Another Ukrainian software maker’s site compromised to spread malware

The web server of Crystal Finance Millennium, a Ukraine-based accounting software firm, has been compromised and made to host different types of malware.

The discovery of the compromise was accompanied by fear that there could be a repeat of the destructive NotPetya attack, which was traced back to hacked servers of Ukrainian software maker MeDoc.

This time, fortunately, the attackers did not compromise the firm’s software and push out an update laden with malware. Instead, the compromised server only hosted the malware, and the company’s Web site served it.

The attackers also sent out phishing emails to a variety of targets. The emails included a zipped JavaScript file that, once run, would download the actual malware from the Crystal Finance Millennium site.

Malware researcher Bart Blaze noted (and other researchers confirmed) that there were three different malicious payloads:

• A downloader called Smoke Loader (aka Dofoil)
• A banking trojan called Chthonic
• A piece of ransomware called PSCrypt, known for hitting Ukraine in the past.

The Bitcoin address to which the victims of the ransomware are instructed to send the ransom has received the first transaction on August 15, so it’s likely that the Crystal Finance Millennium server and site were compromised on that date or a bit earlier.

The CFM site is currently down, having been taken offline by the hosting provider, but Blaze says it’s a good idea not to download any software from the company until they explicitly say that they have cleared everything up.