2013-10-21 - Evolution
Kovter becomes even more abominable. It also adds new targets.
Kovter NL Design
Kovter is following Revoyem's path.
Double shock on victims and new targeted countries.
This evolution has been spotted by Rich from Malwarebytes
Malware-Ransomers Getting Very Sick. Now popping child porn links in browser before blocking computer! #ransomer
— Shadowwar (@RichardMatteo1) October 21, 2013
In this case the first part of the work (shocking victims with a CP website) is not done by a traffer / web redirection prior to infection, as some traffers for the Styx Revoyem thread were doing, but by the malware itself.
Kovter Fiddler trace 2013-10-21 (thanks to the comment pointing out a non-blurred zone)
I made a design gathering session. They dropped the Prism theme for the US and are back to the former design:
Kovter US - Default (failover) 2013-10-21
They already added Germany at the end of September (spotted by Malekal on 2013-09-29).
Kovter DE 2013-10-21
Kovter FR 2013-10-21
Kovter ES 2013-10-21
Kovter GB 2013-10-21
Kovter IT 2013-10-21
Kovter NL 2013-10-21
Kovter TR 2013-10-21
Files:
Sorry. Removed.
Exploit Kit pushing it:
The fast-moving Sakura (domains in .pl), previously on
78.129.143.10
20860 | 78.129.128.0/17 | IOMART | GB | IOMARTHOSTING.COM | IOMART HOSTING LIMITED
Now on
85.17.122.118:9716265 | 85.17.0.0/16 | LEASEWEB | NL | LEASEWEB.COM | LEASEWEB B.V.
50.7.193.124
30058 | 50.7.192.0/19 | FDCSERVERS | CZ | FDCSERVERS.NET | FDCSERVERS.NET
svoirdwiz .biz
svoirdwiz .org
<edit1 2013-11-27>
C&C
217.23.14.182
49981 | 217.23.0.0/20 | WORLDSTREAM | NL | WORLDSTREAM.NL | WORLDSTREAM
fz3omega.biz
</edit1>
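As an added example (not part of the original post), here is a small Python matcher that takes the indicators listed above, undoes the post's "domain .tld" defanging, parses the "ASN | prefix | ..." lines, and runs them over a few constructed proxy log lines. Domain and IP hits are the real indicators; a hit on the hosting prefix alone is only context, since an entire IOMART or LeaseWeb /17 is not malicious, and the code reports it separately for that reason. The log format and the log lines are constructed for the example.

```python
"""Match the Kovter / Sakura indicators from the post against proxy log lines.

Added example, not code from the original post. Indicators are copied from the
post in its defanged form; the log lines below are constructed for the example.
"""
import ipaddress
import re
from typing import Optional

# Indicators as the post lists them (defanged with a space before the TLD).
RAW_DOMAINS = ["svoirdwiz .biz", "svoirdwiz .org", "fz3omega.biz"]
RAW_IPS = ["78.129.143.10", "50.7.193.124", "217.23.14.182"]

# AS lines in the post's own layout: "ASN | prefix | name | CC | domain | org".
RAW_AS_LINES = [
    "20860 | 78.129.128.0/17 | IOMART | GB | IOMARTHOSTING.COM | IOMART HOSTING LIMITED",
    "30058 | 50.7.192.0/19 | FDCSERVERS | CZ | FDCSERVERS.NET | FDCSERVERS.NET",
    "49981 | 217.23.0.0/20 | WORLDSTREAM | NL | WORLDSTREAM.NL | WORLDSTREAM",
]


def refang(domain: str) -> str:
    """Undo the post's defanging: 'svoirdwiz .biz' -> 'svoirdwiz.biz'."""
    return re.sub(r"\s*\.\s*", ".", domain.strip()).lower()


def parse_as_line(line: str) -> dict:
    """Parse one 'ASN | prefix | ...' line into a dict holding an ip_network."""
    asn, prefix, name, cc, dom, org = [f.strip() for f in line.split("|")]
    return {"asn": int(asn), "prefix": ipaddress.ip_network(prefix),
            "name": name, "cc": cc, "domain": dom, "org": org}


DOMAINS = {refang(d) for d in RAW_DOMAINS}
IPS = {ipaddress.ip_address(i) for i in RAW_IPS}
PREFIXES = [parse_as_line(l) for l in RAW_AS_LINES]

# Constructed log format for the example: "client method url dest_ip".
LOG_RE = re.compile(r"^(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<dst>\S+)$")

# Constructed sample lines (203.0.113.0/24 is TEST-NET-3, used for non-matching hosts).
LOG_LINES = [
    "10.0.0.5 GET http://svoirdwiz.biz/index.php?q=1 50.7.193.124",
    "10.0.0.7 GET http://www.example.com/ 203.0.113.10",
    "10.0.0.9 POST http://fz3omega.biz/gate.php 217.23.14.182",
    "10.0.0.11 GET http://cdn.example.net/img.png 78.129.200.1",
]


def match_log_line(line: str) -> Optional[dict]:
    """Return a hit dict (domain / ip / asn) for the line, or None if it matches nothing."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # Host part of the URL, without scheme, path or port.
    host = re.sub(r"^[a-z]+://", "", m.group("url")).split("/")[0].split(":")[0].lower()
    try:
        dst = ipaddress.ip_address(m.group("dst"))
    except ValueError:
        return None
    hits = {"domain": None, "ip": None, "asn": None}
    for d in DOMAINS:
        if host == d or host.endswith("." + d):
            hits["domain"] = d
    if dst in IPS:
        hits["ip"] = str(dst)
    for p in PREFIXES:
        # Prefix hit = hosting context only, not an indicator on its own.
        if dst in p["prefix"]:
            hits["asn"] = p["asn"]
    if not any(hits.values()):
        return None
    hits["client"] = m.group("client")
    hits["line"] = line.strip()
    return hits


def scan(lines) -> list:
    """Run the matcher over an iterable of log lines and keep only the hits."""
    return [h for h in map(match_log_line, lines) if h]


if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        strength = "INDICATOR" if hit["domain"] or hit["ip"] else "context-only"
        print(strength, hit["client"], hit["domain"], hit["ip"], hit["asn"])
```

The last sample line hits only the IOMART prefix, so it is reported as context rather than as an indicator; when triaging, only the domain and IP hits should raise an alert.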