Australians are the third most-frequent victims of a new infection vector for 'Koler' ransomware, which emerged in April and was targeting both mobile and PC users with 'Australianised' content until it began uninstalling itself from infected mobiles this week.
Some 6223 Australians have visited Koler's infection domain since the campaign began, according to figures from Kaspersky Lab that put the country's mobile users in third place for mobile payload infection – behind the United States and United Kingdom.
Using what Kaspersky has called an “unusual” scheme, Koler scans victims' systems and customises its malware to suit a range of conditions and parameters. Visitors to one of at least 48 malicious, seeded pornography sites are redirected to a centralised hub that uses the Keitaro Traffic Distribution System to redirect users a second time.
Visitors to the Website may be automatically redirected to the malicious application – a file called animalporn.apk whose download must still be approved by the user – or sent to browser ransomware Web sites, or to a site hosting the Angler Exploit Kit, which can exploit Microsoft Silverlight, Adobe Flash and Sun Microsystems Java.
“Of most interest is the distribution network used in the campaign,” Kaspersky Lab principal security researcher Vicente Diaz said in a statement. “Dozens of automatically generated Web sites redirect traffic to a central hub using a traffic distribution system where users are redirected again.”
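As an added illustration (not code from the article or from Kaspersky's report), the following Python script rebuilds per-client redirect runs from a constructed proxy log and flags the pattern described above: two or more consecutive redirects (seed site, then hub) ending either in an .apk download for an Android client or on a third host for a PC browser. The log format and the hostnames are assumptions, not indicators from the campaign.

```python
import re
from collections import defaultdict

# Constructed sample proxy log ("<client> <status> <url> <user-agent>"); hosts are placeholders, not campaign indicators.
SAMPLE_LOG = """\
10.0.0.5 302 http://seed-site.example/video.html Mozilla/5.0 (Linux; Android 4.4; Nexus 5)
10.0.0.5 302 http://hub.example/go.php?sid=12 Mozilla/5.0 (Linux; Android 4.4; Nexus 5)
10.0.0.5 200 http://drop.example/animalporn.apk Mozilla/5.0 (Linux; Android 4.4; Nexus 5)
10.0.0.7 302 http://seed-site.example/video.html Mozilla/5.0 (Windows NT 6.1; rv:30.0) Firefox/30.0
10.0.0.7 302 http://hub.example/go.php?sid=12 Mozilla/5.0 (Windows NT 6.1; rv:30.0) Firefox/30.0
10.0.0.7 200 http://ek.example/landing.php Mozilla/5.0 (Windows NT 6.1; rv:30.0) Firefox/30.0
10.0.0.9 200 http://news.example/index.html Mozilla/5.0 (Windows NT 6.1) Chrome/36.0
10.0.0.9 302 http://short.example/x Mozilla/5.0 (Windows NT 6.1) Chrome/36.0
10.0.0.9 200 http://news.example/story.html Mozilla/5.0 (Windows NT 6.1) Chrome/36.0
"""
REDIRECTS = {301, 302, 303, 307, 308}

def parse(log_text):
    """Split each constructed log line into (client, status, url, user_agent)."""
    rows = []
    for line in log_text.strip().splitlines():
        client, status, url, ua = line.split(" ", 3)
        rows.append((client, int(status), url, ua))
    return rows

def host_of(url):
    return re.match(r"https?://([^/]+)", url).group(1)

def find_chains(rows, min_hops=2):
    """Per client, find runs of >= min_hops redirects ending in a 200 and label them:
    an .apk fetched by an Android client, or a chain spanning >= 3 hosts (seed -> hub -> destination).
    Returns (client, label, hosts) tuples; single-hop redirects are ignored."""
    by_client = defaultdict(list)
    for row in rows:
        by_client[row[0]].append(row)
    findings = []
    for client, reqs in by_client.items():
        hops = []
        for _, status, url, ua in reqs:
            if status in REDIRECTS:
                hops.append(url)
                continue
            if len(hops) >= min_hops:
                hosts = [host_of(u) for u in hops] + [host_of(url)]
                if url.lower().endswith(".apk") and "android" in ua.lower():
                    findings.append((client, "android_apk_after_tds", hosts))
                elif len(set(hosts)) >= 3:
                    findings.append((client, "multi_host_redirect_chain", hosts))
            hops = []  # a non-redirect response closes the current run
    return findings
```

Running `find_chains(parse(SAMPLE_LOG))` reports the Android client's .apk fetch and the PC client's three-host chain, while the benign single-hop redirect for the third client is not flagged.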
Where the Koler code detects the user is in Australia, the ransomware offers a customised message mentioning Australian authorities including the Australian Federal Police; Australian Communications and Media Authority; Australian Crime Commission; and the Royal Australian Corps of Military Police.
As of July 23, the mobile part of the campaign had been disrupted, and the ransomware's command-and-control server had been sending 'uninstall' requests to mobile victims that had previously been shown a message instructing them to pay from $100 to $300 to unlock the device.
Australia's particular susceptibility to such threats should be no surprise: recent OECD figures named Australia as the country with the world's second highest penetration of wireless broadband users, behind Finland and well ahead of both the US and UK.
The flexibility of Koler has many concerned that its authors, and others, will continue to find new ways of exploiting the growth in mobile usage.
“We believe this infrastructure demonstrates just how well organised and dangerous this campaign is,” said Diaz. “The attackers can quickly create similar infrastructure thanks to full automation, changing the payload or targeting different users. The attackers have also thought up a number of ways of monetising their campaign income in a truly multi-device scheme.”