2013-12-04 - Evolution

Reveton planting "evidences" on "the crime scene"

Quick post on the latest Reveton move. Thanks @MalwareSigs & @Ash4er for the input :)

Reading the Lavasoft Security Bulletin: November 2013, I saw a ransomware design that was new to me. Lavasoft was associating it with 908478d1f1faa539f228bbe4fcf23b6d, which appears to be Reveton.

I decided to gather that design, and ended up with a slightly different one:

Reveton - US/Fall Back Design - 2013-12-03
The blurred areas are porn images.
Going to "Unlock Instructions" you'll get:

Reveton - US/Fall Back Design - 2013-12-03
Note the NSA involvement and the Prism Logo :)

Prism Logo in a Reveton Design

That variant is a little dynamic. It starts with the upper "camera square" and the "Evidences" zone empty. But a scan is in progress, and images are rotating. You'll see images that you really own being scanned.

Scan in Progress

As soon as the first pornographic image is supposedly found, the square is filled with the handcuffs :)
(Going to "Unlock Instructions" and back to "Offender Information", you'll have the camera.)

Portable Notepad++ splash screen (was stored in MyDocuments)
after 2 porn images have been found.

At the end of the scan you are shown why you should feel guilty (5 images).
And... guess what... those images are indeed on your computer:


Pictures Folder

But... there is no clever trick to really spot pornographic images.

Reveton dll planting "Evidences" on the "Crime Scene"
The "evidence planting" surely does not add to the scam (the victim does not know about it), but the concept made me smile...
The new trick, and the most convincing part, is your own images being shown in the scan process.
Photos of children... porn image... photos of Grandma... another porn image... may increase the conversion rate (% of victims falling for the scam).

Note that you can still land on those other Default/US designs. I am wondering if they are running some kind of study on how good the designs are.

Other Reveton Design for US/Default
For other countries I didn't spot any move. Still the Stitur/Urausy design (with the camera and handcuff image on the left; Urausy: on the right).

Reveton C&C?

Reveton Calling Home 2013-12-04

Files:  2 samples here