CryptXXX has yet again received new updates from its developers, giving the ransomware the capability to scan for network resources and encrypt the files it finds on them, and adding a DLL component that steals the user’s credentials and other related information.
Security firm Proofpoint reported that the new version, named CryptXXX 3.1, has a network scanning ability: files with extensions matching CryptXXX’s own list are queried, overwritten, then encrypted with the .cryp1 extension. Proofpoint added that the malware’s scanning activity occurs on port 445, which is used for SMB (Server Message Block) and is mainly associated with Microsoft Windows Domain and Active Directory infrastructure. The firm further explained, “Infected machines were, in fact, scanning the /24 subnet of their local area network (LAN) in search of MS Windows shared drives. Further analysis demonstrated that this new version of CryptXXX was capable of finding shared resources on the network, enumerating files in every shared directory, and encrypting them one by one.”
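The scanning behaviour Proofpoint describes (one infected host sweeping its own /24 on TCP 445 in search of shares) is something a defender can spot from ordinary connection logs. The following is an added illustration, not code from the article or from Proofpoint: it builds a small constructed connection log, then flags any source that reaches an unusually large number of distinct same-subnet hosts on port 445 inside a sliding time window. The log format (timestamp, source, destination, destination port) and the threshold are assumptions for the example; a benign workstation that talks to one or two file servers stays below the threshold.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import ipaddress

SMB_PORT = 445


def parse_line(line):
    """Parse one assumed log line: '<ISO timestamp> <src> <dst> <dport>'.

    Returns (datetime, src, dst, dport) or None for malformed lines.
    """
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return (datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3]))
    except ValueError:
        return None


def same_slash24(a, b):
    """True when both addresses fall in the same /24, the scope Proofpoint observed."""
    return (ipaddress.ip_network(f"{a}/24", strict=False)
            == ipaddress.ip_network(f"{b}/24", strict=False))


def detect_smb_sweeps(lines, threshold=16, window=timedelta(minutes=5)):
    """Return {src: max_distinct_hosts} for sources that contacted at least
    `threshold` distinct same-/24 hosts on port 445 within any `window`."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport = rec
        if dport != SMB_PORT or src == dst or not same_slash24(src, dst):
            continue
        events[src].append((ts, dst))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        in_window = Counter()   # distinct destinations currently inside the window
        left = 0
        best = 0
        for ts, dst in evs:
            in_window[dst] += 1
            # slide the left edge forward until the window fits
            while ts - evs[left][0] > window:
                old_dst = evs[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            best = max(best, len(in_window))
        if best >= threshold:
            alerts[src] = best
    return alerts


def build_sample_log():
    """Constructed sample traffic (not real data): one host sweeps its /24 on 445,
    one host behaves like a normal workstation, plus some unrelated HTTPS noise."""
    base = datetime(2016, 6, 1, 10, 0, 0)
    lines = []
    # Host .17 touches every address .1 through .40 within 40 seconds.
    for i in range(1, 41):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 10.0.5.17 10.0.5.{i} {SMB_PORT}")
    # Host .20 repeatedly uses one file server and two printers: benign.
    for i in range(30):
        ts = base + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} 10.0.5.20 10.0.5.5 {SMB_PORT}")
    lines.append(f"{base.isoformat()} 10.0.5.20 10.0.5.6 {SMB_PORT}")
    lines.append(f"{base.isoformat()} 10.0.5.20 10.0.5.7 {SMB_PORT}")
    # Unrelated outbound web traffic and a malformed line, both ignored.
    lines.append(f"{base.isoformat()} 10.0.5.20 93.184.216.34 443")
    lines.append("garbage line")
    return lines


if __name__ == "__main__":
    for src, count in detect_smb_sweeps(build_sample_log()).items():
        print(f"possible SMB share sweep from {src}: {count} distinct hosts on 445")
```

The self-address hit (10.0.5.17 contacting itself) is discarded, so the sweeping host is reported with 39 distinct neighbours, while the workstation that only ever reaches three servers never trips the threshold. In a real deployment the threshold should be tuned against the number of legitimate SMB peers a workstation normally has.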
Seeking to further monetize their operations, CryptXXX’s developers also added an information-stealing capability to the ransomware by installing a DLL file, named StillerX (referenced as Stiller.dll, Stillerx.dll and Stillerzzz.dll), on the infected device. StillerX’s targets include web browser history and cookies, as well as credentials from email, FTP, IM, VPN, remote administration software, poker game software, and Microsoft Credential Manager.
The firm added, “While the stealer is always deployed by CryptXXX, it is possible that it could be used as a standalone tool (and it is likely that this same malware was distributed in Bedep campaigns between December and March). Alongside the credential grabbing functions, we found unused routines handling system fingerprinting and data exfiltration.”
Update: June 10, 2016
On June 6, researchers at the SANS Internet Storm Center discovered that the developers behind the revamped CryptXXX 3.100 had switched its distribution from the Angler Exploit Kit to the Neutrino Exploit Kit. The switch is noteworthy because CryptXXX had previously only been seen distributed by the Angler EK. The move reportedly follows the resurgence of CryptXXX with a new encryption algorithm and the previously added information-stealing capability delivered via the StillerX DLL. According to the SANS report, the Neutrino EK is characterized by targeting the Java runtime environment, including certain versions of Java. “Last month, Neutrino EK was documented using Flash exploits based on CVE-2016-4117 effective against Adobe Flash Player up to version 184.108.40.206.”