Lately I received multiple questions about a connection between Reveton and Cryptowall.
I decided to have a look.
A search in the ET Intelligence portal for the domains listed in Yonathan's Cryptowall Tracker:
ET Intelligence search on Specspa .com |
e2f4bb542ea47e8928be877bb442df1b 2013-10-20
A look at the HTTP connections shows the "us.bin" call mentioned by Yonathan (by the way, the us.bin item is still live there).
ET Intelligence : e2f4bb542ea47e8928be877bb442df1b HTTP connections |
ET Intelligence : Associated alert pointing at Cryptowall. |
NSFW://www.threatglass .com/malicious_urls/sunporno-com
HiMan EK dropping Cryptowall 2013-10-20, captured by ThreatGlass |
With the same referer and in the same Exploit Kit, I got Flimrans dropped 20 days earlier:
(See : http://malware.dontneedcoffee.
Flimrans disappeared soon after this post from 2013-10-08 about the affiliate:
http://malware.dontneedcoffee.
Interestingly, in the US Flimrans showed the same design as the Reveton one pointed out by Yonathan:
Flimrans US 2013-10-03 |
What is worth mentioning is that Flimrans was the only ransomware (that I am aware of) to show a Spanish version of this same design:
Flimrans ES 2013-10-03 |
The timeline is also in line with a link between those two ransomware families (whereas Reveton was still being distributed months after these events).
Digging into my notes and Fiddler captures, I even found that this bworldonline .com, which is still hosting the us.bin, was in fact also the redirector to HiMan dropping Flimrans 20 days earlier, from the same sunporno upper.
[Credit goes to Eoin Miller, who at the time pointed out that infection path, allowing me to replay it]
The compromised server storing the first design blob used by Cryptowall was, 20 days earlier, redirecting to HiMan dropping Flimrans (which uses that same design). |
So... Cryptowall, son of Borracho? I don't know for sure... but that could be a possibility.
Files: items mentioned here (password is malware).
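The pivot used above (same upper site, same compromised redirector, same exploit kit, two different payload families about 20 days apart) can be written down as a small correlation over infection-chain records, which is handy when a tracker or a pile of Fiddler captures gets too big to eyeball. This is an added example, not code from the original post: the two hosts are taken from the post (written defanged, the way the post writes them), while the dates, the control chain and the EK/payload labels are constructed to mirror the post's description.

```python
"""Pivot on shared redirector infrastructure across dated infection chains.

Added example, not code from the original post. CHAINS is constructed:
hosts come from the post (defanged as the post writes them), dates and the
third "control" chain are assumed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Chain:
    seen: date
    referer: str      # "upper" site that sent the victim
    redirector: str   # compromised host that forwards to the EK landing
    ek: str           # exploit kit observed
    payload: str      # malware family dropped


CHAINS = [
    # constructed: Flimrans seen first, Cryptowall 20 days later, same path
    Chain(date(2013, 9, 30), "sunporno .com", "bworldonline .com", "HiMan", "Flimrans"),
    Chain(date(2013, 10, 20), "sunporno .com", "bworldonline .com", "HiMan", "Cryptowall"),
    # constructed control: different path, must not be linked to the two above
    Chain(date(2013, 10, 5), "example-upper .net", "other-host .org", "HiMan", "Reveton"),
]


def refang(host: str) -> str:
    """Normalise the defanged spellings used in write-ups back to a real hostname."""
    return host.replace(" .", ".").replace("[.]", ".").replace("(.)", ".").lower()


def index_by_path(chains):
    """Group chains by the (referer, redirector) pair the victim travelled through."""
    idx = defaultdict(list)
    for c in chains:
        idx[(refang(c.referer), refang(c.redirector))].append(c)
    return idx


def shared_infrastructure(chains):
    """Return links between distinct payload families that share a
    (referer, redirector) path, ordered by time, with the gap in days."""
    links = []
    for (referer, redirector), group in index_by_path(chains).items():
        if len({c.payload for c in group}) < 2:
            continue  # only one family ever used this path: nothing to pivot on
        group = sorted(group, key=lambda c: c.seen)
        for i, earlier in enumerate(group):
            for later in group[i + 1:]:
                if earlier.payload == later.payload:
                    continue
                links.append({
                    "referer": referer,
                    "redirector": redirector,
                    "earlier": earlier.payload,
                    "later": later.payload,
                    "same_ek": earlier.ek == later.ek,
                    "days_apart": (later.seen - earlier.seen).days,
                })
    return links


if __name__ == "__main__":
    for link in shared_infrastructure(CHAINS):
        print(link)
```

The key is the (referer, redirector) pair rather than the EK alone: many unrelated campaigns rent the same exploit kit, so the EK match is reported as supporting evidence (`same_ek`) while the shared compromised path is what actually ties the two payloads together.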
Read More:
HiMan Exploit Kit. Say Hi to one more - 2013-10-02
Flimrans Affiliate : Borracho - 2013-10-08