In Kovter NL Design |
Kovter is following Revoyem's path.
Double shock on victims and new targeted countries.
This evolution has been spotted by Rich from Malwarebytes
Malware-Ransomers Getting Very Sick. Now popping child porn links in browser before blocking computer! #ransomer
— Shadowwar (@RichardMatteo1) October 21, 2013
In this case the first part of the work (shocking victims with CP website) is not done by traffer/web redirection prior to infection, as some traffer for Styx Revoyem Thread were doing, but by the malware itself.
Kovter fiddler Trace 2013-10-21 (Thx for comment pointint a non blurred zone) |
I made a design gathering session. They dropped the Prism Theme for US and are back to former design :
Kovter US - Default (failover) 2013-10-21 |
They already added Germany at the end of September ( Spotted by Malekal on the 2013-09-29 )
Kovter DE 2013-10-21 |
Kovter FR 2013-10-21 |
Kovter ES 2013-10-21 |
Kovter GB 2013-10-21 |
Kovter IT 2013-10-21 |
Kovter NL 2013-10-21 |
Kovter TR 2013-10-21 |
Files :
Sorry. Removed.
Exploit Kit pushing it :
The fast moving Sakura (domains in .pl ) previously on
78.129.143.10
20860 | 78.129.128.0/17 | IOMART | GB | IOMARTHOSTING.COM | IOMART HOSTING LIMITED
Now on
85.17.122.118:9716265 | 85.17.0.0/16 | LEASEWEB | NL | LEASEWEB.COM | LEASEWEB B.V.
50.7.193.124
30058 | 50.7.192.0/19 | FDCSERVERS | CZ | FDCSERVERS.NET | FDCSERVERS.NET
svoirdwiz .biz
svoirdwiz .org