A low-level click-fraud attack escalated into a ransomware risk once the CryptoWall file-encrypting tool was delivered, researchers said.
Bad guys, dubbed RuthlessTreeMafia, first ran an operation to defraud “pay-per-click” advertisers, said researchers at Damballa.
In this case, the attackers rely on the Asprox botnet to deliver the initial payload, but exploit kits are also part of the package, the researchers said. Access to the victim's system is then sold on to other criminal groups.
Damballa ran the RuthlessTreeMafia threat on its analysis system and monitored the infection chain, which showed clear evidence of a click-fraud campaign ending with the delivery of CryptoWall.
“The RuthlessTreeMafia threat operators use a fast-flux infrastructure to deliver the Rerdom click-fraud malware to victims,” the researchers said in the report. “This Trojan utilizes a combination of downloader, information stealer, rootkit and search redirector with pop-up ads to obtain additional revenue for the criminal command and control (C&C) organization.”
After the initial download, multiple DNS queries go out to websites in Russia until one resolves to emptyarray[.]ru. In the following 40 minutes, Damballa’s automated analysis system saw more than 900 connections to different domain names and spotted several distinct threat groups, almost all of them engaged in the click-fraud business.
During this activity, CryptoWall was also delivered to the compromised system to encrypt files and demand payment of a ransom in exchange for decryption.
Researchers said the device remains under criminal control and the click-fraud activity continues for another hour, generating additional revenue for the cybercriminals.
In the two hours before CryptoWall arrived, the infected system received three pieces of click-fraud malware.
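The infection chain above leaves two network-level signals a defender can look for in passive DNS or resolver logs: one host suddenly resolving hundreds of distinct domains within a short window, and individual names rotating through many IP addresses on very short TTLs (the fast-flux pattern). The script below is an added example, not code from Damballa or from the report; it runs both checks over a constructed, simplified log whose field layout (epoch seconds, source host, query name, answer IP, TTL), `.invalid` domain names, and threshold values are all assumptions chosen for illustration and should be tuned to real baselines.

```python
"""Flag two DNS-level signals from the RuthlessTreeMafia infection chain:
a burst of distinct domains from one host, and fast-flux style resolution.

The log format, hostnames, domains and thresholds here are constructed for
this example; they are not Damballa's data or tooling.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsRecord:
    ts: int        # epoch seconds
    src: str       # querying host
    qname: str     # queried name, normalised
    answer: str    # resolved IP
    ttl: int       # answer TTL in seconds


def parse_dns_log(lines):
    """Parse lines of '<ts> <src> <qname> <answer_ip> <ttl>' (assumed format)."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, qname, answer, ttl = line.split()
        records.append(DnsRecord(int(ts), src, qname.lower().rstrip("."), answer, int(ttl)))
    return records


def domain_burst_hosts(records, window_seconds=2400, threshold=50):
    """Return {host: peak distinct-domain count} for hosts that resolve at least
    `threshold` different names inside any `window_seconds` sliding window.
    The 40-minute default window mirrors the report's observation period."""
    by_host = defaultdict(list)
    for r in records:
        by_host[r.src].append((r.ts, r.qname))
    flagged = {}
    for src, events in by_host.items():
        events.sort()
        in_window = defaultdict(int)   # qname -> occurrences inside the window
        left, peak = 0, 0
        for ts, qname in events:
            in_window[qname] += 1
            while ts - events[left][0] > window_seconds:   # slide the left edge
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def fast_flux_candidates(records, min_ips=5, max_ttl=300):
    """Return {qname: (distinct_ip_count, max_ttl)} for names that resolved to
    at least `min_ips` different addresses while never advertising a TTL above
    `max_ttl`; rapid address rotation on short TTLs is the fast-flux signature."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for r in records:
        ips[r.qname].add(r.answer)
        ttls[r.qname].append(r.ttl)
    return {q: (len(ips[q]), max(ttls[q]))
            for q in ips if len(ips[q]) >= min_ips and max(ttls[q]) <= max_ttl}


def build_sample_log():
    """Constructed sample: one noisy host and one quiet host (not real traffic)."""
    t0 = 1_600_000_000
    lines = ["# constructed sample log, not real traffic"]
    # ws-17 resolves 60 distinct ad-network style names over 20 minutes
    for i in range(60):
        lines.append(f"{t0 + 20 * i} ws-17 ad{i}.invalid 203.0.113.{i % 50 + 1} 3600")
    # ws-17 also resolves one name six times, each time to a new IP with TTL 60
    for j in range(6):
        lines.append(f"{t0 + 60 * j} ws-17 flux-c2.invalid 198.51.100.{j + 1} 60")
    # ws-02 is a normal workstation with two lookups
    lines.append(f"{t0} ws-02 mail.invalid 192.0.2.10 3600")
    lines.append(f"{t0 + 300} ws-02 intranet.invalid 192.0.2.11 3600")
    return lines


if __name__ == "__main__":
    recs = parse_dns_log(build_sample_log())
    print("burst hosts:", domain_burst_hosts(recs))
    print("fast-flux candidates:", fast_flux_candidates(recs))
```

On the constructed log the burst check flags only `ws-17` (61 distinct names inside the window) and the fast-flux check returns only `flux-c2.invalid` (six addresses, TTL 60). The two detectors are deliberately separate: a high distinct-domain count alone also fires on crawlers and ad-heavy browsing, while the fast-flux check is specific to the hosting pattern the report describes, so correlating both on the same host is what raises confidence.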
“The changing nature of these attacks underscores the importance of being armed with advanced detection to combat these more stealthy threats,” said Stephen Newman, CTO at Damballa. “As infections can spread quickly through the network, security teams should take proactive measures to avoid becoming a cautionary click-fraud tale.”