2014-05-04 - Landscape

Police Locker land on Android Devices



The "Reveton team" has diversified its locking activity. The advert is old (2014-02-18) but i decided to write about it today as I found a TDS using almost all features proposed by this affiliate including the android locker.


Text of the Advert :
------------------------------------------
Microsoft Corporate Group

Sploit / Filtration System / Syslocker /CryptoLock /Block Android Mobile 

Предлагаем вам технические ресурсы и отличное решение для вашего adult и not adult трафика.

Предлагаем вам следующие услуги:

Использование нашей связки: (возможна аренда)
- единственное приватное решение с высоким пробивом
- обслуживание 24/7
- всегда чистые сплоиты и домены
- API и детальная статистика


Возможность использования наших скриптов для слива трафика:
- простое размещение в два клика
- предоставления API для генерации чистых доменов
- безопасное перенаправление, не подставляющее ваш сайт под удар антивирусов
- возможность установки на ваших серверах
- различные варианты размещения - баннеры, попандер, инжект в стандартные js библиотеки

Дополнительные услуги:
- флеш-баннер для установки на сайты
- патч штатных скриптов типа swfobject, jquery, etc..
- анимированные картинки со встроенным фреймом
В любом случае устанавливаются фильтры, адаптированные под выдачу связOK



* * * * * Syslocker * * * * *

Высоко прибыльный вариант для windows adult трафика

- большой диапазон принимаемых стран
- уникальное решение блокировки
- собственный обмен чеков по наилучшему курсу на рынке или выдача сырыми чеками
- постоянные чистки билда

* * * * * FAKE AV * * * * *

Самое лучшее решение для not adult трафика.

- высокое ратио
- уникальный дизайн, вызывающий доверие юзера
- грамотный развод на покупку подписки
- еженедельные выплаты
- подробная статистика
- своевременные чистки файла
- предоставление API

* * * * * Browlock * * * * *

Единственное решение, позволяющее конвертировать трафик Linux, MacOS и Windows

- не используется связка
- не требует дополнительных действий от юзера
- большой выбор стран для конвертации, включая арабские страны
- контроль за чистотой доменов и скриптов
- детальная статистика по браузерам
- возможность отсылки не уникального трафика на ваш URL

* * * * * Fake Codecs * * * * *

Слив трафика на наши fake codecs лендинг:
- высокий % загрузок без использования сплоитов
- загрузки идут со всех браузеров семейства Windows
- минимум абуз
- принудительно-добровольная форма установки кодеков
- adult/not adult дизайны
- постоянно чистое ехе


Контакт через ПМ.
------------------------------------------
Translated by Google as :
------------------------------------------
Microsoft Corporate Group

Sploit / Filtration System / Syslocker / CryptoLock / Block Android Mobile

We offer you the technical resources and a great solution for your adult and not adult traffic.

We offer you the following services :

Using our bundles : ( available for rent )
- The only private solution with high punching
- Service 24/7
- Always clean and sploitov domains
- API and detailed statistics


The ability to use our browser to drain traffic :
- Simple accommodation in two clicks
- Provide an API to generate net domains
- Safe redirection , not to expose your site under attack antivirus
- The ability to install on your servers
- Different types of accommodation - banners, popander , inject into standard js library

Additional services:
- Flash banner for installation on sites
- Patch staff browser type swfobject, jquery, etc ..
- Animated pictures with built-in frame
In any case, set filters , adapted to the issuance svyazOK



***** Syslocker *****

Highly profitable option for windows adult traffic

- Large range of host country
- A unique solution lock
- Own checks on the best exchange rate in the market or the issuance of raw checks
- Constant cleaning build

***** FAKE AV *****

The best solution for not adult traffic.

- High Ratio
- Unique design , credible nick
- Competent divorce to purchase a subscription
- Weekly payments
- Detailed statistics
- Timely file cleaning
- Providing API

***** Browlock *****

The only solution to convert traffic Linux, MacOS and Windows

- Do not use a bunch of
- Requires no additional action from the user
- Large selection of countries for conversion , including the Arab countries
- Purity test domains and browser
- Detailed statistics for browsers
- Not possible to send traffic to your unique URL

***** Fake Codecs *****

Draining traffic to our fake codecs Landing :
- High% of downloads without sploitov
- Download all browsers come with the Windows family
- A minimum of abuse
- Forced and voluntary form fitting codecs
- Adult / not adult designs
- Constantly clean exe


Contact via PM .
------------------------------------------

The group (individual?) that was behind the Nertra Ransomware which is now working as partner with Reveton has a TDS using almost all features :

If you land on it with Internet Explorer :
Angler EK --> Reveton.
Landing on Nertra Guys TDS redirecting to their Angler EK Thread dropping Reveton
Payload for instance :
d88c3f56565b18e95cf9bd0ebbd86d97

If you land on it with another Browser on Windows/Linux or Mac you get a Browlock :

Landing on Nertra Guys TDS redirecting to their Browlock  (By Reveton Team) Thread
Note that this one is going the awfull way in US (cf my last tweet) :


If you land on it with Android then you'll be redirected to a website that will push the download of the APK to the mobile without interaction. Note : no installation. User has to do an action. So it's Social Engineering.

Same TDS from Nertra actors pushing you on a Fake porn website (hosted on same IP as the TDS btw) which will drop an apk on the device.

The apk : fb14553de1f41e3fcdc8f68fd9eed831



Manually installing the dropped apk.
(Note the : prevent phone from sleeping :) )


Next step.
And here is what you'll get on reboot or if you manually launch this application from France :

Say Hello to Mr. Hollande and "Reveton" team on your mobile.
From United States :

Now Classic Ransomware Design in the US
(I checked to see if their was some CP for US there too. No)
Payment :
When you scroll down
(Note on Tablet this part will be on the Right as the page AutoScale)


Apktools on it.
./res/values/arrays.xml
Self-explanatory
http://pastebin.com/XTTH4P9q

Webview calling the Ransomware Design for NL.
It seems they are on that range :
94.228.208.227 --> 249
47869 | 94.228.208.0/20 | NETROUTING | NL | NETROUTING.EU | NETROUTING

I didn't try to dig and understand the data sent in the get call. (maybe IMEI, Mobile model etc..)
The locker is kind of effective. You can go on your homescreen but nothing else seems to work.
Launching Browser, callings Apps, or "list of active task" will bring the Locker back.

Recorded activity while trying to see how to get rid of it


I checked the design available are indeed those announced in the advert and are not worth being gathered as they are classic. (31 countries : AT - AU - BE - BO - CA- CH - CZ- DE - DK - EC - ES - FI - FR - GB - GR - HU - IE - IT - LV - MX - NL - NO - NZ - PL - PT - RO - SE - SI - SK - TR - US)

<edit1>
As per some request here are some design :
Koler.A NL
Whole page (i won't capture it for other countries is like)

NL - Full
NL on larger Screen

Koler.A - CH

Koler.A GB
Koler.A PL
Koler.A FI
Koler.A TR
Koler.A MX

Koler.A DE
Koler.A IE
Koler.A ES
Koler.A SK
Koler.A AU
Koler.A NZ
Koler.A SI
Koler.A RO
Koler.A PT
Koler.A NO

Koler.A LV

</edit1>

Files: AndroidLocker_2014-05-04.zip -  fb14553de1f41e3fcdc8f68fd9eed831
Note : e94467ac7e705cbd0cc31be624a88d5e is another one. Same threat. Same Affiliate. Other Actor (name was: BSplayer-latest-android.apk )

Read More:
Android Ransomware Predictions Hold True - 2013-09-11 - Roberto Sponchioni
Reveton planting "evidences" on "the crime scene" -  2013-12-04
Reveton "Spring Collection" is ... disappointing - New countries Targeted - 2013-04-02