The first wave of malware includes Pony, which steals usernames and passwords and sends the data to attacker-run C&C servers. Once armed with this data, the miscreants gain access to servers and CMS systems which broadly disseminates the malicious script.
Next, victims' web sessions are highjacked so they are brought to a variety of domains onto which the notorious, off-the-shelf exploit kit Angler is dropped. The kit – able to integrate zero-day vulnerabilities and a number of other exploits – then scans for flaws in Windows and other software that is not up to date. When it finds an entryway, Angler takes advantage to force-feed CryptoWall 4.0 into victims' systems.The assault reportedly originated from Ukraine and first infected computers in Denmark, but has spread beyond Europe.
Angler is particularly nasty as it can evade detection by traditional AV products.