We are all very familiar with URL shortening services, which are regularly used in Tweets and other social media. It is no secret that cyber criminals also use URL shorteners to aid them in achieving their objectives. URL shorteners are often used by cyber criminals to obfuscate redirects to malicious destinations.
Recently, a URL shortening service was used to shrink a dubious link, obfuscating a malicious destination:
46(dot)30(dot)45(dot)39/Statement.jpg
which was actually a malicious script dowloader “Statement.js”, dropping Cryptowall from
46(dot)30(dot)45(dot)39/yyo.w
Cryptowall is Ransomware which encrypts files on your computer and demands that a ransom be paid in order to receive instructions (private key) for decrypting your files (in this case, RSA-2048 encryption was used).
Shortened malicious URL: [url]/1|Qblabla –> hxxp://46(dot)30(dot)45(dot)39/Statement.jpg = Statement.js (malicious script downloader).
Statement.js –> executable yyo.w (Cryptowall) from 46(dot)30(dot)45(dot)39/yyo.w
The URL shortener service disabled the shortened URL, but the IP identified was still serving up Cryptowall at the time of this write-up (Cryptowall file from 46(dot)30(dot)45(dot)39/yyo.w and subsequent communication shown above.
During post-infection, the victim is provided with details about what just happened, and a short explanation about encryption. They’re also given the steps needed to in order to get the files decrypted. Finally, they provided details about the specific homepage crafted for them and instructions for downloading and installing the Tor browser.
The text reads as follows:
Cannot find the files you need? Is the content of the files that you have watched not readable? Is it normal because the files names, as well as the data in your files have been encrypted. Congratulations!!! You have become a part of a large community #Cryptowall. Your files have been encrypted with 5he Cryptowall software; the instructions that you find in folders with encrypted files are not viruses, they are your helpers. After reading this text 100% of people turn to a search engine with the word Cryptowall where you'll find a lot of thoughts, advice and instructions. Think logically - we are the ones who closed the lock on your files and we are the only ones who have this mysterious key to open them. Any of your attempts to restore your files with the third-party tools can be fatal for encrypted files. In case if these simple rules are violated we will not be able to help you and we will not try because you have been warned. For your attention the software to decrypt the files (as well as the private key that comes fitted with it) is a paid product. After purchasing the software package you can 1) Decrypt all your files 2) Work with your documents 3) View your photos and other media content 4) Continue your habitual and comfortable work at the computer
IP details:
IP Location: Russian Federation Russian Federation Moscow Eurobyte Llc
ASN: Russian Federation AS35415 WEBZILLA Webzilla B.V. (registered Aug 03, 2005)
Resolve Host: vz110372.eurodir.ru
Whois Server: whois.ripe.net
IP Address: 46.30.45.39
Reverse IP: 1 website uses this address.
Ransomware is nothing new but cyber criminals are constantly coming up with tradecraft to stay one-step ahead of of the security industry. This short blog is not meant to single out a specific URL shortener service nor is it meant to be a high-level analysis of Cryptolocker. This blog is more focused on arising awareness when dealing with shortened links.
There are precautions that can be taken to avoid clicking on a malicious shortened link, such as not clicking on a shortened link if you do not know who it is from. If you want to take additional measures, there are services that unshorten shortened URL’s such as
checkshorturl(dot)com
Furthermore, it is highly recommended that you use anti-virus and anti-malware in conjunction for the best possible protection. Malwarebytes Anti-Malware protects users from this attack, including blocking identified malicious IPs and domains associated with Ransomware.
Zynthesis
Wait, now I’m confused. I’ve heard of ransomware scams (scamsomeware?) where it’s like malicious JavaScript/a popup saying your computer has been locked to scare you into downloading their crapware/paying them/whatever but they haven’t actually touched your files (sort of like the fake virus warnings to scare people into downloading rogue AV software), and you can just get rid of it by force quitting your browser and making sure you don’t restore tabs/windows when you reopen it, but there are ones that actually encrypt your files? (sorry if this is a really dumb question.)
Yes, there are ransomware infections that infect your PC by encrypting your files like the one in this blog post above. On the other side there are fake warnings telling you that your PC is infected, trying to trick you to call a number so that their fake support team can help you, by showing you some errors that are actually normal on every computer. Such fake warnings often appear on compromised websites, so the only logical step is to close your browser.
Yes, they are pretty much all I deal with every day.
The objective of this threat vector/method (obfuscate the destination) is to use a service to shorten and obfuscate a malicious destination (URL), in this case containing a malicious down-loader that downloads the cryptowall ransomeware. That is why it is imperative that you do not click on shortened links unless you trust the source or unshorten the link to view the destination. Also ensure you are using anti-virus and anti-malware protection as well. This is still occurring, and I have analyzed several other ransomeware threats in the last few days that are using this same method via services that shorten URLs.