The notorious Reveton ransomware has been updated to steal passwords and credentials, according to researchers with security firm Avast.
This latest edition steals credentials from more than 110 applications and turns the victim's computer into a botnet client. The malware also steals passwords from five cryptocurrency wallets, and its banking module is set to target 17 German banks. In all cases, Reveton contains a link to download an additional password stealer.
"Reveton [uses] one of the best password/credentials stealers on the malware scene today," Avast reported in a blog post. "Pony authors conduct deep reverse engineering work which results in almost every password decrypted to plain text form. The malware can crack or decrypt quite complex passwords stored in various forms."
Pony includes 17 main modules (operating system credentials, FTP clients, browsers, email clients, instant messaging clients, online poker clients and more) and more than 140 submodules.
The new version of Reveton also has an upgraded lockscreen module. The authors of the malware divided the program into multiple threads, changed the encryption, saved the payload to the registry and rewrote the communication with its command and control servers.
“Reveton has also prepared another password stealer downloaded from the Papras family,” Avast researchers noted. “This malware is not as effective as the Pony but contains a powerful AV kill/disable function.”
According to Avast, the most common infection is via some well-known exploit kits, such as Fiesta, Nuclear and Sweet Orange.
In 2012, the FBI issued a warning about Reveton after complaints came pouring in to the Internet Crime Complaint Center about fake messages from the FBI demanding recipients pay a fine for visiting child pornography sites on the Web. Those who didn't pay would have their computers locked. The ransomware scam demanded victims pay $200 to get control of their computers back.
"As we have shown, the high profits from the former Reveton model, unlocking the infected computer after the user pays a ransom, are not enough," according to Avast. "Malware authors have decided to enter into a new black business area. Passwords to various systems and cryptocurrency wallets are a very lucrative commodity today. Some passwords (FTP, emails, IM…) are perfectly suited for spreading their malware and building stronger botnets."