2015-02-05 - Design Gathering

Reveton's design refreshed - Winter 2015

"Snipshot" of the Reveton DK design :)

Those days Reveton is mainly pushed on adult traffic via "standalone" CVE-2015-0311 flash (posing as advert) calling an Xtea encoded stream.

After not far from 2 years with the same design it's now showing some fresh clothes.
This might be connected with Green Dot’s decision to stop selling MoneyPak Cards

Here in one image :

Reveton all in one
2015-02-05
Bigger : http://i.imgur.com/rtt1Iue.jpg

Here is the USA and default one (when your country has no specific one)

Reveton - US - 2015-02
(without MoneyPak)

Sample provided at the end of the post.
Launched that way :
%systemroot%\\system32\\rundll32.exe C:\DOCUME~1\ALLUSE~1\APPLIC~1\7BCB6BAED.cpp,work

Startup shortcut properties

C&C (for what it's worth...)

162.244.35.192

14576 | 162.244.32.0/22 | HOSTING-SOLUTIONS | US | king-servers.com | Hosting Solution Ltd.

173.224.124.73

30083 | 173.224.112.0/20 | SERVER4YOU | US | hostingsolutionsinternational.com | Andriy Balytskyy

Reveton phone home
2015-02-05

Now find your country :
(Missing : BE, CY, GR, LT, LV, MT,NZ ,SK,RO)

Austria :

Reveton - AT - 2015-02

Australia :

Reveton - AU - 2015-02

Canada :

Reveton - CA - 2015-02

Switzerland :

Reveton - CH - 2015-02

Czech

Reveton - CZ - 2015-02

Germany

Reveton - DE - 2015-02

Denmark

Reveton - DK - 2015-02

Spain :

Reveton - ES - 2015-02

Finland :

Reveton - FI - 2015-02

France :

Reveton - FR - 2015-02

Great Britain :

Reveton - GB - 2015-02

Ireland :

Reveton - IE - 2015-02

Italy :

Reveton - IT - 2015-02

Luxembourg

Reveton - LU - 2015-02

Mexico :

Reveton - MX- 2015-02

Netherlands :

Reveton - NL - 2015-02

Norway :

Reveton - NO - 2015-02

Poland :

Reveton - PL - 2015-02

Portugal :

Reveton - PT - 2015-02

Sweden :

Reveton - SE - 2015-02

Slovenia :

Reveton - SL - 2015-02

Turkey

Reveton - TR - 2015-02

It seems design for Arabic countries did not change (yet?). See United Arab Emirates for instance :

Reveton - AE - 2015-02

Files : One sample. sha256: a519f7e944aa9f7553687993c20e3abca0e62fae3566ad5bb32d2d7961662e54
The Designs ( it's not a small amount of work, if you use, please credit your source)

Read more :
Reveton ransomware has dangerously evolved - 2014-09-19 - Avast

