I had an interesting and I believe novel crytolocker campaign today. It started out with a lot of users receiving alleged copyright infringement notices, stating they had used copyright material in classroom environments (targeting .edu users, obviously)
The email had a .zip attachment, containing a PDF. A lot (maybe 5%) of recipients were suspicious and let us know, which initially made us think the campaign was a lot larger than we thought.
Running the .zip and .pdf through virustotal and malwr was puzzling though – no result at the time.
Opening the PDF I could see no network traffic. It just opened and displayed, albeit showing a warning about a missing font.
Initially we thought either highly advanced 0day, or bungling crooks who forgot to include exploit code, however we soon had a report of cryptolocked files that correlated with a received email. Further investigation and talking with other techs flagged the missing font, which lead to searching for that missing font:
So the exploit was actually in the font, which you had to google search to find!
Malwr failed opening the zip file. Not sure if this is by design or a happy coincidence for the malware writers. Virustotal finds the malware though.
I find this pretty cool – at a guess the font website with decent google rankings must have been compromised at some point, after which the PDFs were crafted with the missing font. Exploitation rate is obviously a lot lower since the end user has to be bothered to search and then install the font, but then again coverage was a lot higher, since mail filters did not block the clean pdf attachment. Also means we may see a lot more known sites compromised and used for this sort of thing, rather than just the /sd89dens/sd89dens.exe style cryptolocker URLs we’ve seen so far.
I think we may end up seeing a lot more like this (needless to say, I’ve now blocked the entire domain)