Reveton Ransomware Adds Password Purloining Function

Author: Brian Donohue
minute read

The developers of Reveton have expanded that ransomware’s repertoire with a password stealing functionality, according to Stefan Sellmer at the Microsoft Malware Protection Center.

The developers of Reveton have expanded that ransomware’s repertoire with a password stealing functionality, according to new research.

Ransomware, sometimes called scareware, is a type of malware that locks down infected machines, offering to unlock them only after a fee has been paid. Oftentimes, the malware will presents a message on the screens of its victims, claiming that the user has committed some sort of infraction, and that a fine must be paid in order to unlock the machine. Of course, paying the fee generally accomplishes nothing.

Reveton is among the best-known ransomware strains. Microsoft first took note of the virus in January of last year. Oddly, Reveton started out as a password-stealer but quickly evolved into a piece of ransomware in May 2012, when we first wrote about it masquerading as a Justice Department violation in an attempt to extort $100 from victims, eventually prompting an FBI warning.

Those responsible for Reveton don’t develop their own exploits, but rather deploy kits like Blackhole and others in order to compromise target machines. Once the chosen exploit kit infiltrates its target, it installs the Reveton malware, which then phones home to its command and control server and begins extracting information about that system’s IP address, its Internet provider, country, and city, according to an analysis by Stefan Sellmer at the Microsoft Malware Protection Center

It also downloads a dynamic link library (DLL) in order to display lock screens on infected machines. Sellmer writes that once the screen is locked and the ransom note is displayed, the malware continues working in the background, requesting and installing a password stealer from its C&C.

The password stealer in the Reveton variant analyzed by Sellmer was capable of stealing passwords from “a comprehensive selection of file downloaders, remote control applications, FTP, poker, chat and e-mail clients, as well as passwords stored by browsers and in protected storage.”

Reveton also has a built-in portable executable loader, which means that it can easily upload almost any DLL installed on its C&C server.

Suggested articles

Cybersecurity for your growing business
Cybersecurity for your growing business

Topics

Show all

Authors

Threatpost

InfoSec Insider

Infosec Insider Post

Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Content

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.