Channel: Malware don't need Coffee
Browsing all 185 articles

1940 IPs for a BHEK/ULocker server - Nexcess-Net

We all remember the hack of Cryptome.org back on February 13th 2012, redirecting 2900 visitors to a "/Home/" Blackhole Exploit kit. (No? Read the cryptome.org thread about that.) Cryptome.org's post...

Urausy improving its localization - A (the?) Gaelic Ransomware with Interpol...

Urausy first appeared at the end of July. It was just another Reveton "Me too" with a yellow square filled with a # instead of the "Camera" and targeting a few countries: DE, ES, FR, UK, US (PT? see at...

Ransomware Casier - Sharing Design with Lyposit - Gaelic & Persian (?)

The Ransomware Casier (which is in my opinion the grandson of Goldenbaks) has new clothes and it looks like the way affiliates are managed has changed too. Malekal pointed me to a new evolution in the...

From Sakura to Reveton via Smoke Bot - Or a Botnet Distribution of Reveton

In my study of Reveton's distribution, I encountered only Blackholes and another unnamed exploit kit (which is now only spreading Urausy). FBI warned about Reveton being spread via Citadel. In...

Urausy has big plan for Europe - Targeting 3 new countries among which Norway !

After adding a default Interpol design and new countries BE, CH, FI, IE (the? 'Gaelic Ransomware'), LU, SE this past week, Urausy is now showing dedicated clothes to 3 new countries: GR, DK, and NO (First...

Behind the Captcha or Inside Blackhole Exploit Kit 2.0 - Exploit Kit...

Available to its clients since the second week of September, the Blackhole Exploit Kit has been, according to Paunch, its coder, rewritten from scratch (<- You'll see all announced features here). URL...

Redkit : No more money ! Traffic US, CA, GB, AU

It looks like the "EULA" has changed for Redkit "customers" in the past 20 days; now you can't pay with money anymore for this "Exploit Kit as a Service". Lucky Luke - Go West ! (Turkish Edition) As written...

Update to Citadel : 1.3.5.1 Rain Edition.

A new version of Citadel has been announced: 1.3.5.1 Rain Edition. Aquabox post. Original text of the advert: (Pastebin) The most modern means and tools for professional work are gathered...

Cool Exploit Kit - A new Browser Exploit Pack on the Battlefield with a...

Just for the left panel Thumbnail :) Stats page title. Sorry for the "read it live" post... the situation was moving while writing. A few days ago I discovered that a bunch of reverse proxies that I was...

Reveton Autumn Collection += AU,CZ, IE, NO & 17 new design

Cam on Reveton design (for the post's thumbnail :) ) After launching what I think is its own new "Cool" Exploit Kit, initiating a new way in browser exploit packs to drop payload ("Duqu-like" font drop),...

NeoSploit now showing "Blackhole 2.0 Like" landing pages

A short/fast post to answer some questions I got after my tweet about that: NeoSploit landings before: (note: I am able to put a name on this Exploit Kit thanks to Kahu Security) NeoSploit...

Reveton += HU, LV, SK, SI, TR (!), RO - So spreading across Europe with 6...

The guys behind the Reveton "Police Ransomware" are really active. After initiating the Cool EK, refreshing all designs and adding 4 maybe 5 (AU, CZ, IE, NO, DK?) targets around the 10th of October, they are...

Cool EK : "Hello my friend..." CVE-2012-5076

If you follow this blog you'll quickly get sick of Cool EK and Reveton. The Cool EK of Reveton distributors (yes it's also used by other groups, for instance the CBeplay.P ransomware distributors) is...

Meet CritXPack (Previously Vintage Pack)

CritXPack. I first heard about this Exploit Kit through a tweet from Security Obscurity (Thanks ! :) ). It was named Vintage Pack at that time: The enrollment form was simple: Vintage Pack form to...

CVE-2012-5076 - Massively adopted - Blackhole update to 2.0.1

CVE-2012-5076 is being adopted in a massive and fast way. We can see the same kind of spreading as for CVE-2012-4681 at the end of August 12. As expected...

Multi Locker (+updated ver.3) - Brief History and Inside view

There are many "locker kits" available in the underground. The most active seem to be Silence WinLocker, ZOIE and a fast-updating newcomer: Multi Locker. Original advert for Multi Locker. Text...

Reveton can speak now !

More than 24 hours without a new sample... detection for dropped Reveton growing to 11/43 on VirusTotal, something was happening for sure. And yes... After Silence Winlocker integrating sound (for...

Upas Kit (aka Rombrast) integrates webinjects

Announcement by Auroras. Text: webinjects are complete. The documentation is being finished and we are preparing the product for sale. This week the price is 2,000$ for the module, next week 3,000$,...

Meet ProPack Exploit Pack - yes that's a lot of pack

Initial ProPack Exploit Pack announcement (20-10-2012). Text: ProPack exploit pack - a professional exploit pack for rent on your server. And so, we are glad to present...

Inside view of Lyposit aka (for its friends) Lucky LOCKER

The Lyposit Ransomware appeared in the wild in the second week of September, 3 days after this post: Lucky LOCKER advert (note the IR). Text of the Advert (click to...
