Australians targeted by Koler mobile ransomware


By Dylan Bushell-Embling
Wednesday, 30 July, 2014


More than 6000 Australians have been exposed to mobile ransomware known as Koler, which masquerades as a message from authorities including the police, Kaspersky research shows.

There have been 6223 Australian visitors to the mobile infection domain since the beginning of the ransomware campaign, according to Kaspersky Lab. This places Australian users in third place behind only the US and the UK for mobile payload numbers.

When victims visit any of 48 infected porn sites, the Koler culprits are able to scan victims’ systems and serve customised ransomware based on location and device type. The ransomware thus has both mobile and PC components.

For devices identified as being in Australia, the ransomware displays a custom message depicting logos from key authorities including the AFP, ACMA and the Australian Crime Commission.

If a mobile device is detected, the infected site automatically redirects the user to a malicious application. Users must still confirm the download and installation of the app, which is disguised as porn content but is actually the ransomware.

For desktop browsers, a controller checks whether the user is from one of 30 affected countries and is running Internet Explorer. If the browser isn’t IE, the user is sent to a blocking screen identical to the one used for mobile devices.

If IE is used, the redirect sends users to sites hosting the Angler Exploit Kit, which has exploits for Silverlight, Adobe Flash and Java. At the time of analysis, the exploit code was fully functional but didn’t deliver a payload, Kaspersky Lab said.
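The two-track redirector described above (mobile clients pushed to an app download, IE clients pushed to an exploit-kit landing page, everyone else to a blocking page) leaves a recognisable trace in web-proxy logs: a cross-site redirect onto the infection domain, branched on user agent, followed for Android clients by an APK fetch. The script below is an added detection example written for this article, not Kaspersky Lab's code or any tooling it describes. The log format, the sample lines, the client addresses and the watchlisted domain `redirector.invalid` are all constructed; a real watchlist would come from threat intelligence, since the article names no infection domains.

```python
"""Flag the user-agent-branched redirect pattern in web-proxy logs.

Added example for the Koler article; constructed log format and data.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log lines (fields separated by " | "):
# timestamp | client_ip | user_agent | method | url | status | location
SAMPLE_LOG = """\
2014-07-29T10:00:01 | 10.1.1.20 | Mozilla/5.0 (Linux; Android 4.4; Nexus 5) AppleWebKit/537.36 Mobile | GET | http://video-site.example/clip.html | 302 | http://redirector.invalid/mobile/
2014-07-29T10:00:02 | 10.1.1.20 | Mozilla/5.0 (Linux; Android 4.4; Nexus 5) AppleWebKit/537.36 Mobile | GET | http://redirector.invalid/mobile/ | 200 | -
2014-07-29T10:00:05 | 10.1.1.20 | Mozilla/5.0 (Linux; Android 4.4; Nexus 5) AppleWebKit/537.36 Mobile | GET | http://redirector.invalid/mobile/player.apk | 200 | -
2014-07-29T10:01:10 | 10.1.1.31 | Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) | GET | http://video-site.example/clip.html | 302 | http://redirector.invalid/ie/landing.php
2014-07-29T10:01:11 | 10.1.1.31 | Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) | GET | http://redirector.invalid/ie/landing.php | 200 | -
2014-07-29T10:02:00 | 10.1.1.42 | Mozilla/5.0 (X11; Linux x86_64) Firefox/31.0 | GET | http://video-site.example/clip.html | 302 | http://redirector.invalid/block/
2014-07-29T10:03:00 | 10.1.1.50 | Mozilla/5.0 (Windows NT 6.1) Chrome/36.0 | GET | http://news.example/index.html | 200 | -
"""

# Hypothetical watchlist of redirector/infection hosts (placeholder, not a real IoC).
WATCHLIST = {"redirector.invalid"}

REDIRECT_CODES = {"301", "302", "303", "307", "308"}


def parse_line(line):
    """Split one constructed log line into a dict, or None if malformed."""
    parts = [p.strip() for p in line.split(" | ")]
    if len(parts) != 7:
        return None
    ts, client, ua, method, url, status, location = parts
    return {"ts": ts, "client": client, "ua": ua, "method": method,
            "url": url, "status": status,
            "location": None if location == "-" else location}


def classify_client(ua):
    """Coarse client class, mirroring the branch the redirector takes."""
    if "Android" in ua and "Mobile" in ua:
        return "android"
    if re.search(r"MSIE \d|Trident/", ua):
        return "ie"
    return "other"


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def analyse(lines, watchlist=WATCHLIST):
    """Return {client_ip: [finding, ...]} for clients that hit the pattern."""
    findings = defaultdict(list)
    redirected = {}  # client -> watchlisted host it was sent to
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        client, kind = rec["client"], classify_client(rec["ua"])
        # Step 1: a cross-site redirect that lands on a watchlisted host.
        if rec["status"] in REDIRECT_CODES and rec["location"]:
            src, dst = host_of(rec["url"]), host_of(rec["location"])
            if dst in watchlist and dst != src:
                redirected[client] = dst
                findings[client].append(f"redirect:{src}->{dst}:{kind}")
                if kind == "ie":
                    # IE is the only desktop browser the campaign sends onward.
                    findings[client].append(f"ie-exploit-kit-landing:{dst}")
        # Step 2: an Android client then fetches an APK from that same host.
        elif (kind == "android" and client in redirected
              and host_of(rec["url"]) == redirected[client]
              and urlparse(rec["url"]).path.lower().endswith(".apk")):
            findings[client].append(f"apk-download:{rec['url']}")
    return dict(findings)


if __name__ == "__main__":
    for client, hits in analyse(SAMPLE_LOG.splitlines()).items():
        print(client, hits)
```

The Android finding is the one worth paging on: the article notes the user still has to confirm the install, so an APK fetch from the redirect target is the last point at which a block on the proxy or MDM prevents infection. The IE finding only says the client reached the landing page; whether an exploit fired needs endpoint telemetry, not proxy logs.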

“We believe this infrastructure demonstrates just how well organised and dangerous this campaign is. The attackers can quickly create similar infrastructure thanks to full automation, changing the payload or targeting different users,” Kaspersky Lab Principal Security Researcher Vicente Diaz said.

The mobile component of the campaign has been disrupted since last week, but the malicious components for PC users are still active, he said.

Details of the campaign come a week after Fortinet warned that mobile ransomware has become a significant threat this year, with the first iOS ransomware and the first mobile ransomware that actually encrypts files both surfacing in the past few months.

Image courtesy of Lee Davy under CC
