The web server of Crystal Finance Millennium, a Ukraine-based accounting software firm, has been compromised and used to host several different malware families.
This time, fortunately, the attackers did not tamper with the firm's software and push out a malware-laden update. Instead, the compromised server merely hosted the malware, and the company's website served it to visitors.
Malware researcher Bart Blaze noted (and other researchers confirmed) that there were three different malicious payloads:
- A downloader called Smoke Loader (aka Dofoil)
- A banking trojan called Chthonic
- A piece of ransomware called PSCrypt, which has targeted Ukrainian users in the past.
The Bitcoin address to which the ransom note directs victims received its first transaction on August 15, so the Crystal Finance Millennium server and site were most likely compromised on that date or shortly before it.
The CFM site is currently down, having been taken offline by the hosting provider, and Blaze advises against downloading any software from the company until it explicitly states that everything has been cleaned up.