Behind the 'AndroidOS.Koler' distribution network

Our full Koler report (PDF) 

At the beginning of May 2014 a security researcher named Kaffeine made the first public mention of Trojan.AndroidOS.Koler.a, a ransomware program that blocks the screen of an infected device and requests a ransom of between $100 and $300 in order to unlock the device. It doesn't encrypt any files or perform any kind of advanced blocking of the target device other than blocking the screen.

The malware displays a localized message from the police!

It has customized messages for the following countries:

Australia
Austria
Belgium
Bolivia
Canada
Czech Republic
Denmark
Ecuador
Finland
France
Germany
Hungary
Ireland
Italy
Latvia
Mexico
Netherlands
New Zealand
Norway
Poland
Portugal
Romania
Slovakia
Slovenia
Spain
Sweden
Switzerland
Turkey
United Kingdom
United States

As of July 23, the mobile part of the campaign has been disrupted and the Command and Control server has started sending an "Uninstall" request to victims.

In this post, instead of focusing on the mobile application itself – we highlight some details at the end – we want to shed light on its distribution infrastructure.  An entire network of malicious porn sites linked to a traffic direction system that redirects the victim to different payloads targeting not only mobile devices but any other visitor. That includes redirections to browser-based ransomware and what we think is an "Angler" exploit kit distribution network.

The diagram below illustrates the bigger picture of the infrastructure used.

The main findings can be summarized as follows:

  • Distribution:      TDS (Traffic Distribution System)
  • Main controller:      video-sartex.us (TDS Controller)
  • Malicious porn sites (redirector):      49 domains detected
  • Exploit kit websites:      700+ URLs (200+ domains)
  • Browser-based screen-lock domains:      49 domains detected
  • Mobile infection domain:      video-porno-gratuit.eu
  • Mobile Current C2:      policemobile.biz.
  • Traffic: almost 200,000 visitors to the mobile infection domain
  • 80% of visitors from the US

The use of a pornographic network for this "police" ransomware is no coincidence: the victims are more likely to feel guilty about browsing such content and pay the alleged fine from the authorities. This psychological factor can be the difference between a failed campaign and a successful one.

With regards to the malicious mobile application, we have found different APKs with the same behavior. Some of them (not yet distributed through this malicious network) have interesting names such as PronHub.com.Apk, whatsapp.apk or updateflash.apk.

This suggests the attackers could expand their campaign in the near future.

Mobile payload distribution

The mobile infection is triggered when the user visits specific pornographic sites from an Android device. Those sites are part of the distribution network created for this campaign and will redirect the victims to a landing page that contains an APK file called animalporn.apk.

All the porn sites in the campaign redirect their traffic to the same server: hxxp://video-porno-gratuit.eu. This domain hosts the malicious APK.

When visited, the website automatically redirects the user to the malicious application. The user still has to confirm the download and installation of the application on their device.

We were able to obtain the statistics showing the geographical distribution of visitors to this malicious site:

According to the same stats, we see that the campaign started and reached peak activity in April 2014.

Redirectors:  The malicious porn network

The pornographic sites of the network are not compromised sites. They all look the same, have the same HTML infrastructure and don´t provide their own pornographic material.

We identified a total of 48 domains in this porn redirecting network.

Almost all the websites used in this infrastructure were created using the same template – in many cases using templates from the legitimate site Tubewizardpro and Webloader for the external resources.

All the content (mainly videos and pictures) on these porn sites is loaded from external sources using Webloader.

Basically, all the porn sites redirect to the "controller" domain videosartex.us.

Videosartex.us then performs a redirect based on the parameter in the URL, the referrer, the user agent and the geographical location of the visitor's IP.

If the IP belongs to any of the 30 affected countries and the user-agent belongs to an Android device, the visitor is redirected to the APK at video-porno-gratuit.eu.

In other cases, the user is either redirected to a porn site on the network, to a screen-locker or to an exploit kit. The attackers use Keitaro TDS (Traffic Distribution System) to redirect users.

Non-mobile payloads

During our analysis we noticed that some domains showed ransomware-themed pop-ups to non-mobile victims. These additional servers are used when the controller (videosartex) detects the following two conditions:

  • The request contains no Internet Explorer user agent.
  • The request is from one of the 30 affected countries, but it doesn't contain an Android user agent.

In this case, the victim is redirected to any of the browser ransomware websites, while a blocking screen identical to the one used for mobiles is displayed on the victim's computer. There is no infection in this case, just a pop-up showing a blocking template.

The following images are examples of the headers used in the ransomware pop-ups:



Exploit kits

The redirection infrastructure used in this campaign contained one final surprise; redirecting visitors using Internet Explorer to sites hosting the Angler exploit kit, which has exploits for Silverlight, Adobe Flash and Java.

The following is an example of such a redirection:

We detected more than 200 domains used for hosting this exploit kit.

During our analysis, the exploit code was not fully functional and it didn´t deliver any payload.

Conclusions

Ransomware for mobile devices appeared on almost every prediction list for 2014. We are not dealing with the most advanced families here such as cryptolocker for Windows. The ransomware is fairly basic, but sufficient to annoy the victim.

Of most interest is the distribution network used in the campaign. Dozens of automatically generated websites redirect traffic to a central hub where users are redirected again. Depending on a number of conditions, this second redirection could be to a malicious Android application, to browser-based ransomware or to a website with the Angler Exploit Kit.

We believe this infrastructure demonstrates just how well organized and dangerous these campaigns are that are currently targeting, but not limited to, Android users. The attackers can quickly create similar infrastructure thanks to full automation, changing the payload or targeting different users. The attackers have also thought up a number of ways for monetizing their campaign income in a truly multi-device scheme.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *