An attacker working off domains belonging to Chinese registrar BizCN has been moving the Cryptowall 4.0 ransomware via the Nuclear Exploit Kit.

In short order, the newest version of Cryptowall has begun showing up in exploit kits.

The SANS Internet Storm Center said on Tuesday that an attacker working off domains belonging to Chinese registrar BizCN has been moving the ransomware via the Nuclear Exploit Kit.

SANS ISC handler and Rackspace security engineer Brad Duncan said that until recently, Cryptowall 4.0 had been moved almost exclusively via malicious spam and phishing emails. He said this is the first time Cryptowall 4.0 has infected machines via an exploit kit.

“I’ve always expected 4.0 to spread and replace CryptoWall 3.0 in all areas. I noticed the same thing when CryptoWall 2.0 replaced the original CryptoWall in 2014. It didn’t happen immediately. It started with malicious spam and moved to exploit kits,” Duncan told Threatpost. “As criminals start delivering CryptoWall 4.0 through exploit kits, it won’t immediately happen with all exploit kits at the same time. You’ll start seeing it from one actor, then another, and another. At some point everyone will have moved to the new version.”

The attacker working from the BizCN domains recently switched IP addresses for their gate domains, which are intermediary servers between compromised websites and the server hosting the exploit kit. This actor, Duncan said, uses the Nuclear Exploit Kit to deliver malware.

“Gate servers can check for operating system or browser type from the user agent string in the HTTP headers sent by a potential victim. Depending on the user agent string, the Gate server will respond accordingly,” Duncan said. “With the BizCN gates, when the OS is not Windows, the gate server will respond with a ‘404 not found’ (no need to waste resources on a host that’s not vulnerable). If the user agent string shows a Windows host, the gate server will return a 200 OK, which will then generate traffic to an EK server.”
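The gating behaviour described above leaves a trace in web proxy logs that a defender can look for. The following is an added example, not code from Duncan's analysis or SANS ISC: a heuristic that flags hosts which answer every Windows user agent with 200 and every other user agent with 404. The log records, hostnames and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed user agent strings and proxy records (host, user_agent, status).
# Hostnames are placeholders, not indicators from the SANS ISC write-up.
UA_WIN = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
UA_MAC = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.7"
UA_LIN = "Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0"

SAMPLE_LOG = [
    ("gate.example.test", UA_WIN, 200),
    ("gate.example.test", UA_MAC, 404),
    ("gate.example.test", UA_LIN, 404),
    ("news.example.test", UA_WIN, 200),   # serves everyone: not gated
    ("news.example.test", UA_MAC, 200),
    ("dead.example.test", UA_WIN, 404),   # 404 for everyone: not gated
    ("dead.example.test", UA_LIN, 404),
    ("winonly.example.test", UA_WIN, 200),  # no non-Windows visits: no evidence
]


def is_windows(user_agent):
    """Classify a user agent string as Windows or not."""
    return "windows nt" in user_agent.lower()


def find_os_gated_hosts(records, min_each=1):
    """Return hosts that answer Windows clients with 200 and all others with 404.

    A host is only judged when at least `min_each` requests were seen from
    each group, so a host visited by one OS family alone is never flagged.
    """
    seen = defaultdict(lambda: {"win": [], "other": []})
    for host, user_agent, status in records:
        group = "win" if is_windows(user_agent) else "other"
        seen[host][group].append(status)

    flagged = []
    for host, groups in seen.items():
        win, other = groups["win"], groups["other"]
        if len(win) < min_each or len(other) < min_each:
            continue
        if all(s == 200 for s in win) and all(s == 404 for s in other):
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    print(find_os_gated_hosts(SAMPLE_LOG))
```

A hit is a lead for review rather than a verdict, since legitimate sites also serve platform-specific content; raising `min_each` reduces noise from hosts with very few requests.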

Duncan published an analysis today on the SANS ISC site that includes examples of URL patterns for BizCN gate traffic and other indicators of compromise. The move to Nuclear, Duncan said, won’t be exclusive; he expects other exploit kits, including Angler, to eventually redirect compromised sites their way. He also cautions that attackers will continue moving Cryptowall 4.0 via spam as well.

“They’re not moving from spam. We’ll still see CryptoWall 4.0 from malicious spam, even as we start seeing it more from exploit kits. This is just version 4.0 spreading and replacing version 3,” Duncan said. “Some criminal groups focus on malicious spam. Other groups use exploit kits.”

Cryptowall 4.0 surfaced earlier this month with updates that increase the difficulty of recovering files from compromised computers. Researchers at Bleeping Computer said the biggest change is that the ransomware now encrypts file names, in addition to data. The attackers also updated the ransom note victims are presented with to include mocking language that congratulates the victim for becoming part of the Cryptowall community.

Duncan also noticed some other subtle differences: the ransom note now calls the ransomware Cryptowall rather than Cryptowall 3.0, and the malware no longer checks the IP address of an infected host as it had before.

“Network traffic for CryptoWall 4.0 looks nearly identical to what we saw with 3.0, except for an absence of an IP address check by the malware,” Duncan said. “At this time, the snort-based signatures I’ve seen for CryptoWall 3.0 callback traffic are still valid for 4.0.”