Reveton packaged with password stealer impacts users in U.S.

Reveton typically locks up computers and presents users with a notification stating they broke laws and must pay a fine.

Security company AVAST has uncovered a variant of the screen locking ransomware Reveton that comes packaged with other dangerous malware, thus making for a significant new threat that is already impacting users in the U.S.

These days, ransomware is known for encrypting files on a system and demanding a cryptocurrency ransom. Reveton is known for freezing up computers, and then presenting users with a notification stating they have violated laws and must pay a fine in order to regain control of the machine.

This variant of Reveton continues to lock up computers – the ransom demand can be modified by the attackers – but it also comes with the latest version of Pony Stealer, a dangerous malware known for stealing passwords, Jiri Sejtko, director of Viruslab Operations at AVAST, said in a Monday email correspondence.

Sejtko said Pony Stealer can decrypt passwords to plain text and is capable of affecting more than 110 applications, including Gmail, Outlook, and various other email, browser, RDP/VPN, instant messaging, online poker and other clients, tools and functions – most of which are highlighted in a Tuesday post.

“Stolen passwords and credentials are a very lucrative commodity,” Sejtko said. “They can be sold or be abused in terms of spreading spam, and can be used to build stronger botnets.”

The ransomware also features a cryptocurrency wallet stealer with imitation wallet login screens, a banker module, a payload stored in the registry, new communications and major changes to the malware's code flow, as well as a second password stealer from the Papras family, which is known for being able to disable anti-virus software, Sejtko said.

Reveton steals and decrypts passwords as part of its cryptocurrency and banking modules, Sejtko said. The cryptocurrency module goes after Bitcoin, BlackCoin, Darkcoin, Dogecoin, Litecoin and Vertcoin, according to the post. The banker module in the variant that AVAST researchers analyzed targeted 17 banks in Germany, but the list is based on geolocation, the post indicates.

“It [has] already [been] modified to target the U.S.,” Sejtko said. “German-speaking regions were actually not the most targeted, the most targeted country was Italy, then came the [U.S.].”

This variant of Reveton is typically being spread through the Fiesta Exploit Kit, Neutrino Exploit Kit, and Sweet Orange Exploit Kit, Sejtko said. A detailed explanation on removing the infection is included at the bottom of the post.
