Cybercriminals have compromised the web server of a Ukrainian-based account firm to host different types of malware used in ransoming targeted victims.
According to security researcher Bart Blaze, Crystal Finance Millennium only had its server compromised to host different types of malware while the company’s website served it.
The researcher identified three different malicious payloads which are:
. A piece of ransomware called PSCrypt
. A banking Trojan called Chthonic
. A downloader called Smoke Loader (aka Dofoil)
The hackers sent out phishing emails to various targets with hopes of compromising and ransoming them. Blaze explained that content of the emails included a zipped JavaScript file that once run, would download the real malware from the Crystal Finance Millennium site and compromise the victims system.
A close look at the Bitcoin address to which victims of the ransomware were to pay the ransom, reveals that the address had its first transaction on August 15 which explains that the Crystal Finance Millennium server and site were either compromised on that same day or a bit earlier.
However, the accounting firm was fortunate enough as the attackers did not compromise the firm’s software by pushing an update heavily filled with malware.
So far, Crystal Finance Millennium has taken the site offline and hopes to combat the issue so as to prevent further spread of the malware.
0 comments:
Post a Comment