martes, 25 de septiembre de 2012

Ransomeware Troyan - version intelecual property companies


The Ransomeware Troyan has been very popular lately known as "Police Troyan"  because after infection, user machine appeared locked showing a fake police webpage indicating that the user is suspected of certain crimes and his machine will remain locked until the payment of a penalty equivalent to certain amount of money.

At this time it was found a similar version of the Troyan Ransomeware with same fraud technique but this time pretending that victim has infringed some laws related to copyright and requesting payment of the appropriate sanction.

When user's computer has been infected, the Troyan redirects user navigation to the malicious URL:

hXXp://invalid-crew.com/start.php

This malicious script checks language settings that user has set on the browser to display a false webpage on user's language simulating the legitimate institutions of his country that are dedicated to protect copyright and intellectual property.

For Spanish users the Troyan redirect to the URL:

hXXp://invalid-crew.com/payz/iframe_ES.php

That will show the next screen simulating come from SGAE (General Society of Authors and Editors) – Spanish society



For Portugal:  hXXp://invalid-crew.com/payz/iframe_PT.php


For Italy:  hXXp://invalid-crew.com/payz/iframe_IT.php




For France:  hXXp://invalid-crew.com/payz/iframe_FR.php


For Germany: hXXp://invalid-crew.com/payz/iframe_DE.php


The domain invalid-crew.com is hosted on the IP 95.163.68.147 belonging to the IPS Digital Networks CJSC in Russia.

The Login screen to access Control Panel Ransomeware Troyan has been located at the addresses:

hXXp://invalid-crew.com/admin/login.php

And:

hXXp://invalid-crew.com/bull/login.php


Also has been located the control panel of BOTNET ZEMRA at:

hXXp://invalid-crew.com/abc/admin/


 This panel control 5384 infected user machines, there being a high percentage of percentage of Latinamerican users with compromised machines.

According to the statistics menu, bots malware spreading started on September 3, being the peak infections day September 5 with 2402 infected computers.




In the control panel it is also possible to follow downloads tasks of different malicious binaries on zombies computers.


 They are still active infection vectors of the Troyans:
  
hXXp://95.163.68.147/abc/rat.exe
hXXp://95.163.68.147/abc/rat1.exe
hXXp://95.163.68.147/abc/fud.exe
hXXp://95.163.68.147/abc/server.exe
hXXp://95.163.68.147/abc/cgg.exe

No hay comentarios:

Publicar un comentario

Nota: solo los miembros de este blog pueden publicar comentarios.