The cybercriminal gang behind a dangerous ransomware attack, which locks victims out of their computer systems and extorts them by demanding cash to fix the problem, has added password-stealing functionality to the malware, according to Microsoft researchers who have documented some of the latest attacks.
Reveton, a widespread ransomware family that has been distributed through the Citadel banking Trojan, is turning up in a growing number of infections worldwide. Reveton is delivered by a number of automated attack toolkits, including the popular Blackhole exploit kit, said Stefan Sellmer, a researcher with Microsoft's Malware Protection Center. In his analysis of the attack, Sellmer wrote that the Reveton authors are using password-stealing Trojans to monetize the infection when victims fail to pay the ransom.
"Our advice is, before you become a victim of the Reveton infection, spend a few minutes to eliminate possible infection vectors by updating software components which are targeted by drive-by downloads," Sellmer wrote. "You should install all the relevant Microsoft security updates and update browser plug-ins like Java and Flash Player."
The ransomware attack targets vulnerabilities in Microsoft Office and Internet Explorer as well as browser plug-ins such as Adobe Flash Player and Oracle Java. In January, the cybercriminals behind Reveton quickly incorporated an exploit for a flaw in Oracle Java 7 and logged hundreds of thousands of infections.
Victims are typically infected when visiting an attack website, but the malware has also spread in phishing messages carrying malicious attachments. The campaign has been successful enough to catch the eye of the FBI, which issued an advisory about the attacks in November. The FBI warned of the gang's extortion technique, which locks the victim's screen and displays a phony law-enforcement warning claiming that a federal law has been violated and that a fine must be paid to regain access.
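The remediation Sellmer recommends, as an added PowerShell example that is not from Microsoft's analysis or the original article: it inventories the Java and Flash Player versions registered in the Windows uninstall keys (both the native and the Wow6432Node hive, so 32-bit plug-ins on 64-bit Windows are not missed) and lists applicable but uninstalled Windows updates through the Windows Update Agent COM API, which covers the Office and Internet Explorer patches. The minimum versions in $Minimums are illustrative placeholders, not vendor advisory values, and the DisplayName patterns are assumptions about how the installers register themselves.

```powershell
# Added example, not Microsoft's code. Replace the floors below with the
# current vendor releases before relying on the Outdated column.
$Minimums = @{
    'Java'         = [version]'7.0.210'       # assumption: placeholder floor
    'Flash Player' = [version]'11.7.700.202'  # assumption: placeholder floor
}

function Get-InstalledPlugin {
    # Uninstall entries from both hives; 32-bit plug-ins land under Wow6432Node on x64
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion } |
        # Assumed naming: "Java 7 Update 17", "Java(TM) 7 Update 17", "Adobe Flash Player 11 ActiveX"
        Where-Object { $_.DisplayName -match '^Java(\(TM\))? \d+( Update \d+)?|Flash Player' } |
        ForEach-Object {
            $product = if ($_.DisplayName -match 'Flash Player') { 'Flash Player' } else { 'Java' }
            # DisplayVersion is free text; keep digits and dots and skip entries that do not parse
            $parsed = $null
            if (-not [version]::TryParse(($_.DisplayVersion -replace '[^\d.]', ''), [ref]$parsed)) { return }
            [pscustomobject]@{
                Product   = $product
                Name      = $_.DisplayName
                Installed = $parsed
                Minimum   = $Minimums[$product]
                Outdated  = $parsed -lt $Minimums[$product]
            }
        }
}

function Get-MissingSecurityUpdate {
    # Windows Update Agent: updates that apply to this machine but are not installed
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $searcher.Search('IsInstalled=0 and IsHidden=0').Updates |
        Where-Object { $_.MsrcSeverity } |   # keep only updates carrying an MSRC severity rating
        Select-Object Title, MsrcSeverity
}

Get-InstalledPlugin | Sort-Object Product, Name | Format-Table -AutoSize
Get-MissingSecurityUpdate | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the endpoint; any row with Outdated set to True, or any Critical or Important update in the second table, is exactly the drive-by surface the article describes.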
Security experts say that software vulnerabilities, configuration weaknesses and stolen passwords are the biggest problems facing enterprises and computer users. Passwords are highly coveted, according to research by Microsoft, because with them attackers can gain access to corporate networks while appearing to be valid users. The Reveton cybercriminals have the attack down to a science, according to Sellmer: the malware uploads the location of each victim's system to a remote command-and-control server, which lets the bogus law-enforcement warning be matched to the victim's country. Reveton "can steal passwords for a comprehensive selection of file downloaders, remote control applications, FTP, poker, chat and email clients, as well as passwords stored by browsers and in protected storage," Sellmer wrote.
Reveton has also been seen in connection with the Cool Exploit Kit, a more expensive toolkit built around newer and zero-day vulnerabilities. The kit, which packs more than six exploits including attacks on flaws in Internet Explorer and Java, appears to be growing in popularity.
PUBLISHED MAY 20, 2013