Another Ukrainian software maker’s site compromised to spread malware

LASER_oneXM

Thread author
Feb 4, 2016
The web server of Crystal Finance Millennium, a Ukraine-based accounting software firm, has been compromised and made to host different types of malware.

The discovery of the compromise was accompanied by fear that there could be a repeat of the destructive NotPetya attack, which was traced back to hacked servers of Ukrainian software maker MeDoc.

This time, fortunately, the attackers did not compromise the firm’s software and push out an update laden with malware. Instead, the compromised server only hosted the malware, and the company’s Web site served it.

The attackers also sent out phishing emails to a variety of targets. The emails included a zipped JavaScript file that, once run, would download the actual malware from the Crystal Finance Millennium site.

Malware researcher Bart Blaze noted (and other researchers confirmed) that there were three different malicious payloads:

  • A downloader called Smoke Loader (aka Dofoil)
  • A banking trojan called Chthonic
  • A piece of ransomware called PSCrypt, known for hitting Ukraine in the past.

The Bitcoin address to which the victims of the ransomware are instructed to send the ransom has received the first transaction on August 15, so it’s likely that the Crystal Finance Millennium server and site were compromised on that date or a bit earlier.

The CFM site is currently down, having been taken offline by the hosting provider, but Blaze says it’s a good idea not to download any software from the company until they explicitly say that they have cleared everything up.