Koler campaign

During the past week, US users visiting adult-themed sites were targeted by ads for a fake PornHub app that contained a version of the Koler ransomware.

This particular ransomware appeared in 2014 when the operators of the Reveton Windows screen-locking ransomware decided to branch out and create an Android counterpart, which they began advertising on Russian-speaking hacking forums.

The Android version was a hit from the get-go, and it was one of 2014's most active Android threats, being detected in multiple campaigns during that year [1, 2, 3], including one that leveraged an SMS worm to automate and boost its infection process.

Because it was developed by the Reveton crew, Koler inherited the same tactics used by its Windows brethren, famous for locking people out of their computers and showing a police-themed message that asked people to pay a fine for viewing pornographic content.

New Koler campaign detected this past week

This extortion tactic was seen this past week by ESET security researcher Lukas Stefanko, who discovered an ongoing campaign that was pushing fake PornHub apps infected with the Koler ransomware, spread via shady adult-themed websites.

Users navigating to these sites were lured into downloading the fake PornHub app in order to view their desired pornographic content. At the end of this article, there's a list of URLs where the Koler group hosted their fake PornHub apps.

Users with devices that were configured to allow the installation of apps from third-party sources would be greeted by a screen as seen in the image "Step 1" below.
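As an added defender-side example (not from the article or from ESET), the following Python script flags proxy log entries that match this campaign's delivery pattern: an .apk download whose filename impersonates the PornHub brand, served from a host with a random-looking leftmost label, from a source that is not on an allowlist of legitimate APK origins. The log format, hostnames and allowlist are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed proxy log lines (not real traffic): "<ts> <client> <method> <url> <status>"
SAMPLE_LOG = """\
1507200001.123 10.0.0.12 GET http://abc1234xyz.example-adult-site.test/1/pornhub.apk 200
1507200002.456 10.0.0.12 GET http://www.example.com/index.html 200
1507200003.789 10.0.0.44 GET https://play.google.com/store/apps/details?id=com.example 200
1507200004.012 10.0.0.51 GET http://cdn.example.org/downloads/update.apk 200
1507200005.345 10.0.0.60 GET http://q9w8e7r6t5.another-site.test/16/pornhub.apk 200
"""

# Brand names the fake app impersonated in its filename; extend for your environment
IMPERSONATED_BRANDS = ("pornhub",)

# Hosts allowed to serve APKs to managed devices (constructed allowlist)
APK_ALLOWLIST = {"play.google.com", "cdn.example.org"}

# Leftmost host label of exactly 10 lowercase letters/digits mixing both classes,
# the shape of the per-download hostnames used by this campaign
RANDOM_LABEL = re.compile(r"^(?=.*[a-z])(?=.*[0-9])[a-z0-9]{10}$")


def parse_line(line):
    """Split one constructed log line into its five fields."""
    ts, client, method, url, status = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url, "status": status}


def classify_apk_request(url):
    """Return a list of reasons why this URL looks like a fake-app APK download (empty if benign)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    if not filename.endswith(".apk") or host in APK_ALLOWLIST:
        return []
    reasons = ["apk sideload from host not on allowlist"]
    stem = filename[:-4]
    for brand in IMPERSONATED_BRANDS:
        if stem.startswith(brand):
            reasons.append("filename impersonates " + brand)
    first_label = host.split(".")[0]
    if host.count(".") >= 2 and RANDOM_LABEL.match(first_label):
        reasons.append("random-looking subdomain " + first_label)
    return reasons


def scan_log(text):
    """Return (client, url, reasons) for every flagged APK download in the log text."""
    hits = []
    for line in text.splitlines():
        if line.strip():
            rec = parse_line(line)
            reasons = classify_apk_request(rec["url"])
            if reasons:
                hits.append((rec["client"], rec["url"], reasons))
    return hits
```

Entries carrying all three reasons are the ones worth an immediate look; a lone "sideload from host not on allowlist" is a lower-severity signal that depends on your sideloading policy.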

[Images: Step 1, Step 2, Step 3 (screenshots of the fake PornHub app's installation flow)]

Here, the fake PornHub app would ask the user to tap a button to continue the installation process, but that tap would be hijacked and land on a hidden prompt that granted the app device administrator rights. This method, known as clickjacking (or tapjacking on Android), is quite common in today's Android malware landscape.

In a private conversation, Stefanko told Bleeping Computer that Koler is one of the first Android ransomware threats that implemented and started using this technique a few years back.

Once the ransomware had admin rights, it used that admin-level access to overlay its ransom note on top of everything else on the user's screen (Step 3).

The only way to remove this screen is to boot the device into Safe Mode, revoke the app's device administrator rights, and then uninstall the fake PornHub app.

Campaign was aimed only at US users

Previous versions of Koler came with support for geo-targeting, showing a ransom note in a different language based on the user's location.

Stefanko told Bleeping Computer that this particular Koler campaign targeted only US users, as the ransomware only included ransom notes with an FBI theme.

IOCs:

List of domains hosting fake PornHub apps infected with Koler:


APK hashes:


Image credits: Lukas Stefanko, Bleeping Computer