Users are redirected to a controller domain and then to a location serving the form of malware appropriate for their device

Jul 28, 2014 15:05 GMT  ·  By

Researchers took apart the Koler ransomware designed for Google’s mobile platform and found an intricate distribution infrastructure that relies on a traffic distribution system (TDS), which targets any visitor, not just those using mobile devices.

The ransomware, detected by Kaspersky as Android.OS.Koler.a, is believed to have been operated by the same team behind Reveton, which is based on the Citadel Trojan.

Based on the discoveries made by Kaspersky researchers, the malicious file was propagated to desktop and mobile device users through a well-thought-out distribution network, which allowed the threat actors to launch new campaigns automatically.

The entire process of infecting a device relies on a redirection chain that ends with the user being diverted to a location serving the malicious app installer (APK), which the security experts determined to resolve to an IP address in the Netherlands.

Victims would be steered to the rogue locations after landing on one of the 49 adult websites (all linking to external resources) that Kaspersky identified as being involved in the distribution of Koler.

They would all point to videosartex.us, the controller domain of the campaign, and from there the victim would be steered towards the server hosting the malware appropriate for the operating system and device they were using.

According to Kaspersky, throughout the campaign (April 2014 – June 2014), most of the infected devices were in the US (about 146,000), although infections were also seen in the United Kingdom (13,692), Australia (6,223), and Canada (5,573).

The crooks created localized ransomware template messages for a total of 30 countries, so these are just the top four.

The entire scheme is quite complex compared to what researchers have seen in other malicious campaigns, since the crooks target both desktop and mobile device users with the same infrastructure.

“However, the distribution network used in this campaign is the most interesting part. Dozens of automatically generated websites redirect traffic to a central hub where users are redirected again according to several conditions. This second redirection could be to a malicious Android application, browser-based ransomware or to a website with the Angler exploit kit,” states the analysis report from Kaspersky.
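As an added defender-side illustration (not code from the article or from Kaspersky), the script below reconstructs per-client redirect chains from constructed proxy log lines and flags the pattern the report describes: a hop through the controller domain videosartex.us followed by a payload chosen per device. Only videosartex.us comes from the page; the other hosts, the IP address and the log format are assumptions.

```python
# Added example, not from the article or Kaspersky's report: rebuild redirect
# chains per client from proxy logs and flag the Koler pattern (hub hop, then a
# device-specific payload). Only videosartex.us is from the page; all else is constructed.
from collections import defaultdict
from urllib.parse import urlparse

CONTROLLER = "videosartex.us"  # central redirection hub named in the report
APK_MIME = "application/vnd.android.package-archive"

# Constructed log format: client | url | referer | user-agent | content-type
LOG = """\
10.0.0.5 | http://adult-site-example.test/v | http://search.test/ | Mozilla/5.0 (Linux; Android 4.4) | text/html
10.0.0.5 | http://videosartex.us/in.php | http://adult-site-example.test/v | Mozilla/5.0 (Linux; Android 4.4) | text/html
10.0.0.5 | http://203.0.113.7/player.apk | http://videosartex.us/in.php | Mozilla/5.0 (Linux; Android 4.4) | application/vnd.android.package-archive
10.0.0.9 | http://adult-site-example.test/v | http://search.test/ | Mozilla/5.0 (Windows NT 6.1) | text/html
10.0.0.9 | http://videosartex.us/in.php | http://adult-site-example.test/v | Mozilla/5.0 (Windows NT 6.1) | text/html
10.0.0.9 | http://lock-page-example.test/p.html | http://videosartex.us/in.php | Mozilla/5.0 (Windows NT 6.1) | text/html
10.0.0.12 | http://news-example.test/ | - | Mozilla/5.0 (Windows NT 6.1) | text/html
"""

def parse(log_text):
    """Split each constructed line into a request record with parsed hostnames."""
    entries = []
    for line in log_text.strip().splitlines():
        client, url, ref, ua, ctype = [f.strip() for f in line.split("|")]
        entries.append({"client": client, "url": url, "host": urlparse(url).hostname,
                        "ref_host": urlparse(ref).hostname, "ua": ua, "ctype": ctype})
    return entries

def walk_back(reqs, req):
    """Follow referers backwards from req to rebuild the redirect chain (oldest first)."""
    chain, seen = [req["host"]], {req["url"]}
    while req["ref_host"]:
        prev = next((r for r in reqs if r["host"] == req["ref_host"] and r["url"] not in seen), None)
        if prev is None:
            break  # the referer was never requested through this proxy; stop here
        chain.append(prev["host"]); seen.add(prev["url"]); req = prev
    return chain[::-1]

def find_koler_chains(entries):
    """Return {client: {chain, branch}} for clients sent through CONTROLLER to a payload."""
    by_client = defaultdict(list)
    for e in entries:
        by_client[e["client"]].append(e)
    findings = {}
    for client, reqs in by_client.items():
        for req in reqs:
            if req["ref_host"] != CONTROLLER:
                continue  # only the request served right after the hub is the payload hop
            is_apk = req["ctype"] == APK_MIME or req["url"].lower().endswith(".apk")
            branch = "android_apk" if is_apk else "browser_page"  # locker or exploit-kit page
            findings[client] = {"chain": walk_back(reqs, req), "branch": branch}
    return findings
```

The log alone cannot tell a browser-based locker page from an exploit-kit landing page, so both fall under `browser_page` and need content inspection to separate.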

Android.OS.Koler.a does not damage data on an infected device because, unlike the latest emerging threats, it has no encryption capabilities.

It simply locks the device and displays a message claiming to be from a law enforcement agency in the victim’s country. Unlocking the Android device is offered in exchange for a ransom fee, which is generally between $100 / €75 and $300 / €223.

Getting rid of the annoying message and regaining control of the device is not too difficult, and Malwarebytes provides specific details on how to get the job done.