Russian Cyber-Crooks Run Tailored NSA-Related Ransom Malware Campaign
Blue Coat, the IT security company, says its security researchers recently studied an intriguing ransomware sample that is possibly operated by Russian Internet criminals. The malware was distributed some weeks ago when PHP.net came under attack, softpedia.com reported on November 5, 2013.
Andrew Brandt, Threat Research Director at Blue Coat, says the ransomware behaves in a fairly standard way. After locking the user out of the PC, it demands a monetary penalty, claiming the user accessed unlawful material on the system and that the device will be unblocked only after payment.
Two aspects of the malware are worth noting. First, it uses data from the victim's user profile folder to build a tailored lock screen. Second, it misappropriates the identity of the United States NSA (National Security Agency), also referred to as the Central Security Service, so that its demands appear credible.
After infecting the PC, the threat checks whether the system is online, then determines the PC's location using IP geolocation and MaxMind, a service for Internet fraud identification.
It then connects to a Russia-based server and sends it some data; within a few minutes, the malware uploads a large amount of encrypted data to another server, Xaraworkbook.us, which after 4 seconds returns something to the infected system.
Importantly, the ransomware's lock screen displays the username of the account whose credentials were in use when the infection took place.
After infection, the malware also routinely contacts web servers whose 18-22 character names look like the output of a URL-generating algorithm. As is typical, in the 12 hours following the initial infection the ransomware connected to its C&C system a total of 152 times, roughly once every 5 minutes.
These connections differ from the first one: they are Hypertext Transfer Protocol (HTTP) GET requests with a long Uniform Resource Identifier (URL) string containing many random letters and digits.
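The two traffic traits described above, regular GET requests at roughly five-minute intervals to hosts with 18-22 character algorithm-looking names and long random-looking URL strings, are exactly what a proxy-log beaconing check can pick up. The following detector is an added example written for this article, not code from Blue Coat or SPAMfighter; the log line format, the sample log lines, the hostnames and the entropy and interval thresholds are all constructed assumptions for the demonstration.

```python
"""Flag periodic HTTP GET beacons to algorithm-looking hosts in proxy logs.

Added example, not code from the article. The log format, every sample line,
the hostnames and the thresholds below are constructed for this demonstration.
"""
import math
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log format: "<ISO timestamp> <client ip> <method> <url>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"https?://(?P<host>[^/\s]+)(?P<path>\S*)$"
)

# Constructed sample: one DGA-style beacon host, one benign site visited at
# irregular times, and one benign periodic update check (periodic but not random).
SAMPLE_LOG = """\
2013-11-05T10:00:00 10.0.0.5 GET http://k3qz8mwlpr4v9xtb2nhy.example/?q=Xk2pL9vQ7mRz4tB8nW1cY6hJ3dF5gS0aEqU9oI2yT7wM4
2013-11-05T10:00:30 10.0.0.5 GET http://update.example.org/check
2013-11-05T10:01:10 10.0.0.5 GET http://www.example.com/index.html
2013-11-05T10:02:40 10.0.0.5 GET http://www.example.com/index.html
2013-11-05T10:05:01 10.0.0.5 GET http://k3qz8mwlpr4v9xtb2nhy.example/?q=b7Nq3Vx8Lm1Zr5Tk9Pw2Cs6Hy4Gd0Jf8Ae3Ui7Oq1Yt5Wn
2013-11-05T10:05:30 10.0.0.5 GET http://update.example.org/check
2013-11-05T10:09:58 10.0.0.5 GET http://k3qz8mwlpr4v9xtb2nhy.example/?q=Q4mT8zK2vX6pR9cL1nB5wJ7hF3gY0dS8aM2eU6iO4yW9t
2013-11-05T10:10:30 10.0.0.5 GET http://update.example.org/check
2013-11-05T10:12:05 10.0.0.5 GET http://www.example.com/index.html
2013-11-05T10:13:00 10.0.0.5 GET http://www.example.com/index.html
2013-11-05T10:15:03 10.0.0.5 GET http://k3qz8mwlpr4v9xtb2nhy.example/?q=z9Hk4Bv1Nm7Xq3Tr8Lc5Pw2Zs0Gy6Jd4Fa9Eu1Iq7Ot3Yw
2013-11-05T10:15:30 10.0.0.5 GET http://update.example.org/check
2013-11-05T10:19:59 10.0.0.5 GET http://k3qz8mwlpr4v9xtb2nhy.example/?q=M3kQ7pZ1vR5xL9tB2nW8cY4hJ6dF0gS3aE5qU1oI9yT2w
2013-11-05T10:30:45 10.0.0.5 GET http://www.example.com/index.html
"""


def shannon_entropy(s):
    """Bits of entropy per character; random-looking strings score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_algorithmic(host, min_len=18, max_len=22, min_entropy=3.5):
    """True when the first label is 18-22 chars of high entropy (thresholds assumed)."""
    label = host.split(".")[0]
    return min_len <= len(label) <= max_len and shannon_entropy(label) >= min_entropy


def parse(lines):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return events


def find_beacons(lines, expected_interval=300, tolerance=0.2, min_hits=4,
                 min_path_len=40, min_path_entropy=3.5):
    """Return (client, host, hit_count, mean_interval_s) for suspicious GET beacons.

    A pair is flagged when its requests are spaced about expected_interval apart
    with low jitter AND the host name or the URL path looks randomly generated,
    so ordinary periodic update checks to readable hosts are not reported.
    """
    by_pair = defaultdict(list)
    for e in parse(lines):
        if e["method"] == "GET":
            by_pair[(e["client"], e["host"])].append(e)

    findings = []
    for (client, host), evs in by_pair.items():
        if len(evs) < min_hits:
            continue
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 1.0
        periodic = (abs(avg - expected_interval) <= tolerance * expected_interval
                    and jitter <= tolerance)
        random_path = all(len(e["path"]) >= min_path_len
                          and shannon_entropy(e["path"]) >= min_path_entropy
                          for e in evs)
        if periodic and (looks_algorithmic(host) or random_path):
            findings.append((client, host, len(evs), round(avg)))
    return findings


if __name__ == "__main__":
    for client, host, hits, interval in find_beacons(SAMPLE_LOG.splitlines()):
        print(f"{client} -> {host}: {hits} GETs, ~{interval}s apart")
```

Run against the constructed log, only the DGA-style host is reported (5 GETs about 300 seconds apart); the update check is just as periodic but its readable hostname and short path keep it out of the findings, which is the point of requiring both signals.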
Meanwhile, the screenshot of the malware's message shows the OS edition of the 32-bit Windows XP test bed, despite which the cyber criminals' campaign dip.
» SPAMfighter News - 07-11-2013