Cybercriminals have compromised the web server of a Ukraine-based accounting firm to host several types of malware used to extort the victims they targeted.
According to security researcher Bart Blaze, the attackers compromised only Crystal Finance Millennium's web server, using it to host the malware while the company's website served it to victims.
The researcher identified three different malicious payloads:
- A piece of ransomware called PSCrypt
- A banking Trojan called Chthonic
- A downloader called Smoke Loader (aka Dofoil)
The hackers sent phishing emails to various targets in the hope of compromising and ransoming them. Blaze explained that the emails carried a zipped JavaScript file which, once run, downloaded the actual malware from the Crystal Finance Millennium site and compromised the victim's system.
A close look at the Bitcoin address to which ransomware victims were told to pay shows that the address received its first transaction on August 15, which indicates that the Crystal Finance Millennium server and site were compromised on that day or shortly before.
The accounting firm was fortunate, however, in that the attackers did not compromise the firm's own software by pushing out a malware-laden update to its customers.
So far, Crystal Finance Millennium has taken the site offline and is working to resolve the issue in order to prevent further spread of the malware.