CryptXXX Ransomware Will Now Steal Your Passwords as Well

Exterminator

The most recent version of the CryptXXX ransomware came with lots of changes, among which the most important is an infostealer module that can dump and steal passwords from various applications on the infected machine.

Called StillerX, this module was seen as part of CryptXXX starting with version 3.100, detected by Proofpoint for the first time on May 26.

The US security firm says that this new CryptXXX version comes with lots of new features, but StillerX makes it more dangerous than before.
CryptXXX adds password dumping and data exfiltration features
StillerX works just like classic password dumpers, also known as infostealers. These types of malware are specifically designed to attack the internal databases of several software packages, extract encrypted or cleartext passwords, and then send them to an online server.

CryptXXX's StillerX module is capable of targeting all sorts of software, such as browsers, download managers, email clients, FTP software, IM applications, poker apps, proxy clients, VPNs, dialer credentials, and passwords stored in WNetEnum's cache and Microsoft's Credential Manager.

Users can detect a CryptXXX ransomware infection that comes with StillerX by the presence of the "stiller.dll," "stillerx.dll" and "stillerzzz.dll" files on their systems.

Proofpoint says that there are clues in StillerX's code making them believe the module could be used as a standalone, without CryptXXX.

Other new changes in CryptXXX 3.100
Besides the ability to steal your passwords for future cyber-attacks, CryptXXX also changed its decryption website. The portal received a facelift and now features new graphics.

Until now, the ransomware used the same user interface as the CryptoWall ransomware.

Last but not least, CryptXXX is now also capable of searching for network-connected drives and infecting the files it finds on those partitions as well. The ability to search and infect network drives has been seen in several ransomware families in recent weeks and seems to be a natural course of evolution for most of these threats in an attempt to maximize their impact and force victims to pay the ransom.

After CryptXXX had appeared this April, Kaspersky managed to crack CryptXXX 1.x and then CryptXXX 2.x. CryptXXX 3.100 is once again undecryptable, breaking the Russian company's free decryption tool.
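The post above says an infection can be recognised by the presence of "stiller.dll", "stillerx.dll" or "stillerzzz.dll" on disk. The sweep below is an added example written for this page; it is not Proofpoint's tooling and not code from the original post. The only thing it takes from the article is the three file names; the function names, the case-insensitive matching, the hashing of hits and the throwaway demo directory tree (with a harmless placeholder file standing in for the DLL) are all assumptions made here for illustration.

```python
"""Sweep directory trees for the StillerX file-name indicators named in the
article (stiller.dll, stillerx.dll, stillerzzz.dll).

Added example, not Proofpoint's tooling and not part of the original post.
The IOC list is from the article; everything else is an assumption, and the
demo tree built by build_demo_tree() is constructed here for illustration.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List

# File names the article reports as indicators of CryptXXX 3.100 / StillerX.
STILLERX_FILENAMES = {"stiller.dll", "stillerx.dll", "stillerzzz.dll"}


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large files do not get read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_stillerx_iocs(roots: Iterable[str]) -> List[Dict[str, str]]:
    """Walk each root and return every file whose name matches an IOC.

    Matching is case-insensitive because NTFS is case-insensitive, so a
    dropper could just as well write StillerX.DLL. os.walk skips directories
    it cannot read instead of aborting the sweep, and each hit is hashed so
    it can be cross-checked against threat-intel feeds or handed to responders.
    """
    hits: List[Dict[str, str]] = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                if name.lower() not in STILLERX_FILENAMES:
                    continue
                path = os.path.join(dirpath, name)
                try:
                    digest = sha256_of(path)
                except OSError:
                    digest = "unreadable"  # locked or deleted mid-sweep
                hits.append({"path": path, "name": name, "sha256": digest})
    return hits


def build_demo_tree() -> str:
    """Create a throwaway tree with one planted IOC and one benign file.

    Constructed demo input: the planted file is a placeholder, not malware.
    """
    base = tempfile.mkdtemp(prefix="stillerx_demo_")
    temp_dir = os.path.join(base, "Users", "alice", "AppData", "Local", "Temp")
    os.makedirs(temp_dir)
    with open(os.path.join(temp_dir, "StillerX.DLL"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)  # harmless placeholder bytes
    with open(os.path.join(base, "Users", "alice", "notes.txt"), "w") as fh:
        fh.write("benign\n")
    return base


if __name__ == "__main__":
    # On a real host you would pass e.g. ["C:\\Users", "C:\\ProgramData"].
    for hit in find_stillerx_iocs([build_demo_tree()]):
        print(f"{hit['sha256']}  {hit['path']}")
```

A file-name match is a cheap first triage signal, not proof of infection: the names could be renamed by a later build, and a hit should be confirmed by hashing and by looking for the ransomware's other artefacts before anything is wiped.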
 

soccer97

Exterminator said:
The most recent version of the CryptXXX ransomware came with lots of changes, among which the most important is an infostealer module that can dump and steal passwords from various applications on the infected machine.

Called StillerX, this module was seen as part of CryptXXX starting with version 3.100, detected by Proofpoint for the first time on May 26.

The US security firm says that this new CryptXXX version comes with lots of new features, but StillerX makes it more dangerous than before.


Another reason for a password manager. Preferably one that provides you the ability to use a virtual keyboard and, more importantly, to revoke permissions from certain devices from their online portal site. That way, you could immediately lock your password vault, or go on your phone and block the device from access. Not 100% foolproof, but it's a workaround. Never trust built-in browser password auto-fills. There have been too many vulns.
 
