The developers of Reveton have expanded that ransomware’s repertoire with a password stealing functionality, according to new research.

Ransomware, sometimes called scareware, is a type of malware that locks down infected machines, offering to unlock them only after a fee has been paid. Oftentimes, the malware will presents a message on the screens of its victims, claiming that the user has committed some sort of infraction, and that a fine must be paid in order to unlock the machine. Of course, paying the fee generally accomplishes nothing.

Reveton is among the best-known ransomware strains. Microsoft first took note of the virus in January of last year. Oddly, Reveton started out as a password-stealer but quickly evolved into a piece of ransomware in May 2012, when we first wrote about it masquerading as a Justice Department violation in an attempt to extort $100 from victims, eventually prompting an FBI warning.

Those responsible for Reveton don’t develop their own exploits, but rather deploy kits like Blackhole and others in order to compromise target machines. Once the chosen exploit kit infiltrates its target, it installs the Reveton malware, which then phones home to its command and control server and begins extracting information about that system’s IP address, its Internet provider, country, and city, according to an analysis by Stefan Sellmer at the Microsoft Malware Protection Center

It also downloads a dynamic link library (DLL) in order to display lock screens on infected machines. Sellmer writes that once the screen is locked and the ransom note is displayed, the malware continues working in the background, requesting and installing a password stealer from its C&C.

The password stealer in the Reveton variant analyzed by Sellmer was capable of stealing passwords from “a comprehensive selection of file downloaders, remote control applications, FTP, poker, chat and e-mail clients, as well as passwords stored by browsers and in protected storage.”

Reveton also has a built-in portable executable loader, which means that it can easily upload almost any DLL installed on its C&C server.

Categories: Malware