Koler Ransomware Infrastructure Complex and Agile

Researchers at Kaspersky Lab report on the infrastructure supporting the Koler ransomware, which not only has components targeting Android devices, but also redirects desktop browsers to other ransomware and exploit kits.

While the Koler ransomware may be a simplistic money-generating malware scam, the infrastructure standing up its campaigns is anything but.

Researchers at Kaspersky Lab published a report today that not only explained details of how the attackers—possibly the group behind the Reveton ransomware—were until recently targeting Android users, but also how they’ve built an agile infrastructure that can be adapted to move in another direction and against other platforms.

“We believe this kind of infrastructure is a perfect example of how well prepared and dangerous these campaigns are. They are now targeting, but are not limited to, Android users. The attackers can quickly create a similar infrastructure thanks to its intricate automation, changing the payload or targeting different users,” the report “Koler—The Police Ransomware for Android” said. “The attackers have also created many different ways of monetizing their campaign in a true multi-device schema.”

Koler, uncovered in May by French researcher Kafeine, follows a typical ransomware pattern. Mobile users, in this case visiting a pornographic website on an Android device, are redirected to a site where a malicious .apk file awaits that locks the device’s screen and demands payment. However, as of July 23, the mobile part of the campaign has been taken down and the command and control server began sending uninstall commands to infected devices.

Figure: Koler distribution network

There are also provisions for infecting desktop users. A main controller domain, videosartex[.]us, receives all requests from the porn sites in the campaign and redirects visitors to one of three destinations: the mobile payload at the hxxp://video-porno-gratuit.eu domain, a browser-based ransomware site, or an Angler Exploit Kit site, using the Keitaro traffic distribution system.

“We should keep in mind this [Angler] exploit kit is one of the tools of choice of Team Reveton. The use of Port 2980, which is not usual among other exploit kits, is one of the distinctive aspects of this exploit kit,” the report said. “The Angler exploit kit has exploits for Silverlight, Adobe Flash and Java. The use of Silverlight is quite common in Angler.”

The mobile campaign’s landing page has had more than 196,000 visitors with the most activity happening in April. Since June 1, Kaspersky researchers said, only one malicious .apk file has been active, and a number of others have been deactivated. Most of the visitors to the landing page, and assumedly the victims, are from the United States with fewer visits coming from the United Kingdom, Canada and Europe.

The attackers, the report said, are not compromising existing porn sites, but instead are automating the creation of new sites with links to external pornography sites that provide adult content to this network and other legitimate networks.

“They also used their malware as a service through an API to obtain new landing sites to distribute their browser-based ransomware and exploit kit websites,” the report said.

As for the mobile campaign, the malicious .apk file is not automatically downloaded or installed. The report said the victim visits a porn site that is part of a distribution network of 48 sites created for the campaign, which redirects the device to the hxxp://video-porno-gratuit.eu domain where the .apk file awaits. The victim is tricked into downloading and running the app on the device. The malware then blocks the Android device and demands a fine of anywhere from $100 to $300, purportedly for viewing illegal material.

The malicious app gains a number of important permissions, including the ability to read phone status and identity, full network access, the ability to run at startup and to prevent the phone from sleeping. It connects to a command and control server at policemobile[.]biz (currently, this is the only mobile command domain that remains active) and sends the phone’s IMEI identification number to the attackers. On the server side, the code checks the location of the source IP address and sends back a region-specific blocking template and appropriate law enforcement message. Victims who do decide to pay the fine via MoneyPak, Ukash or PaySafe never receive an unlocking code or uninstall instructions, the report said.
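Taken together, the indicators the report gives (the three named domains, the unusual port 2980 used by this Angler deployment, and the permission set the .apk requests) are enough for a first-pass detection on a proxy log or an app triage queue. The following is an added example, not code from Kaspersky's report: it checks a constructed AndroidManifest.xml for that permission set and scans constructed proxy log lines for the named domains and port. The standard Android permission names are my mapping of the capabilities the article lists, and the log line format is assumed.

```python
import re
import xml.etree.ElementTree as ET
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Standard Android permission names for the four capabilities the report lists.
KOLER_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE",       # read phone status and identity
    "android.permission.INTERNET",               # full network access
    "android.permission.RECEIVE_BOOT_COMPLETED", # run at startup
    "android.permission.WAKE_LOCK",              # prevent the phone from sleeping
}
# Infrastructure the report names; the distinctive Angler port is checked separately.
KOLER_DOMAINS = {"videosartex.us", "video-porno-gratuit.eu", "policemobile.biz"}
ANGLER_PORT = 2980

def manifest_permissions(manifest_xml):
    """Set of <uses-permission> names declared in an AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def koler_permission_match(manifest_xml):
    """True when the manifest requests the whole permission set attributed to Koler."""
    return KOLER_PERMISSIONS <= manifest_permissions(manifest_xml)

# Assumed log format: "<timestamp> <client-ip> <host>:<port> <method> <path>"
LOG_RE = re.compile(r"^\S+ (?P<src>\S+) (?P<host>[^:\s]+):(?P<port>\d+)")

def scan_proxy_log(lines):
    """Return (line_no, reason) for lines touching Koler domains or the Angler port."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        host = m.group("host").replace("[.]", ".").lower()  # accept defanged hosts
        if host in KOLER_DOMAINS or any(host.endswith("." + d) for d in KOLER_DOMAINS):
            hits.append((n, "known Koler domain " + host))
        elif int(m.group("port")) == ANGLER_PORT:
            hits.append((n, "outbound to port %d (Angler indicator)" % ANGLER_PORT))
    return hits

# Constructed sample inputs (not taken from the report).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>"""
SAMPLE_LOG = [
    "2014-07-23T10:00:01 10.0.0.5 videosartex.us:80 GET /",
    "2014-07-23T10:00:02 10.0.0.5 example.org:443 GET /index.html",
    "2014-07-23T10:00:03 10.0.0.7 203.0.113.9:2980 GET /landing",
]
```

The permission set on its own is common to many legitimate apps, so treat a manifest match as a triage signal to combine with the network indicators rather than a verdict.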

Kaspersky researchers wrote that the infrastructure is flexible and automated to the point that the attackers can quickly shift gears.

“This campaign is all about the distribution infrastructure used, expanding the fraud to desktop users and using an exploit kit infrastructure to distribute malware,” the report said. “Because of this, attackers can very quickly create new campaigns in a highly automated fashion.

“This kind of campaign will be the norm in the future,” the report said.
