WOBURN, Mass. – A piece of malware thought effectively eradicated in July has returned even nastier than before, according to antivirus researchers at Kaspersky Lab.
The Koler ‘police’ ransomware, which originally targeted only mobile devices running the Android operating system, now also uses a previously hidden mechanism to infect desktop PCs running Windows. Introduced in April, the virus drops a browser-based ransom note and an exploit kit when end-users visit any of at least 48 malicious porn websites operated by Koler’s developers.
The malware became ineffective in late July when researchers located the command-and-control server and deactivated the delivery mechanism. Three days later, the cyber-criminals behind the attacks activated the previously hidden mechanism which employs and unusual scheme to scan victims’ systems and offer customized ransomware depending on location and device type. Like in the original scenario, as soon as the malware has downloaded, a message pops up on the user’s screen claiming the victim has accessed illegal pornography and must pay a fine of $100 to $300 in order to unlock the device.
The use of a pornographic network is no coincidence: Victims are more likely to feel guilty about browsing such content and pay the alleged fine demanded by the local “authorities.”
The ransomware selects one of several operating scenarios determined by criteria including geographical location, device configuration and installed software. Originally, Koler activated only when users intentionally downloaded and installed a mobile app called animalporn.apk. In its current incarnation, Koler uses a “drive-by” mechanism to install its payload on Windows-based PCs via any browser except Internet Explorer. The payload isn’t entirely effective, as the ransom screen is easily evaded by pressing alt+F4.
The scenario is scarier for users who run Internet Explorer. Via automatic browser redirect, Koler installs the Angler Exploit Kit, which invades Silverlight, Adobe Flash and Java. Kaspersky researchers said the exploit is fully functional but as yet delivers no payload; however, they expect Koler’s developers to activate a payload in the very near future.
“Of most interest is the distribution network used in the campaign,” Kaspersky Principal Security Researcher Vicente Diaz said. “Dozens of automatically generated websites redirect traffic to a central hub using a traffic distribution system where users are redirected again. We believe this infrastructure demonstrates just how well organized and dangerous this campaign is. The attackers can quickly create similar infrastructure thanks to full automation, changing the payload or targeting different users. The attackers have also thought up a number of ways of monetizing their campaign in a truly multi-device scheme.”
Although Koler localizes in more than 30 countries, users in the U.S. compose the vast majority of the victims. Of the 200,000 visitors to the mobile infection domain since Koler’s appearance, 80 percent are U.S. based. Another 6.8 percent are located in the UK, followed by 3 percent in Australia, 2.8 percent in Canada, 1 percent in Saudi Arabia and 0.6 percent in Germany.
More Koler information and statistics are available on Kaspersky’s SecureList blog.
