![]() |
| One of the images in Urausy Design |
First
spotted by
Tachion (VT Profile) from Safegroup.pl and
soon after seen by
Malekal (VT Profile), Urausy is now showing its new clothes. New
(to me) targeted country : Croatia (HR)
![]() |
| Urausy colorfull refresh in one image |
The lock screen will appear more than 5 minutes after infection.
We can notice the logo of the
newly created EC3 (European Cybercrime Center)
There is no default country anymore. If your country is not targeted your computer won't be locked.
(more if it's locked, it will be unlock if computer is started with internet in a country not targeted)
They are still using targeted Antivirus logos.
You'll have Windows Logo if you have no antivirus otherwise you'll get the logo of your antivirus.
![]() |
| Antivirus or Windows logo placeholder |
The list is somewhat exhaustive :
![]() |
List of logos Urausy can use depending on
products installed on your computer
(stored in %temp% of infected computer) |
Here are most of the targeted design.
Australia :
![]() |
| Urausy AU 2013-02 |
Austria :
![]() |
| Urausy AT 2013-02 |
Belgium :
No design ? or me not able to get it.
Canada :
![]() |
| Urausy CA 2013-02 |
Croatia :
![]() |
| Urausy HR 2013-02 |
Cyprus :
![]() |
| Urausy CY 2013-02 |
Czech Republic :
![]() |
| Urausy CZ 2013-02 |
Denmark :
![]() |
| Urausy DK 2013-02 |
Finland :
![]() |
| Urausy FI 2013-02 |
France :
![]() |
| Urausy FR 2013-02 |
Germany :
![]() |
| Urausy DE 2013-02 |
Greece :
![]() |
| Urausy GR 2013-02 |
Hungary :
![]() |
| Urausy HU 2013-02 |
Italy :
![]() |
| Urausy IT 2013-02 |
Ireland :
![]() |
| Urausy IE 2013-02 |
Latvia :
![]() |
| Urausy LV 2013-02 |
Luxembourg :
![]() |
| Urausy LU 2013-02 |
Netherlands:
![]() |
| Urausy NL 2013-02 |
Norway :
![]() |
| Urausy NO 2013-02 |
Poland :
![]() |
| Urausy PL 2013-02 |
Portugal :
![]() |
| Urausy PT 2013-02 |
Romania :
![]() |
| Urausy RO 2013-02 |
Slovakia :
There should be a design that I was not able to gather.
Slovenia :
![]() |
| Urausy SI 2013-02 |
Spain :
![]() |
| Urausy ES 2013-02 |
Sweden :
![]() |
| Urausy SE 2013-02 |
Switzerland :
![]() |
| Urausy CH 2013-02 |
Turkey :
![]() |
| Urausy TR 2013-02 |
United Kingdom :
![]() |
| Urausy UK 2013-02 |
United States :
![]() |
| Urausy US 2013-02 |
I have the feeling that the team behind Urausy is also behind the Exploit Kit that Emerging Threats name Sibhost
(or if there are two teams they are really tied).
![]() |
| Sibhost login Screen |
![]() |
| One Sibhost pushing Urausy 2013-01-27 |
![]() |
| Sibhost pushing Urausy 2013-02-09 |
Sibhost was pushing Reveton only. When Urausy emerges it was on Sibhost only, showing bought/stolen design of Reveton. Only Urausy on Sibhost since then (but Urausy is now also pushed on many other exploit kits and in some botnets).
This feeling has been reenforced few days ago when i discovered that Urausy C&C redirectors were also Sibhost redirectors.
Read more :Urausy page on botnets.fr (you'll find all known design there)
Urausy has big plan for Europe - Targeting 3 new countries among which Norway ! 2012-09-22
Urausy improving its localization - A (the?) Gaelic Ransomware with Interpol impersonation as default landing 2012-09-15
Files : (samples + 4 fiddlers of Urausy Drop (2x Sibhost, 1NP, 1WH) )http://goo.gl/cnByK (Owncloud)
