Locky ransomware is back again, this time distributed by a new exploit kit based on the previously known Sundown. The new exploit kit has been dubbed Bizarro Sundown and was first spotted on October 5 and then again on October 19, as reported by researchers at TrendMicro.
Apparently, the highest number of users infected by this campaign is currently found in Taiwan and Korea. The EK is a lot like its predecessor, but with some improvements such as added anti-analysis features. Moreover, the attack observed on October 19 altered its URL format to imitate legitimate web advertisements. Researchers say that both versions were used in the ShadowGate/WordsJS campaign.
More about the ShadowGate campaign
First identified in 2015, the ShadowGate campaign targeted locally installed Revive and OpenX open-source advertising servers. Once compromised, the servers act as gateways to the exploit kit for malware distribution. While the campaign was reportedly shut down in September this year, we found that it’s still alive and well, using 181 compromised sites to deliver ransomware.
TrendMicro observed ShadowGate in September deploying the Neutrino exploit kit to drop a variant of Locky (the .zepto extension). On October 5, the campaign switched to Bizarro Sundown. Two weeks later, on October 19, a modified version of Bizarro Sundown was detected.
A look into the latest attacks dropping Locky ransomware
There’s one particularly interesting thing about these attacks: the number of infected machines drops to zero on weekends.
Researchers observed the ShadowGate campaign “closing their redirections and removing the malicious redirection script from the compromised server during weekends and resuming their malicious activities on workdays.”
Victims of the campaigns are users in Taiwan and South Korea, but also in Germany, Italy, and China.
What vulnerabilities are leveraged in the attacks?
The vulnerabilities exploited in the successful attack scenarios are CVE-2016-0189, CVE-2015-5119, and CVE-2016-4117:
The first version of Bizarro Sundown targeted a memory corruption vulnerability in Internet Explorer (CVE-2016-0189, fixed in May 2016) and two security flaws in Flash: a use-after-free vulnerability (CVE-2015-5119) and an out-of-bounds read bug (CVE-2016-4117). The first of these was fixed more than a year ago (July 2015), with the second patched earlier this year (May 2016).
Bizarro Sundown’s second version only used the two Flash exploits.
To avoid malware infections, make sure that your system is protected at all times!