Signed CryptoWall Distributed via Widespread Malvertising Campaign

Sep 28, 14

This evening, Barracuda Labs’ URL analysis system detected drive-by downloads originating from five Alexa top-ranked websites: hindustantimes[.]com, bollywoodhungama[.]com, one[.]co[.]il, codingforums[.]com, and mawdoo3[.]com. Threatglass entries for these sites are available here, here, here, here, and here.

In every case, malicious content arrived via the site’s use of the Zedo ad network. Specifically, the following subchain is common to every site’s sequence of events.

<site index>
-> hxxp://[c2|c5][.]zedo[.]com/jsc/[c2|c5]/fo.js
--> hxxp://ss1[.]zedo[.]com/jsc/fst.js
---> hxxp://static[.]rcs7[.]org/seo1.php?ds=true&dr=<…>
----> hxxp://xenon[.]asapparts[.]com/akamai/adsone.php?acc=<…>

In the above subchain, ss1[.]zedo[.]com served obfuscated JavaScript that began a series of redirects to malicious content. The last site, xenon[.]asapparts[.]com, redirected to one of several different exploit kit-backed sites.
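One way to hunt for this subchain in web proxy logs, added here as an example and not Barracuda Labs' own code: it walks log lines and reports which clients requested the four stages in order. The hosts and paths are the ones listed above; the log format, client addresses, timestamps and the `CONSTRUCTED` query values are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# The four stages of the subchain listed in the post, in order (host + path).
STAGES = [re.compile(p) for p in (
    r"c[25]\.zedo\.com/jsc/c[25]/fo\.js",
    r"ss1\.zedo\.com/jsc/fst\.js",
    r"static\.rcs7\.org/seo1\.php",
    r"xenon\.asapparts\.com/akamai/adsone\.php",
)]

def refang(url):
    """Undo defanging (hxxp, [.]) so the URL parses; plain URLs pass through."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".")

def stage_of(url):
    """Return the index of the chain stage this URL matches, or None."""
    parts = urlsplit(refang(url.strip()))
    target = (parts.hostname or "") + parts.path  # query string is ignored
    return next((i for i, p in enumerate(STAGES) if p.fullmatch(target)), None)

def chain_progress(log_lines):
    """Map each client to how many stages it requested consecutively, in order."""
    progress = {}
    for line in log_lines:
        _ts, client, url = line.split(maxsplit=2)
        reached = progress.setdefault(client, 0)
        if stage_of(url) == reached:
            progress[client] = reached + 1
    return progress

def followed_full_chain(progress):
    """Clients that reached the final redirector and need endpoint triage."""
    return sorted(c for c, n in progress.items() if n == len(STAGES))

# Constructed proxy-log lines: "<timestamp> <client> <url>" (format is an assumption).
SAMPLE_LOG = [
    "2014-09-28T21:02:11Z 10.0.0.15 hxxp://c2[.]zedo[.]com/jsc/c2/fo.js",
    "2014-09-28T21:02:11Z 10.0.0.15 hxxp://ss1[.]zedo[.]com/jsc/fst.js",
    "2014-09-28T21:02:12Z 10.0.0.15 hxxp://static[.]rcs7[.]org/seo1.php?ds=true&dr=CONSTRUCTED",
    "2014-09-28T21:02:12Z 10.0.0.15 hxxp://xenon[.]asapparts[.]com/akamai/adsone.php?acc=CONSTRUCTED",
    "2014-09-28T21:05:40Z 10.0.0.22 hxxp://c5[.]zedo[.]com/jsc/c5/fo.js",
    "2014-09-28T21:05:40Z 10.0.0.22 hxxp://ss1[.]zedo[.]com/jsc/fst.js",
    "2014-09-28T21:07:03Z 10.0.0.31 hxxp://example[.]com/index.html",
]

if __name__ == "__main__":
    print(followed_full_chain(chain_progress(SAMPLE_LOG)))
```

A client that stops at stage 2 loaded the Zedo scripts without being redirected off the ad network, which is ordinary ad traffic; a count of 3 or 4 means the browser was sent on to the redirector hosts.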

Upon successful compromise, an instance of CryptoWall ransomware is installed on the victim’s system. The particular instance delivered via tonight’s campaign has a valid digital signature and appears to have been signed just hours before its distribution.

[Screenshot: CryptoWall certificate information]

Per the screenshot below, initial VirusTotal results indicated 0/55 detections.

[Screenshot: CryptoWall VirusTotal results]

Those results have since improved, with additional tools now identifying the program as malicious. With any luck, the certificate used to sign the executable will be revoked soon.


  1. A client of ours got hit with a drive-by ad that I suspect was a part of this outbreak. I’m having trouble reproducing the attack, however, now that the ad providers, Google, etc. have intervened. I’d like to be able to reproduce it to evaluate why the client system was vulnerable (there are old versions of frequently exploited plugins, UAC was disabled, and the user was running as a local admin). Are there any live samples still accessible out there?

  2. Kalman Dee

    Comodo revoked a certificate on 14/08 after I contacted them (I have emails to prove it). Hopefully they didn’t issue more after that; but perhaps they did…