Australians targeted by Koler mobile ransomware


By Dylan Bushell-Embling
Wednesday, 30 July, 2014



More than 6000 Australians have been exposed to a mobile ransomware known as Koler, which masquerades as a message from authorities including the police, Kaspersky research shows.

There have been 6223 Australian visitors to the mobile infection domain since the beginning of the ransomware campaign, according to Kaspersky Lab. This places Australian users in third place behind only the US and the UK for mobile payload numbers.

When victims visit any of 48 infected porn sites, the Koler culprits are able to scan victims’ systems and serve customised ransomware based on location and device type. The ransomware thus has both mobile and PC components.

For devices identified as being in Australia, the ransomware displays a custom message depicting logos from key authorities including the AFP, ACMA and the Australian Crime Commission.

If a mobile device is detected, the infected site automatically redirects the user to a malicious application. Users must still confirm the download and installation of the app, which is disguised as porn content but is actually the ransomware.

For desktop browsers, a controller checks whether the user is from one of 30 affected countries and is running Internet Explorer. If the browser isn’t IE, the user is sent to a blocking screen identical to the one used for mobile devices.

If IE is used, the redirect sends users to sites hosting the Angler Exploit Kit, which has exploits for Silverlight, Adobe Flash and Java. At the time of analysis, the exploit code was fully functional but didn’t deliver a payload, Kaspersky Lab said.

“We believe this infrastructure demonstrates just how well organised and dangerous this campaign is. The attackers can quickly create similar infrastructure thanks to full automation, changing the payload or targeting different users,” Kaspersky Lab Principal Security Researcher Vicente Diaz said.

The mobile component of the campaign has been disrupted since last week, but the malicious components for PC users are still active, he said.

Details of the campaign come a week after Fortinet warned that mobile ransomware has become a significant threat this year, with the first iOS ransomware and the first mobile ransomware that actually encrypts files both surfacing in the past few months.

Image courtesy of Lee Davy under CC 
