More than 6000 Australians have been hit by new Koler 'police' ransomware which targets PCs as well as Android devices.
The ransomware displays a customised message for Australian users depicting key Australian authorities, including the Australian Federal Police (AFP); Australian Communications and Media Authority; Australian Crime Commission; and the Royal Australian Corps of Military Police.
Kaspersky Lab has detected a hidden part of the malicious campaign which introduced the Koler ‘police’ mobile ransomware to Android devices in April 2014.
The detections reveal parts which include some browser-based ransomware and an exploit kit, with 6223 Australian visitors to the mobile infection domain hit since the beginning of the campaign.
The figure places Australian users in third place for mobile payload numbers, behind the US and the UK.
Those behind the attacks employed an unusual scheme to scan victims’ systems and offer customised ransomware depending on location and device type – mobile or PC.
Redirection infrastructure is the next step, after a victim visits any of at least 48 malicious porn websites used by Koler’s operators.
Kaspersky Lab principal researcher, Vicente Diaz, said the distribution network used in the campaign was of most interest.
“We believe this infrastructure demonstrates just how well organised and dangerous this campaign is," he said.
"The attackers can quickly create similar infrastructure thanks to full automation, changing the payload or targeting different users. The attackers have also thought up a number of ways of monetizing their campaign income in a truly multi-device scheme,” Diaz said.
Dozens of automatically generated pornographic websites redirect traffic to a central hub using a traffic distribution system where users are redirected again.”
These pornographic sites redirect users to the central hub that uses the Keitaro Traffic Distribution System (TDS) to redirect users again.
Depending on a number of conditions, this second redirection three different malicious scenarios.
The first is the installation of the Koler mobile ransomware
The user still has to confirm the download and installation of the app – called animalporn.apk – which is actually Koler ransomware.
In the second scenario users are redirected to any of the browser ransomware websites.
A special controller checks whether the user agent is from one of 30 affected countries, the user isn’t an Android user, and the request contains no Internet Explorer user agent.
Read more: Microsoft previews Internet Explorer 10
If all these variables are met, the user sees a blocking screen identical to the one used for mobile devices.
In the last case users are redirected to a website containing the Angler Exploit Kit.
If the user uses Internet Explorer, then the redirection infrastructure used in this campaign sends the user to sites hosting the Angler Exploit Kit, which has exploits for Silverlight, Adobe Flash and Java.
During Kaspersky Lab’s analysis, the exploit code was fully functional.
However, it didn’t deliver any payload, but this may change in the near future, according to Kaspersky research.
Since July 23, the mobile component of the campaign has been disrupted, as the command and control server started sending ‘Uninstall’ commands to mobile victims, effectively deleting the malicious application.
However, the rest of the malicious components for PC users – including the exploit kit – are still active.
The malware was first described by a security researcher named Kaffeine.
Read more: Microsoft woos developers under the Silverlight
Kaspersky Lab has shared its findings with both Europol and Interpol, and is currently cooperating with law enforcement agencies to explore possibilities for shutting down the infrastructure.
