Ransomware displays customised messages to victims from 30 countries
Mainly targeting visitors to porn sites, at least 48 such sites affected
KASPERSKY Lab said it has detected a hidden part of the malicious campaign which in April introduced the Koler ‘police’ mobile ransomware for Android devices to the world.
This part includes some browser-based ransomware and an exploit kit, the cybersecurity specialist said in a statement.
Since July 23, the mobile component of the campaign has been disrupted, as the command and control server started sending ‘Uninstall’ commands to mobile victims, effectively deleting the malicious application.
However, the rest of the malicious components for PC users – including the exploit kit – are still active. Kaspersky Lab said it is keeping an eye on the malware, which was first described by a security researcher named ‘Kaffeine.’
Those behind the attacks employed an unusual scheme to scan victims’ systems and offer customised ransomware depending on location and device type – mobile or PC.
The redirection infrastructure is the next step after a victim visits any of at least 48 malicious pornographic websites used by Koler’s operators.
The use of a pornographic network for this ransomware is no coincidence: Victims are more likely to feel guilty about browsing such content and pay the alleged fine from the ‘authorities,’ Kaspersky Lab said.
These porn sites redirect users to the central hub that uses the Keitaro Traffic Distribution System (TDS) to redirect users again, the company said.
Depending on a number of conditions, this second redirection can lead to three different malicious scenarios:
1) Installation of the Koler mobile ransomware
In case of mobile engagement, the website automatically redirects the user to the malicious application.
But the user still has to confirm the download and installation of the app – called animalporn.apk – which is actually Koler ransomware. It blocks the screen of an infected device and requests a ransom of between US$100 and US$300 in order to unlock it.
The malware displays a localised message from the ‘police,’ making it more realistic.
2) Redirection to any of the browser ransomware websites
A special controller checks whether (i) the user agent is from one of 30 affected countries, (ii) the user isn’t an Android user, and (iii) the request contains no Internet Explorer user agent.
If it’s ‘yes’ to all three, the user sees a blocking screen identical to the one used for mobile devices.
There is no infection in this case, just a pop-up showing a blocking template. However, the user can easily avoid the block with a simple Alt+F4 combination.
3) Redirection to a website containing the Angler Exploit Kit
If the user uses Internet Explorer, then the redirection infrastructure used in this campaign sends the user to sites hosting the Angler Exploit Kit, which has exploits for Silverlight, Adobe Flash and Java.
During Kaspersky Lab’s analysis, the exploit code was fully functional; however, it didn’t deliver any payload, but this may change in the nearest future.
“Of most interest is the distribution network used in the campaign. Dozens of automatically generated websites redirect traffic to a central hub using a traffic distribution system where users are redirected again,” said Vicente Diaz (pic)
, principal security researcher at Kaspersky Lab.
“We believe this infrastructure demonstrates just how well organised and dangerous this campaign is. The attackers can quickly create similar infrastructure thanks to full automation, changing the payload or targeting different users.
“The attackers have also thought up a number of ways of monetising their campaign income in a truly multi-device scheme,” he added.
Mobile payload numbers
Among almost 200,000 visitors to the mobile infection domain since the beginning of the campaign, the majority are based in the United States (80% or 146,650), followed by the United Kingdom (13,692), Australia (6,223), Canada (5,573), Saudi Arabia (1,975) and Germany (1,278).
Kaspersky Lab said it has shared its findings with both Europol and Interpol, and is currently cooperating with law enforcement agencies to explore possibilities for shutting down the infrastructure.
Tips for users:
Remember that you will never get official ‘ransom’ messages from the police, so never pay them;
Don’t install any app you find while browsing;
Don’t visit websites you don’t trust; and
Use a reliable antivirus solution.
Fortinet warns of ransomware targeting mobile devices
Cybercriminals shifting to more deceptive tactics: Microsoft
Parents worried about online dangers, especially porn and social networks
For more technology news and the latest updates, follow us on Twitter, LinkedIn or Like us on Facebook.