers said.
The attack starts with an email message appearing to be a reply to previous communication about possible employment. In the attachment, it has an archived HTML file, which contains an iFrame that redirects to a compromised WordPress site. The redirect chain continues to a Google Drive account, where another ZIP file ends up located. That file has the CryptoWall ransomware inside.
Despite this complicated process, the return on investment does not seem to fit the effort of the operator. The bitcoin address identified by Duncan showed it had two transactions, the funds received being just over 3 bitcoins ($700).
In a single day, the researcher found 14 emails carrying an HTML that led to downloading CryptoWall from three different URLs associated with Google Drive cloud storage service.
At the time of the analysis, the crypto-malware variant ended up detected by 13 antivirus scanners on VirusTotal. A new scan later on showed 36 AV scanners identifying the piece as malicious.