The ransomware displays customized messages to victims from 30 countries
Kaspersky Lab has uncovered a previously hidden part of the malicious campaign that introduced the Koler ‘police’ mobile ransomware for Android devices in April 2014. This part includes browser-based ransomware and an exploit kit. Since 23 July 2014 the mobile component of the campaign has been disrupted: the command and control server began sending ‘Uninstall’ commands to mobile victims, effectively deleting the malicious application. The remaining components aimed at PC users, including the exploit kit, are still active. Kaspersky Lab continues to monitor the malware, which was first described by the security researcher known as Kafeine.
Those behind the attacks employed an unusual scheme: they fingerprint each visitor and serve customized ransomware depending on location and device type, mobile or PC. The chain starts when a victim visits any of at least 48 malicious pornographic websites run by Koler’s operators, which then hand the visitor to a redirection infrastructure. The choice of pornographic sites for this ransomware is no coincidence: victims are more likely to feel guilty about having browsed such content and to pay the alleged fine from the ‘authorities’.
These pornographic sites redirect users to a central hub that uses the Keitaro Traffic Distribution System (TDS) to redirect them a second time. Depending on a number of conditions, this second redirection can lead to three different malicious scenarios:
Commenting on the new findings on Koler, Vicente Diaz, Principal Security Researcher at Kaspersky Lab, said: “Of most interest is the distribution network used in the campaign. Dozens of automatically generated websites redirect traffic to a central hub using a traffic distribution system where users are redirected again. We believe this infrastructure demonstrates just how well organized and dangerous this campaign is. The attackers can quickly create similar infrastructure thanks to full automation, changing the payload or targeting different users. The attackers have also thought up a number of ways of monetizing their campaign income in a truly multi-device scheme.”
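The redirect chain described above (feeder site, TDS hub, device-dependent landing page) is the kind of pattern a defender would look for in web proxy logs. The following Python is an added example and is not code from Kaspersky Lab or from the report it summarizes: it reconstructs per-client chains by following the Referer header from constructed log lines and flags clients that reached a hub from a known feeder site, recording the device class they presented and where the hub sent them. All hostnames, IP addresses and log lines are invented for the example.

```python
import re
from collections import defaultdict

# Hypothetical hostnames standing in for the feeder sites and the TDS hub;
# none of these are the real campaign's domains.
TDS_HUB = "tds-hub.example"
FEEDER_SITES = {"site1.example", "site2.example"}

# Constructed proxy log lines, one request per line:
#   client_ip host status referer user_agent
SAMPLE_LOG = """\
10.0.0.5 site1.example 302 - Mozilla/5.0 (Linux; Android 4.4; Nexus 5 Build/KOT49H) AppleWebKit/537.36 Chrome/33.0 Mobile Safari/537.36
10.0.0.5 tds-hub.example 302 site1.example Mozilla/5.0 (Linux; Android 4.4; Nexus 5 Build/KOT49H) AppleWebKit/537.36 Chrome/33.0 Mobile Safari/537.36
10.0.0.5 apk-drop.example 200 tds-hub.example Mozilla/5.0 (Linux; Android 4.4; Nexus 5 Build/KOT49H) AppleWebKit/537.36 Chrome/33.0 Mobile Safari/537.36
10.0.0.7 site2.example 302 - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/35.0 Safari/537.36
10.0.0.7 tds-hub.example 302 site2.example Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/35.0 Safari/537.36
10.0.0.7 ek-landing.example 200 tds-hub.example Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/35.0 Safari/537.36
10.0.0.9 news.example 200 - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/35.0 Safari/537.36
"""


def parse_line(line):
    """Split one log line; the user agent is the remainder and may contain spaces."""
    ip, host, status, referer, ua = line.split(" ", 4)
    return {"ip": ip, "host": host, "status": int(status),
            "referer": None if referer == "-" else referer, "ua": ua}


def device_class(ua):
    """Coarse device fingerprint of the kind a TDS branches on."""
    return "android" if re.search(r"\bAndroid\b", ua) else "pc"


def reconstruct_chains(log_text):
    """Group requests per client and link them into a chain by Referer."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            per_client[rec["ip"]].append(rec)

    chains = {}
    for ip, recs in per_client.items():
        by_referer = defaultdict(list)
        for rec in recs:
            by_referer[rec["referer"]].append(rec)
        # Start from the request with no Referer and follow host -> Referer links.
        chain, referer = [], None
        while by_referer.get(referer):
            rec = by_referer[referer].pop(0)
            chain.append(rec)
            referer = rec["host"]
        chains[ip] = chain
    return chains


def find_tds_victims(log_text, hub=TDS_HUB, feeders=FEEDER_SITES):
    """Return clients that reached the hub from a feeder site and were sent on."""
    findings = []
    for ip, chain in reconstruct_chains(log_text).items():
        hosts = [rec["host"] for rec in chain]
        if hub not in hosts:
            continue
        i = hosts.index(hub)
        # The TDS pattern needs a known feeder before the hub and a landing
        # page after it; a bare hit on the hub alone is not enough.
        if i == 0 or hosts[i - 1] not in feeders or i + 1 >= len(hosts):
            continue
        findings.append({
            "ip": ip,
            "device": device_class(chain[i]["ua"]),
            "feeder": hosts[i - 1],
            "landing": hosts[i + 1],
        })
    return findings


if __name__ == "__main__":
    for finding in find_tds_victims(SAMPLE_LOG):
        print(finding)
```

Grouping the findings by device class and landing host is what reveals the branching: in the constructed data the Android client is sent to one host and the Windows client to another from the same hub. The client that never touched a feeder site or the hub is not reported.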
Of the almost 200,000 visitors to the mobile infection domain since the beginning of the campaign, the majority (80%, or 146,650) are based in the USA, followed by the UK (13,692), Australia (6,223), Canada (5,573), Saudi Arabia (1,975) and Germany (1,278).
Kaspersky Lab has shared its findings with both Europol and Interpol, and is currently cooperating with law enforcement agencies to explore possibilities for shutting down the infrastructure.
Kaspersky Lab detects this ransomware as Trojan.AndroidOS.Koler.a.
The full report is available at securelist.com