The notorious Reveton ransomware has been updated to steal passwords and credentials, according to researchers with security firm Avast.
This latest edition affects more than 110 applications and turns the victim’s computer into a botnet client. The malware also steals passwords from five crypto currency wallets, and its banking module is set to target 17 German banks. In all cases, Reveton contains a link to download an additional password stealer.
“Reveton [uses] one of the best password/credentials stealer on the malware scene today,” Avast reported in a blog post. “Pony authors conduct deep reverse engineering work which results in almost every password decrypted to plain text form. The malware can crack or decrypt quite complex passwords stored in various forms.”
Pony includes 17 main modules (operating system credentials, FTP clients, browsers, email clients, instant messaging clients, online poker clients and more) and more than 140 submodules.
The new version of Reveton also has an upgraded lockscreen module. The authors of the malware divided the program into multiple threads, changed the encryption, saved the payload to registry and recreated communication with command and control servers.
“Reveton has also prepared another password stealer downloaded from the Papras family,” Avast researchers noted. “This malware is not as effective as the Pony but contains a powerful AV kill/disable function.”
According to Avast, the most common infection is via some well-known exploit kits, such as Fiesta, Nuclear and Sweet Orange.
In 2012, the FBI issued a warning about Reveton after complaints came pouring in to the Internet Crime Complaint Center about fake messages from the FBI demanding recipients pay a fine for visiting child pornography sites on the Web. Those who didn’t pay would have their computers locked. The ransomware scam demanded victims pay $200 to get control of their computers back.
“As we have shown, the high profits from the former Reveton model, unlocking the infected computer after the user pays a ransom, is not enough,” according to Avast. “Malware authors have decided to enter into a new black business area. Passwords to various systems and crypto currency wallets are a very lucrative commodity today. Some passwords (FTP, emails, IM…) are perfectly suited for spreading their malware and build stronger botnets.”