In mid-May a new ransomware appeared (or at least was spotted), pushed by a new exploit kit, named Flimkit by Chris Wakelin.
Flimkit pushing Flimrans: encoded payload in the Jar, 404 call-back for stats |
The two were tightly tied, as Kore/Urausy are, or in a less obvious way Cool EK/Reveton.
The ransomware got referred to as Flimrans.
Nothing really new in the clothes... same designs as the ones used by Urausy back in September 2012.
In mid-June the group seems to have switched to Styx.
Styx Pushing Flimrans 2013-06-12 (same infection chain that we could see previously in Flimkit) |
Advert posted on 2013-07-10 for a locker in affiliate mode |
-----------Text of the advert (translated from Russian)-----------
Locker
- Stable call-back and conversion rates
- Many countries
- Any cooperation model on the checks (NOT FOR SALE, cooperation only!)
- The necessary toolset is available
- and more...
PM only
-----------------------------------------------
A few days later, some numbers:
Update to Initial Advert |
------------------------------------------------------------------------------------------------
(Translated from Russian) "I'll post a few lines on conversions from various traffic sources and themes":

| Traffic source | Installs | Checks (MP/Ukash/PSC) | Valid (MP/Ukash/PSC) | Valid % | Pending/Bad | Total ratio / Valid ratio | Money |
|---|---|---|---|---|---|---|---|
| Adult, from traffic exchanges, mix US/EU 40/60% | 27339 | 955 (334/114/507) | 694 (194/93/407) | 72.67 % | 0/261 | 1:28 / 1:39 | $ 39799 |
| Adult, from traffic exchanges, pure US | 19599 | 584 (580/1/3) | 340 (337/1/2) | 58.22 % | 0/244 | 1:33 / 1:57 | $ 33920 |
| Adult, from traffic exchanges, mix US/EU 50/50% | 12955 | 328 (207/37/84) | 223 (136/25/62) | 67.99 % | 0/105 | 1:39 / 1:58 | $ 17345 |
| Non-adult, from traffic exchanges, mix US/EU 50/50% | 22337 | 239 (103/39/97) | 150 (55/31/64) | 62.76 % | 0/89 | 1:93 / 1:148 | $ 9592 |
| Non-adult, from traffic exchanges, pure US | 8787 | 139 (136/2/1) | 74 (71/2/1) | 53.24 % | 0/65 | 1:63 / 1:118 | $ 7352 |

Columns: Installs | Checks (MP/Ukash/PSC) | Valid (MP/Ukash/PSC) and Valid % | Pending/Bad | Total ratio (installs per check) / Valid ratio (installs per valid check) | Money
--------------------------------------------------------------------------------------------------
Note: Adult/Non-adult is a distinction made on the source of the traffic (porn or not).
Strangely, it is only in the last three weeks or so that we have been seeing more and more of it.
Mainly pushed in Sweet Orange
Flimrans Pushed in Sweet Orange 2013-10-03 - Fiddler at the end. |
But also in the new HiMan Exploit Kit.
Flimrans pushed in HiMan EK 2013-10-02 |
Borracho.biz - Flimrans Affiliate Entrance |
borracho.biz
109.235.49.64
47869 | 109.235.48.0/21 | NETROUTING | NL | EXNW.COM | NETROUTING TELECOM
Borracho - News |

| News item | Posted | Text (translated from Russian) |
|---|---|---|
| Novie filtri! (New filters!) | 2013-09-14 20:15 | For those sending traffic to our exploit: besides the block on all countries other than the list below, filters by browser and OS have been added. Accepted OS: Seven, XP, 98, 95, Vista, Eight; also, for now, only the IE browser is let through. |
| Blok stran (Exploit countries blocked) | 2013-08-03 16:04 | For those sending traffic to our exploit: it now accepts only these countries: AR CA DA FR IT NO SE AT CH DE GB LU NZ SI AU CR ES GR LV PL SK BE CY EC HU MX PT TR BO CZ FI IE NL RO US. All other countries are blocked and not counted! (The post also carried its own English version: "Who send to our exploit, please send only these countries: ... All other countries will be blocked and not counted!") |
Note: I think "our exploit" was Flimrans and they are now giving out Sweet Orange threads.
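To make concrete what those two news items mean for anyone trying to reach the exploit (a sandbox replay, for instance), here is an added example, written for this page and not code from the Borracho panel, that applies the announced gates to a visitor's country code and User-Agent. The mapping from User-Agent platform tokens to the OS names in the post, and the use of "MSIE"/"Trident" to recognise IE, are my assumptions.

```python
import re

# Country allow-list copied verbatim from the 2013-08-03 news post. "DA" is reproduced
# as posted (the ISO code for Denmark is DK); the panel's own matching is unknown.
ALLOWED_COUNTRIES = set(
    "AR CA DA FR IT NO SE AT CH DE GB LU NZ SI AU CR ES GR LV PL SK "
    "BE CY EC HU MX PT TR BO CZ FI IE NL RO US".split()
)

# OS families accepted per the 2013-09-14 post: Seven, XP, 98, 95, Vista, Eight.
# Mapping User-Agent platform tokens to those names is my assumption.
WINDOWS_VERSIONS = {
    "Windows NT 6.2": "Eight",
    "Windows NT 6.1": "Seven",
    "Windows NT 6.0": "Vista",
    "Windows NT 5.1": "XP",
    "Windows 98": "98",
    "Windows 95": "95",
}

# IE identifies itself with "MSIE x.y" up to IE10 and with "Trident/7.0" in IE11.
IE_MARKER = re.compile(r"MSIE \d|Trident/")


def classify_visitor(country, user_agent):
    """Apply the three announced gates in the order the posts list them:
    country allow-list, then Windows version, then IE only.
    Returns (accepted, reason)."""
    if country.upper() not in ALLOWED_COUNTRIES:
        return False, f"country {country.upper()} blocked"
    os_name = next((name for token, name in WINDOWS_VERSIONS.items()
                    if token in user_agent), None)
    if os_name is None:
        return False, "os blocked"
    if not IE_MARKER.search(user_agent):
        return False, "browser blocked"
    return True, f"accepted ({os_name}, IE)"


# Constructed visitors, one per gate.
SAMPLE_VISITORS = [
    ("US", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"),
    ("RU", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"),
    ("US", "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0"),
    ("DE", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.71 Safari/537.71"),
]

if __name__ == "__main__":
    for country, ua in SAMPLE_VISITORS:
        accepted, reason = classify_visitor(country, ua)
        print(f"{country} {'PASS' if accepted else 'DROP'} {reason}")
```

The practical reading: a replay from a non-listed country, from anything but Windows, or with a non-IE User-Agent will be dropped before the exploit is served and will not show up in the affiliate's install count, which is why captures of this chain are taken with an IE User-Agent from a listed country.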
Sweet Orange Stats tied to a Thread pushing Flimrans. Beginning of October 2013 |
Borracho - Money Stats |
Borracho - Referral |
This is only an assumption; I did not see it live.
Borracho - Config |
Borracho - Checks |
Yes...people are still falling for Ransomware...
Borracho - Files |
Borracho - Profile |
Borracho - Payments |
Default design (if the country is not targeted; it is also one of the multiple Reveton US designs)
Flimrans "Failover" Design |
US design (also one of the Reveton US designs)
Flimrans US Design - 2013-10 |
Flimrans ES Design - 2013-10 |
C&C (the C&C moved since the HiMan EK post):
192.133.139.249
50245 | 192.133.136.0/21 | SERVEREL | US | SERVEREL.COM | SERVEREL
GET /xfczMgBpgmeyU1Xf3MxFA0jxz3aVLa4= HTTP/1.1
Host: opobokuku.de
Cache-Control: no-cache
<edit1 2013-10-09>
Borracho moved or went down just after publication of this post.
Flimrans C&Cs:
85.25.84.201 (cf. af3750a4623d25c67b911562b99a9ee3, for instance)
8972 | 85.25.0.0/16 | PLUSSERVER | LI | INTERGENIA.DE | INTERGENIA AG
GET /tyjCGcRuh2eyU1Xf3MxFA0jxz3aVLa4= HTTP/1.1
Host: opobokuku.de
Cache-Control: no-cache
--
Host: ydomolyne.de (2013-10-14)
--
@kafeine Another Flimrans C&C: ycyrorezu.de on 198.27.109.127
— Maarten van Dantzig (@MaartenVDantzig) October 9, 2013
198.27.109.127
16276 | 198.27.64.0/18 | OVH | CA | OVH.COM | OVH HOSTING INC.
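The two captured requests above share a shape: a GET for a single 32-character base64 token (31 alphabet characters plus one "=" of padding) with no extension or query string, a Cache-Control: no-cache header, and, in both captures, the same final 22 characters of the path. The following is an added example, not code from the post or from the panel: a small matcher that parses proxy-style raw requests and reports which of the indicators listed on this page (hosts, IPs, path shape, shared suffix) each one hits. The sample records are the two captures above plus a constructed benign request; the benign record's destination IP and the use of the shared suffix as an indicator are assumptions.

```python
import re
from dataclasses import dataclass, field

# Indicators taken from this post: Flimrans C&C hosts and IPs seen in October 2013.
KNOWN_HOSTS = {"opobokuku.de", "ydomolyne.de", "ycyrorezu.de"}
KNOWN_IPS = {"192.133.139.249", "85.25.84.201", "198.27.109.127"}

# Path shape of both captured beacons: one 32-character base64 token
# (31 alphabet characters plus a single "=" pad), no extension, no query string.
TOKEN_PATH = re.compile(r"^/([A-Za-z0-9+/]{31}=)$")
# Both captured paths end with these 22 characters (assumed useful as a narrower
# indicator; the encoding itself is not known).
SHARED_SUFFIX = "eyU1Xf3MxFA0jxz3aVLa4="


@dataclass
class HttpRequest:
    method: str
    path: str
    dst_ip: str
    headers: dict = field(default_factory=dict)


def parse_request(raw, dst_ip):
    """Parse a raw HTTP/1.x request (request line plus headers) into an HttpRequest."""
    lines = [line for line in raw.strip().splitlines() if line.strip()]
    method, path, _version = lines[0].split()
    req = HttpRequest(method, path, dst_ip)
    for line in lines[1:]:
        name, _, value = line.partition(":")
        req.headers[name.strip().lower()] = value.strip()
    return req


def flimrans_indicators(req):
    """Return the reasons this request matches Flimrans C&C traffic; [] if none.
    IOC hits (host, IP) come first, then the structural heuristics."""
    reasons = []
    host = req.headers.get("host", "").lower()
    if host in KNOWN_HOSTS:
        reasons.append(f"known C&C host {host}")
    if req.dst_ip in KNOWN_IPS:
        reasons.append(f"known C&C ip {req.dst_ip}")
    match = TOKEN_PATH.match(req.path)
    if req.method == "GET" and match:
        token = match.group(1)
        if req.headers.get("cache-control", "").lower() == "no-cache":
            reasons.append("GET of a lone 32-char base64 token with Cache-Control: no-cache")
        if token.endswith(SHARED_SUFFIX):
            reasons.append("path ends with the 22-char suffix shared by the captured beacons")
    return reasons


# Constructed sample: the two requests captured in the post, then a benign request
# (the benign destination IP is made up for the example).
SAMPLE_RECORDS = [
    ("GET /xfczMgBpgmeyU1Xf3MxFA0jxz3aVLa4= HTTP/1.1\r\nHost: opobokuku.de\r\nCache-Control: no-cache\r\n",
     "192.133.139.249"),
    ("GET /tyjCGcRuh2eyU1Xf3MxFA0jxz3aVLa4= HTTP/1.1\r\nHost: opobokuku.de\r\nCache-Control: no-cache\r\n",
     "85.25.84.201"),
    ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nCache-Control: no-cache\r\n",
     "203.0.113.10"),
]


def scan(records):
    """Run the matcher over (raw_request, dst_ip) pairs; return one dict per hit."""
    hits = []
    for raw, dst_ip in records:
        req = parse_request(raw, dst_ip)
        reasons = flimrans_indicators(req)
        if reasons:
            hits.append({"host": req.headers.get("host"), "dst_ip": dst_ip,
                         "path": req.path, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(f"{hit['dst_ip']} {hit['host']} {hit['path']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

The host and IP lists will age quickly (the post itself records one C&C move and two new domains within a week), so the structural rule is what keeps the detection alive once the listed infrastructure is gone; on its own it is broad enough that it should feed a review queue rather than block.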
Files:
Here (Owncloud via goo.gl)
(2 SWO Fiddler captures, 2 Anubis cloud analyses, 4 samples)