Fake Job Seekers

This article excerpt, written by Zeljka Zorz, originally appeared here: http://ow.ly/Mvv13

The latest Cryptowall-delivery campaign comes with an additional menace: the Fareit Trojan, which is designed to steal logins and passwords from compromised computers and download additional malware, and which can be used in DDoS attacks.

The campaign takes the form of spammed-out messages impersonating a job seeker who's sending in a resume. Judging by this, the malware peddlers have (temporarily?) decided to target companies.

The .ZIP file in question contains a JavaScript file (.JS), and this should raise some suspicion with the recipient. But, if it doesn't, and they open it, the file will connect to two URLs to download what seem to be two .JPG files.

But they are not images - they are actually executables, and are executed automatically once they are downloaded. One is a Cryptowall 3.0 variant - as deadly as previous versions - and the other is a Fareit Trojan variant.
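The two warning signs described above (a script file inside a ZIP attachment, and a file named like an image that is really an executable) can be checked mechanically at a mail gateway or on an endpoint. The following is an added example, not code from the original article or from Trend Micro; the extension lists, function names and sample file names are assumptions chosen for illustration, and the sample data is constructed.

```python
import io
import posixpath
import zipfile

# Assumed policy lists: script types Windows runs on double-click, and image types.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}


def ext(name):
    """Lower-cased extension of a file name or ZIP member path."""
    return posixpath.splitext(name)[1].lower()


def script_members(zip_bytes):
    """Names of script files found inside a ZIP attachment."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if ext(n) in SCRIPT_EXTS]


def is_disguised_executable(name, data):
    """True when a file named like an image begins with the PE 'MZ' signature."""
    return ext(name) in IMAGE_EXTS and data[:2] == b"MZ"


def build_sample_zip():
    """Constructed attachment: one inert .js placeholder and one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("resume.js", "// constructed placeholder, no real content")
        zf.writestr("cover_letter.txt", "constructed")
    return buf.getvalue()


# Constructed byte strings: only the leading magic bytes matter to the check.
SAMPLE_PE = b"MZ\x90\x00" + b"\x00" * 60          # executable header stub
SAMPLE_JPG = b"\xff\xd8\xff\xe0" + b"\x00" * 60   # genuine JPEG magic

if __name__ == "__main__":
    print("script members:", script_members(build_sample_zip()))
    print("one.jpg disguised:", is_disguised_executable("one.jpg", SAMPLE_PE))
    print("photo.jpg disguised:", is_disguised_executable("photo.jpg", SAMPLE_JPG))
```
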

The ransomware encrypts files (documents, databases, emails, images, etc.), deletes their shadow copies so that victims can't restore the files from them, and shows the ransom note asking for 500 euros or US dollars for the decryption key.

"While the victim is distracted by CryptoWall’s extortion, the spyware will steal credentials stored in the system’s FTP clients, web browsers, email clients and even Bitcoin wallets," note Trend Micro researchers.