In my study of Reveton's distribution, I have encountered only Blackhole and another, unnamed exploit kit (which now only spreads Urausy). The FBI warned about Reveton being spread via Citadel.
In this illustration it is not Citadel but a Smoke Bot that is pushing Reveton.
Not so far off, since we often see Citadel pushing Smoke Bot, so it is just a matter of the botnet operator's order/preference.
(Note that the Smoke Bot we will study pushes a LOT of things, among them Andromeda, Citadel and, for Russia/Ukraine, Carberp (sic).)
For those who do not want to spend 5 minutes watching the video:
Reveton calling home
You can download the Fiddler session of the Sakura exploitation via CVE-2012-4681.
The Smoke Bot: 49d2c90d7c1f2477f3fb3bd19b156047 (download link)
The Reveton: 603c3b3ea9f14599e34802ebff2ca736 (download link)
This Reveton sample's call home in the ThreatExpert report
Full pcap of the session (which includes what you saw and other things)
See:
Some binaries inside the pcap file:
f1425502e6a0058d2899a7b04e7f8cc5 (st77793)
3737f526fc7a897b5b46dd99833f54e9 (dex170)
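If you pull the pcap, the quickest way to confirm you are looking at the same samples is to carve the executables out of the HTTP responses and compare their MD5s with the hashes listed above. The script below is an added example, not code from the original post or from any of the tools it mentions: it splits a reassembled TCP stream into HTTP responses using Content-Length, keeps the bodies that carry a valid MZ/PE header, hashes them and looks them up in the list of hashes from this page. The stream it runs on is constructed inline (a fake DOS/PE header plus filler, not a real binary), so the carved hash will show as "unknown"; feed it the payload of the real TCP stream (e.g. exported from Wireshark's "Follow TCP Stream") to get the listed values.

```python
import hashlib
import re

# MD5s listed on this page: the Smoke Bot, the Reveton sample and the two
# binaries carved from the pcap.
KNOWN_MD5 = {
    "49d2c90d7c1f2477f3fb3bd19b156047": "Smoke Bot",
    "603c3b3ea9f14599e34802ebff2ca736": "Reveton",
    "f1425502e6a0058d2899a7b04e7f8cc5": "st77793",
    "3737f526fc7a897b5b46dd99833f54e9": "dex170",
}


def split_http_responses(stream: bytes):
    """Return a list of (headers, body) for each HTTP response in a reassembled
    server->client TCP stream. Bodies are delimited by Content-Length; chunked
    transfer encoding is not handled (dechunk first if you hit it)."""
    responses = []
    pos = 0
    while True:
        start = stream.find(b"HTTP/1.", pos)
        if start < 0:
            break
        hdr_end = stream.find(b"\r\n\r\n", start)
        if hdr_end < 0:
            break
        headers = stream[start:hdr_end].decode("latin-1")
        body_start = hdr_end + 4
        m = re.search(r"(?im)^content-length:\s*(\d+)\s*$", headers)
        if m:
            length = int(m.group(1))
            body = stream[body_start:body_start + length]
        else:
            # No Content-Length: take everything up to the next response or the end.
            nxt = stream.find(b"HTTP/1.", body_start)
            body = stream[body_start:nxt if nxt >= 0 else len(stream)]
        pos = body_start + len(body)
        responses.append((headers, body))
    return responses


def carve_pe_files(stream: bytes):
    """Return (md5, label, size) for every response body that is a PE file:
    'MZ' at offset 0 and 'PE\\0\\0' at the offset stored in e_lfanew (0x3C)."""
    found = []
    for _headers, body in split_http_responses(stream):
        if len(body) < 0x40 or body[:2] != b"MZ":
            continue
        e_lfanew = int.from_bytes(body[0x3C:0x40], "little")
        if body[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            continue
        digest = hashlib.md5(body).hexdigest()
        found.append((digest, KNOWN_MD5.get(digest, "unknown"), len(body)))
    return found


def _fake_pe() -> bytes:
    # Constructed stand-in for a downloaded executable: DOS header with
    # e_lfanew = 0x40, a PE signature at 0x40, then filler. Not a real binary.
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(dos) + b"PE\0\0" + b"\x4c\x01" + b"\x00" * 122


def _http(body: bytes, ctype: bytes) -> bytes:
    # Minimal HTTP/1.1 response wrapper for the constructed stream.
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + ctype
            + b"\r\nContent-Length: " + str(len(body)).encode()
            + b"\r\n\r\n" + body)


FAKE_PE = _fake_pe()

# Constructed server->client stream: a landing page, the fake executable and
# a short body that starts with "MZ" but is far too small to be a PE file.
SAMPLE_STREAM = (
    _http(b"<html>landing</html>", b"text/html")
    + _http(FAKE_PE, b"application/octet-stream")
    + _http(b"MZ not really", b"text/plain")
)

if __name__ == "__main__":
    for digest, label, size in carve_pe_files(SAMPLE_STREAM):
        print(f"{digest}  {size:>8} bytes  {label}")
```

Matching on MD5 only tells you that you have the exact same file; repacked drops of the same family from the same Smoke Bot will hash differently, so treat a miss as "not this sample" rather than "not Reveton".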