Jump to content

Reveton ransomware has dangerously evolved


Recommended Posts

The old ransomware business model is no longer enough for malware authors. New additions have made Reveton into something even more powerful.


The latest generation of Reveton, the infamous “police” lock screen/ransomware, targets new black market business. The authors upped the ante of the despised malware from a LockScreen-only version to a dangerously powerful password and credentials stealer by adding the last version of Pony Stealer. This addition affects more than 110 applications and turns your computer to a botnet client.

Reveton also steals passwords from 5 crypto currency wallets. The banking module targets 17 German banks and depends on geolocation. In all cases, Reveton contains a link to download an additional password stealer. The most common infection is via the well-known exploit kits, FiestaEK, NuclearEK, SweetOrangeEK, etc.

Pony stealer module
Reveton uses one of the best password/credentials stealer on the malware scene today. Pony authors conduct deep reverse engineering work which results in almost every password decrypted to plain text form. The malware can crack or decrypt quite complex passwords stored in various forms.

The stealer includes 17 main modules like OS credentials, FTP clients, browsers, email clients, instant messaging clients, online poker clients, etc and over 140 submodules.


OS functions:
Deep System Info, ScreenSaver password, LSA local, Windows passwords and certificates, RAS, ASP/.NET credentials, Groups passwords, Proxy, WinSocks, WinInet pipe etc.

FTP Clients:
32bit, BulletProofFTP, BitKinex, ClassicFTP, CoffeeCup, CoreFTP, CuteFTP, DOpus, ExpanDrive, FAR, FFFTP, FTPCommander, FTPControl, FTPExplorer, FTPRush, FTPUploader, FileZilla, FlashFXP, Fling, FreeFTP, Frigate3, LeapFTP, NetDrive, SecureFX, SmartFTP, SoftX, TurboFTP, UltraFXP, WS_FTP, WebDrive, WebSitePublisher, WinSCP, Windows/Total Commander

RDP/VPN Clients:
CiscoVPN, FreeCall, PC Remote Control, Remote Desktop Connection, WinVNC
Instant Messaging Clients:
AIM, AIMPRO, Astra, CamFrog, Digsby, Excite, Faim, GTalk, Gaim, Gizmo, ICQ2003, ICQ99b, IM2, JAJC, LiveMessenger, MSN, Miranda, MySpace, Odigo, PSI, PalTalk, Pandion, Pidgin, QIP, QIPOnline, R&Q, SIM4, Trillian, VypressAuvis, Yahoo

DialerQueen, EDialer, FDialer, MDialer, VDialer

Download tools:
Download Master, FlashGet, GetRight, Internet Download Accelerator

Online Poker Clients:
888Poker, AbsoluteCommon, AbsolutePoker, CakePoker, FullTiltPoker, PartyPoker, PokerStars, TitanPoker, UltimateBetPoker

Browser clients:
Chrome, Firefox, Flock, IE, Opera, Safari, SeaMonkey, Thunderbird, + Browser_History, Browser_Socks, System_Socks

Email Clients / Accounts:
Becky, Eudora, ForteAgent, Gmail, GroupMailFree, IncrediMail, MailCommander, Outlook, POPPeeper, PocoMail, Scribe, TheBat, Windows Mail, mail.ru

Crypto currency module
The crypto currency module steals passwords of the most widely used wallets. The malware can close QT wallets and imitate the login screen after the next execute.


List of wallets and crypto currencies:
*-QT wallets, Armory wallet, Electrum wallet, Multibit wallet, Multidodge wallet, Offspring wallet, BitCoin, BlackCoin, DarkCoin, DodgeCoin, LiteCoin, VertCoin

Banker module
The list of banks is based on geolocation. Our version includes 17 German banks. This module searches browser history and cookie files.


List of banks:
bank1saar.de, berliner-bank.de, comdirect.de, commerzbanking.de, cortalconsors.de, deutsche-bank.de, dkb.de, bawagpsk.com, fiducia.de, flessabank.de, gecapital.de, haspa.de, hypovereinsbank.de, norisbank.de, psd-bank.de, postbank.de, sparda.de

Lockscreen module
This part of Reveton malware has been upgraded, too. The authors divided the program into multiple threads, changed the encryption, saved the payload to registry, and recreated communication with C&C servers.


Reveton has also prepared another password stealer downloaded from the Papras family. This malware is not as effective as the Pony but contains a powerful AV kill/disable function.


Mysterious hashes
We found 2 md5 hashes hardcoded deep inside the Reveton payload. The first is used to verify the generated user ID. If it matches, the system does not send information about the infected computer. This probably protects the author while testing or developing malware. Unfortunately, the UserID calculation algo is too complex for hash cracking.
UsedID is MD5 hash of ({ComputerName}+{EnumDisplayDevices}+{HDD SerialNumber}) XOR 029Ah


The second hash is used for verification of the inserted unlock key (ukash/paysafe code). Reveton can be terminated if the MD5 hash of the inserted key is identical to the hardcoded one. We call it “Hash of master unlock key.”


Boot to another OS from USB flash disk or DVD.
Find suspicious .lnk file in Startup menu (explorer.lnk, system.lnk etc.)
Find path to malware binary at lnk file properities. (probably .cpp file)
Delete lnk file and malware binary from link path
Boot to your system and check which service reports an error
Remove that service from the system
Find “ACID” string in the registry and delete keys around (hex=78,01,…)
Change passwords for all accounts and online services!!!

* You can try to find RUNDLL32.EXE-*-F.txt file where all stolen passwords are stored.

Analyzed Samples:

Protect yourself with regular backups
The best protection against LockScreen or CryptLocker malware is frequent backups of all your important files, documents, and photos.

As we have shown, the high profits from the former Reveton model, unlocking the infected computer after the user pays a ransom, is not enough. Malware authors have decided to enter into a new black business area. Passwords to various systems and crypto currency wallets are a very lucrative commodity today. Some passwords (FTP, emails, IM…) are perfectly suited for spreading their malware and build stronger botnets.

Source: http://blog.avast.com/2014/08/19/reveton-ransomware-has-dangerously-evolved/

Link to comment
Share on other sites

  • Replies 1
  • Views 1.4k
  • Created
  • Last Reply


This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...