|In Kovter NL Design|
Kovter is following Revoyem's path: a double shock on victims, and newly targeted countries.
This evolution has been spotted by Rich from Malwarebytes:
Malware-Ransomers Getting Very Sick. Now popping child porn links in browser before blocking computer! #ransomer
— Shadowwar (@RichardMatteo1) October 21, 2013
In this case, the first part of the work (shocking victims with a CP website) is not done by a traffer/web redirection prior to infection, as some traffers for the Styx Revoyem thread were doing, but by the malware itself.
Kovter Fiddler trace
(Thanks for the comment pointing out a non-blurred zone)
I made a design-gathering session. They dropped the Prism theme for the US and are back to the former design:
|Kovter US - Default (failover) 2013-10-21|
They had already added Germany at the end of September (spotted by Malekal on 2013-09-29).
|Kovter DE 2013-10-21|
|Kovter FR 2013-10-21|
|Kovter ES 2013-10-21|
|Kovter GB 2013-10-21|
|Kovter IT 2013-10-21|
|Kovter NL 2013-10-21|
|Kovter TR 2013-10-21|
Exploit kit pushing it:
The fast-moving Sakura (domains in .pl), previously on:
20860 | 220.127.116.11/17 | IOMART | GB | IOMARTHOSTING.COM | IOMART HOSTING LIMITED
16265 | 18.104.22.168/16 | LEASEWEB | NL | LEASEWEB.COM | LEASEWEB B.V.
30058 | 22.214.171.124/19 | FDCSERVERS | CZ | FDCSERVERS.NET | FDCSERVERS.NET
49981 | 126.96.36.199/20 | WORLDSTREAM | NL | WORLDSTREAM.NL | WORLDSTREAM
Sakura pushing Kovter CP ransomware