Kaspersky uncovered the complex infrastructure of Koler ransomware

Researchers at Kaspersky Lab issued a report on the Koler ransomware, which is targeting both Android devices and desktop browsers.

Experts at Kaspersky Lab published a report titled “Koler—The Police Ransomware for Android” that examines how bad actors behind the Reveton campaign have operated, Koler ransomware recently targeted Android users. The report on the Koler malware is more focused on the sophisticated infrastructure the Reventon team has used for its malicious campaign.

In May 2014, French researcher Kafeine, discovered new mobile ransomware named AndroidOS.Koler.a, the attack starts when victims will visit a pornographic website on their Android device, then they are redirected to a site which host a malicious .apk file used by criminals to lock the device’s screen and demands payment of a fee between $100 and $300.

Most of the visitors of pornographic website are from the US, a limited number of visits coming from the UK, Canada and Europe.

“Through these stats, we also confirmed that the campaign started in April 2014. At the time of our analysis, the landing website had received 196,619 visitors.”

Be aware, the installation of Koler ransomware is not automatic and requests victim intervention.

The malicious app requests for its installation a significant number of permissions, including the ability to access the Internet, read phone status and identity, to run at startup and to prevent the phone from sleeping.

July 23, something strange happened, the command and control server began sending uninstall commands to mobile devices infected by Koler malware. Only the mobile component used by Reventon team was apparently dismantled.

The expert noticed that while Koler ransomware is not a particularly complex malware, the infrastructure used for the criminal campaign is very versatile and complex.

“We believe this kind of infrastructure is a perfect example of how well prepared and dangerous these campaigns are. They are now targeting, but are not limited to, Android users. The attackers can quickly create a similar infrastructure thanks to its intricate automation, changing the payload or targeting different users,”“The attackers have also created many different ways of monetizing their campaign in a true multi-device schema.” states the report.

The distribution infrastructure used to spread the malware was far more complex than expected, it relies on a TDS (Traffic Distribution System) that targets both mobile devices and desktop visitor.

“That includes redirections to browser-based ransomware and the Angler exploit kit.” stated the report.

The experts uncovered another interesting feature implemented by the Reveton team, is the way it automated the creation of
new pornography sites and the redirection of traffic.

“They also used their malware as a service through an API to obtain new landing sites to distribute their browser-based ransomware and exploit kit websites.”

The network of porn websites is used by attackers to redirecting victims to the main controller domain of the campaign (videosartex[].us), which collects all the requests and redirects to either the mobile payload at the hxxp://video-porno-gratuit.eu, a browser-based ransomware site, or an Angler Exploit Kit site using the Keitaro traffic distribution system.

“We should keep in mind this [Angler] exploit kit is one of the tools of choice of Team Reveton. The use of Port 2980, which is not usual among other exploit kits, is one of the distinctive aspects of this exploit kit,”“The Angler exploit kit has exploits for Silverlight, Adobe Flash and Java. The use of Silverlight is quite common in Angler.” the report said.

Victims are advised not to pay the requested fee, who paid it never received an unlocking code or uninstall instructions.

“We believe this kind of infrastructure is a perfect example of how well prepared and dangerous these campaigns are. They are now targeting, but are not limited to, Android users. The attackers can quickly create a similar infrastructure thanks to its intricate automation, changing the payload or targeting different users. The attackers have also created many different ways of monetizing their campaign in a true multi-device schema.” closes the report.

Pierluigi Paganini

Security Affairs – (Koler, ransomware)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.