Reveton packaged with password stealer impacts users in U.S.

Reveton typically locks up computers and presents users with a notification stating they broke laws and must pay a fine.

Security company AVAST has uncovered a variant of the screen locking ransomware Reveton that comes packaged with other dangerous malware, thus making for a significant new threat that is already impacting users in the U.S.

These days, ransomware is known for encrypting files on a system and demanding a cryptocurrency ransom. Reveton is known for freezing up computers, and then presenting users with a notification stating they have violated laws and must pay a fine in order to regain control of the machine.

This variant of Reveton continues to lock up computers – the ransom can be modified by the attackers – but also comes with the latest version of Pony Stealer, a dangerous malware known for stealing passwords, Jiri Sejtko, director of Viruslab Operations at AVAST, told SCMagazine.com in a Monday email correspondence.

Sejtko said Pony Stealer can decrypt passwords to plain text and is capable of affecting more than 110 applications, including Gmail, Outlook, and various other email, browser, RDP/VPN, instant messaging, online poker and other clients, tools and functions – most of which are highlighted in a Tuesday post.

“Stolen passwords and credentials are a very lucrative commodity,” Sejtko said. “They can be sold or be abused in terms of spreading spam, and can be used to build stronger botnets.”

The ransomware also features a cryptocurrency wallet stealer with imitation wallet login screens, a banker module, a payload stored in the registry, new communications and major changes to the malware's code flow, as well as a second password stealer from the Papras family, which is known for being able to disable anti-virus software, Sejtko said.

Reveton steals and decrypts passwords as part of its cryptocurrency and banking modules, Sejtko said. The cryptocurrency module goes after Bitcoin, BlackCoin, Darkcoin, Dogecoin, Litecoin and Vertcoin, according to the post. The banker module in the variant that AVAST researchers analyzed targeted 17 banks in Germany, but the list is based on geolocation, the post indicates.

“It [has] already [been] modified to target the U.S.,” Sejtko said. “German-speaking regions were actually not the most targeted, the most targeted country was Italy, then came the [U.S.].”

This variant of Reveton is typically being spread through the Fiesta Exploit Kit, Neutrino Exploit Kit, and Sweet Orange Exploit Kit, Sejtko said. A detailed explanation on removing the infection is included at the bottom of the post.
