Reveton ransomware has dangerously evolved
The latest generation of Reveton, the infamous "police" lock screen/ransomware, targets new black market business. The authors upped the ante of the despised malware from a LockScreen-only version to a dangerously powerful password and credentials stealer by adding the last version of Pony Stealer. This addition affects more than 110 applications and turns your computer to a botnet client.
Reveton also steals passwords from 5 crypto currency wallets. The banking module targets 17 German banks and depends on geolocation. In all cases, Reveton contains a link to download an additional password stealer. The most common infection is via the well-known exploit kits, FiestaEK, NuclearEK, SweetOrangeEK, etc.
Reveton use one of the best password/credentials stealer on the malware scene today. Pony authors conduct deep reverse engineering work which results in almost every password decrypted to plain text form. The malware can crack or decrypt quite complex passwords stored in various forms.
The stealer includes 17 main modules like OS credentials, FTP clients, browsers, email clients, instant messaging clients, online poker clients, etc and over 140 submodules.
Deep System Info, ScreenSaver password, LSA local, Windows passwords and certificates, RAS, ASP/.NET credentials, Groups passwords, Proxy, WinSocks, WinInet pipe etc.
32bit, BulletProofFTP, BitKinex, ClassicFTP, CoffeeCup, CoreFTP, CuteFTP, DOpus, ExpanDrive, FAR, FFFTP, FTPCommander, FTPControl, FTPExplorer, FTPRush, FTPUploader, FileZilla, FlashFXP, Fling, FreeFTP, Frigate3, LeapFTP, NetDrive, SecureFX, SmartFTP, SoftX, TurboFTP, UltraFXP, WS_FTP, WebDrive, WebSitePublisher, WinSCP, Windows/Total Commander
CiscoVPN, FreeCall, PC Remote Control, Remote Desktop Connection, WinVNC
AIM, AIMPRO, Astra, CamFrog, Digsby, Excite, Faim, GTalk, Gaim, Gizmo, ICQ2003, ICQ99b, IM2, JAJC, LiveMessenger, MSN, Miranda, MySpace, Odigo, PSI, PalTalk, Pandion, Pidgin, QIP, QIPOnline, R&Q, SIM4, Trillian, VypressAuvis, Yahoo
DialerQueen, EDialer, FDialer, MDialer, VDialer
Download Master, FlashGet, GetRight, Internet Download Accelerator
888Poker, AbsoluteCommon, AbsolutePoker, CakePoker, FullTiltPoker, PartyPoker, PokerStars, TitanPoker, UltimateBetPoker
Chrome, Firefox, Flock, IE, Opera, Safari, SeaMonkey, Thunderbird, + Browser_History, Browser_Socks, System_Socks
Becky, Eudora, ForteAgent, Gmail, GroupMailFree, IncrediMail, MailCommander, Outlook, POPPeeper, PocoMail, Scribe, TheBat, Windows Mail, mail.ru
The crypto currency module steals passwords of the most widely used wallets. The malware can close QT wallets and imitate the login screen after the next execute.
*-QT wallets, Armory wallet, Electrum wallet, Multibit wallet, Multidodge wallet, Offspring wallet, BitCoin, BlackCoin, DarkCoin, DodgeCoin, LiteCoin, VertCoin
The list of banks is based on geolocation. Our version includes 17 German banks. This module searches browser history and cookie files.
bank1saar.de, berliner-bank.de, comdirect.de, commerzbanking.de, cortalconsors.de, deutsche-bank.de, dkb.de, bawagpsk.com, fiducia.de, flessabank.de, gecapital.de, haspa.de, hypovereinsbank.de, norisbank.de, psd-bank.de, postbank.de, sparda.de
This part of Reveton malware has been upgraded, too. The authors divided the program into multiple threads, changed the encryption, saved the payload to registry, and recreated communication with C&C servers.
Reveton has also prepared another password stealer downloaded from the Papras family. This malware is not as effective as the Pony but contains a powerful AV kill/disable function.
We found 2 md5 hashes hardcoded deep inside the Reveton payload. The first is used to verify the generated user ID. If it matches, the system does not send information about the infected computer. This probably protects the author while testing or developing malware. Unfortunately, the UserID calculation algo is too complex for hash cracking.
UsedID is MD5 hash of ({ComputerName}+{EnumDisplayDevices}+{HDD SerialNumber}) XOR 029Ah
The second hash is used for verification of the inserted unlock key (ukash/paysafe code). Reveton can be terminated if the MD5 hash of the inserted key is identical to the hardcoded one. We call it "Hash of master unlock key."
Try to break the hash, and help save infected computers.
* You can try to find RUNDLL32.EXE-*-F.txt file where all stolen passwords are stored.
Analyzed Samples:
209B606203E60B9C3ABDBB27D7F93A2D8A60A87C4AB2E7749A9522C17F4511F2
4998A47D1ECB8C80E3AC5BAF743E87CC3546322335EDF89CE4A9AB1EF5420F69
The best protection against LockScreen or CryptLocker malware is frequent backups of all your important files, documents, and photos. The most secure way is to backup to online storage or the cloud because some malware encrypts data on all connected devices, local network drives, and NAS servers. You can use our avast! BackUp solution for example.
As we have shown, the high profits from the former Reveton model, unlocking the infected computer after the user pays a ransom, is not enough. Malware authors have decided to enter into a new black business area. Passwords to various systems and crypto currency wallets are a very lucrative commodity today. Some passwords (FTP, emails, IM...) are perfectly suited for spreading their malware and build stronger botnets.
The avast! Malware Analyst Workforce is preparing a white paper with a lot of deep technical and reversing details. Stay tuned!
Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+. Business owners – check out our business products.
1988 - 2024 Copyright © Avast Software s.r.o. | Sitemap Privacy policy