Incident Response, Malware, TDR

Reveton packaged with password stealer impacts users in U.S.

Security company AVAST has uncovered a variant of the screen locking ransomware Reveton that comes packaged with other dangerous malware, thus making for a significant new threat that is already impacting users in the U.S.

These days, ransomware is known for encrypting files on a system and demanding a cryptocurrency ransom. Reveton is known for freezing up computers, and then presenting users with a notification stating they have violated laws and must pay a fine in order to regain control of the machine.

This variant of Reveton continues to lock up computers – the ransom can be modified by the attackers – but also comes with the latest version of Pony Stealer, a dangerous malware known for stealing passwords, Jiri Sejtko, director of Viruslab Operations at AVAST, told in a Monday email correspondence.

Sejtko said Pony Stealer can decrypt passwords to plain text and is capable of affecting more than 110 applications, including Gmail, Outlook, and various other email, browser, RDP/VPN, instant messaging, online poker and other clients, tools and functions – most of which are highlighted in a Tuesday post.

“Stolen passwords and credentials are a very lucrative commodity,” Sejtko said. “They can be sold or be abused in terms of spreading spam, and can be used to build stronger botnets.”

The ransomware also features a cryptocurrency wallet stealer with imitation wallet login screens, a banker module, a payload stored to registry, new communications and major changes to malware code flow, as well as a second password stealer from the Papras family, which is known for being able to disable anti-virus, Sejtko said.

Reveton steals and decrypts passwords as part of its cryptocurrency and banking modules, Sejtko said. The cryptocurrency module goes after Bitcoin, BlackCoin, Darkcoin, Dogecoin, Litecoin and Vertcoin, according to the post. The banker module in the variant that AVAST researchers analyzed targeted 17 banks in Germany, but the list is based on geolocation, the post indicates.

“It [has] already [been] modified to target the U.S.,” Sejtko said. “German-speaking regions were actually not the most targeted, the most targeted country was Italy, then came the [U.S.].”

This variant of Reveton is typically being spread through the Fiesta Exploit Kit, Neutrino Exploit Kit, and Sweet Orange Exploit Kit, Sejtko said. A detailed explanation on removing the infection is included at the bottom of the post.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.