Websites hosting adult content are a preferred target of cyber criminals because visitors there tend to click quickly and without much thought. One such website, Xtube, has been compromised and is serving exploits that lead to all kinds of malware infections, including the infamous Cryptowall. Since Xtube is the 780th most visited website in the U.S., this is a matter of great concern.
Flash vulnerability exploited to serve malware
According to Malwarebytes, the website hosts a Neutrino exploit kit. In this case, the attackers injected the malicious code snippet directly into the website itself (a dynamic injection using rotating domains). Several redirectors lead the visitor to the page containing the exploit; in the next step, unpatched Flash plug-ins are exploited and the malware is delivered.
Ransomware rises again
The dropped file is named Xtube.exe. When run, the malware unpacks itself using the explorer.exe and svchost.exe processes. It turns out to be Cryptowall 3.0, which locks the user's files with RSA-2048 encryption. As one would expect, once the encryption process finishes, the ransomware demands payment through a Tor network address.
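The process behaviour described above (a dropper named Xtube.exe that unpacks itself through explorer.exe and svchost.exe) is the kind of thing a process-creation log can surface. The following is an added example, not code from the article or from Malwarebytes: a small ancestry check over constructed process-creation events. The field names mimic a Sysmon-style log but are an assumption, not a real schema, and the "system directory" prefix is a deliberately simple heuristic that would need tuning in a real deployment.

```python
# Added example (not from the original article): flag Windows system-named
# images (explorer.exe, svchost.exe) whose process ancestry includes a binary
# running outside the Windows directory, plus any process named Xtube.exe,
# the dropper name given in the article. Events below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Image names that normally only run from the Windows directory tree.
SYSTEM_IMAGES = {"explorer.exe", "svchost.exe"}
# Heuristic: anything under C:\Windows\ is treated as a system binary.
# (Assumption for the example; C:\Windows\Temp is writable and would need
# excluding in a real rule.)
SYSTEM_PREFIX = "c:\\windows\\"


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the newly created process
    cmdline: str


def _name(path: str) -> str:
    """Base name of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def _in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_PREFIX)


def _tainted_ancestor(e: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Optional[ProcEvent]:
    """Walk up the parent chain; return the first ancestor running from a
    non-system path, or None if the whole visible chain is system binaries."""
    seen = set()
    cur = by_pid.get(e.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)          # guard against pid reuse creating cycles
        if not _in_system_dir(cur.image):
            return cur
        cur = by_pid.get(cur.ppid)
    return None


def suspicious_spawns(events: List[ProcEvent]) -> List[str]:
    """Return human-readable findings, in event order."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[str] = []
    for e in events:
        name = _name(e.image)
        if name == "xtube.exe":
            findings.append(f"pid {e.pid}: dropper name Xtube.exe launched from {e.image}")
            continue
        if name in SYSTEM_IMAGES:
            if not _in_system_dir(e.image):
                findings.append(f"pid {e.pid}: {name} running from non-system path {e.image}")
                continue
            bad = _tainted_ancestor(e, by_pid)
            if bad is not None:
                findings.append(
                    f"pid {e.pid}: {name} descends from non-system process "
                    f"{bad.image} (pid {bad.pid})"
                )
    return findings


# Constructed sample: a normal service host, a normal desktop explorer, then a
# dropper in the user's Temp directory that starts explorer.exe, which in turn
# starts svchost.exe (the pattern the article describes).
SAMPLE_EVENTS = [
    ProcEvent(400, 1, r"C:\Windows\System32\services.exe", "services.exe"),
    ProcEvent(800, 400, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ProcEvent(1200, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(3000, 1200, r"C:\Users\alice\AppData\Local\Temp\Xtube.exe", "Xtube.exe"),
    ProcEvent(3100, 3000, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(3200, 3100, r"C:\Windows\System32\svchost.exe", "svchost.exe"),
]

if __name__ == "__main__":
    for line in suspicious_spawns(SAMPLE_EVENTS):
        print(line)
```

Running it prints three findings: the Xtube.exe launch itself, the explorer.exe started by it, and the svchost.exe two levels below it. The first three (legitimate) events produce nothing, which is the point of walking the ancestry rather than checking only the immediate parent: the second svchost.exe has a system-path parent, but its grandparent is the dropper.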
Cryptowall and other ransomware variants have been a persistent threat in 2015 and are gradually becoming the favourite tools of cyber criminals worldwide. Since the damage done by such threats is difficult to undo, users should always keep regular backups of their valuable files and documents to avoid ending up in a nasty situation.
The administrators of Xtube have been notified of the issue, and hopefully it will be resolved soon.
Have a nice (exploit-free) day!