2012-09-19 - Evolution
Ransomware Casier - Sharing Design with Lyposit - Gaelic & Persian (?)
Malekal pointed me to a new evolution in the French design of Ransom Casier.
Screenshot of a part of Malekal's Post
Take a look at his post: it shows one affiliate panel that he was able to open. You'll see that it's really different from the panel shown by Xylitol when he infiltrated the "Gangstaservice Winlock Affiliate".
In the past there was one server for all affiliates (as shown by the server folder tree and HTTP calls, and illustrated by Xylitol). Now it looks like there is one server (or at least one vhost) per affiliate, with a failover to the master server (btw, the two do not seem to be using the same GeoIP database). If you are interested in knowing more about that, you know how to contact me.
They are now using the same design (or should we say, the services of the same designer) as Lyposit.
Lyposit Designs (see Botnets.fr Lyposit page)
Casier Designs (see Botnets.fr Casier page)
Lyposit was trying to target Ireland (but failed). It was targeting people with an Irish keyboard with an Iranian design.
Lyposit IR Design
It was a mistake (a misunderstanding?? between the designer and the creator of the Ransom Affiliate - ir != ie).
Casier is successfully targeting Ireland:
IE Design for Casier (One more (the?) Gaelic Ransomware)
Available Design for Casier
Affiliate Panel (cf Xylit0l blog, link at the end) with IR confusion
There is also a US design that was not available for Lyposit. It's obviously a different job.
Casier US Design
Some links:
Ransomware « Trojan.Casier » Panel - Malekal Morte - 2012-09-18
Gangstaservice Winlock Affiliate - Xylitol - 2012-08-01
Landings specific to Ireland (Landings_IE on Botnets.fr)
Lyposit page on botnets.fr
Casier page on botnets.fr
Goldenbaks page on botnets.fr (yes, in my opinion it's the past of Casier)
<edit1 02/10/12> Add Panel screens with IR error</edit1>