2014-01-30 - Affiliate

Icepol ? Urausy via Opener XXX : a subaffiliate of BestSoft/BestAV


Bitdefender recently wrote about the seizure of a server used to distribute the "ICEPOL trojan":
They wrote that it looks like a pyramid scheme, as samples were downloaded from another server.

In The Hacker News:

ICEPOL Ransomware Servers seized by Romanian Police that infected 260,000 Computers - 2014-01-29

they talk about it as Reveton.

I had no plan to write about them, but it looks like it's now time to do it.

From what I saw, it was a sub-affiliate of BestSoft (Urausy and more, but NOT REVETON), traffing on porn websites and operating via social engineering (fake codecs): Opener XXX by Sly VIP.


Urausy design last summer:

Urausy - Summer 2013
Note: Urausy and Sibhost are things of the past now. Like Sakura (but totally unrelated), their last days were around the middle of December 2013!

If you want to see traces of their activity in open source data, take a look at Malekal's list.
Here:
Opener XXX by MalwareDB from Malekal
Or at UrlQuery:
Opener XXX by Urlquery

I didn't keep any Fiddler capture of the infection.
Being able to wget the payload makes me lazy :)

The way distribution worked is explained by Bitdefender Labs.
From a user's point of view, Malekal also wrote a nice review here (FR).

SocEng by those guys, captured by Malekal in April 2013
It's pure social engineering. NO JAVA (...so NO CVE-2013-0422, despite what you can read in some papers).


Administration Panel:
Opener XXX 2013-06-29
Opener XXX - Monthly Hits by date - June 2013
Opener XXX - Monthly install/earning by date - September 2013
Opener XXX - Monthly Hits by hours of the day (I think it's GMT+4 - not sure - it was 10 am in France)
Opener XXX - Monthly Hits by Country
Opener XXX - TDS (list of porn websites for which they could activate the redirection; see files at the end)
Opener XXX - Activated with Country filtering on 2 websites

"There is no honor among thieves"

Opener XXX - 2 days of traffic by Members
Some of the 15000 referers... (see files at the end)

Opener XXX - Grand Total 2013-06-29 (Sf3 paid means money given by BestSoft)
Opener XXX - Grand Total 2013-09-30

Files: In case someone wants it... some saved pages of the panel.


Read More:
Urausy is going Regional in United States - 2013-10-15
The missing link - Some lights on "Urausy" affiliate - 2013-05-29 <-- if you want to know more about the upper affiliate.
Urausy Ransomware - July 2013 Design Refresh - "Summer 2013 Collection" - 2013-07-28
Urausy Lockscreen: Your computer will remain locked for 3 days, 11 hours and 20 minutes! - 2013-07-24 - Jaromir Horejsi - Avast
Urausy Ransomware - Arab world targeted - 2013-04-06
Urausy: Colorfull design refresh (+HR) & EC3 Logo - 2013-02-09
