Lately I have received several questions about a possible connection between Reveton and Cryptowall.
I decided to have a look.
A search in the ET Intelligence portal for the domains listed in Yonathan's Cryptowall Tracker:
|ET Intelligence search on Specspa .com|
A look at the HTTP connections shows the "us.bin" call mentioned by Yonathan (by the way, the us.bin item is still live there).
|ET Intelligence : e2f4bb542ea47e8928be877bb442df1b HTTP connections|
|ET Intelligence : Associated alert pointing at Cryptowall.|
A look into VirusTotal Intelligence shows that this sample is available in a pcap captured and shared by ThreatGlass:
HiMan EK dropping Cryptowall 2013-10-20
captured by ThreatGlass
With the same referer, and from the same exploit kit, I had been dropped Flimrans 20 days earlier:
(See: http://malware.dontneedcoffee.
Flimrans disappeared soon after this post from 2013-10-08 about the affiliate:
Interestingly, in the US Flimrans showed the same design from Reveton that Yonathan pointed out:
|Flimrans US 2013-10-03|
Worth mentioning: Flimrans was the only ransomware (that I am aware of) to show a Spanish version of this same design:
|Flimrans ES 2013-10-03|
The timeline is also in line with a link between these two ransomware families (whereas Reveton was still being distributed months after these events).
Digging into my notes and Fiddler captures, I even found that this bworldonline .com, which is still hosting the us.bin, was in fact also the redirector to HiMan dropping Flimrans 20 days earlier, from the same sunporno upper.
[Credit goes to Eoin Miller, who at that time pointed out that infection path, allowing me to replay it.]
|The compromised server storing the first design blob used by Cryptowall was used 20 days earlier to redirect to HiMan dropping Flimrans (which uses that same design).|
So... Cryptowall, son of Borracho? I don't know for sure... but that could be a possibility.
Files: items mentioned here (password is "malware").
HiMan Exploit Kit. Say Hi to one more - 2013-10-02
Flimrans Affiliate : Borracho - 2013-10-08