• Total Posts: 28011
  • Total Topics: 8048
  • Online Today: 715
  • Online Ever: 51419
  • (01. January 2010., 09:27:49)

Author Topic: ‘Cat-Loving’ Mobile Ransomware Operates With Control Panel  (Read 238 times)

0 Members and 1 Guest are viewing this topic.


  • SCF VIP Member
  • *****
  • Posts: 709
  • KARMA: 114
  • Gender: Male
  • Pez
‘Cat-Loving’ Mobile Ransomware Operates With Control Panel

Recently the McAfee Labs Mobile Malware Research team found a sample of ransomware for Android with botnet capabilities and a web-based control panel service. The malware is running on a legitimate cloud service provider.

The payload of this malware can encrypt a victim’s files, steal SMS messages, and block access to the device. In this variant the malware’s authors include a picture of a cat:

The ransomware constantly requests commands from the control server via HTTP, and the malicious server responds with the attackers’ instructions defined in the control panel. All of this traffic is transmitted without encryption.

The commands that this threat can receive and perform are described in the following table:

Command      Tag                              Description
0       Read commands                HTTP request to control server for new commands
1       Send SMS message             Send message from infected device
2       Remove all SMS               Forward and delete all SMS messages
3       Encrypt SD files             Encrypt all files on SD card and add extension .enc
4       Encrypt path in SD           Encrypt all files on SD card in a specific path with extension .enc
5       Decrypt SD files             Decrypt affected files on SD card that contain extension .enc
6       Decrypt path in SD files     Decrypt files in a specific path on SD card
7       Lock                         Lock screen
8       Exit                         Kill application and exit

Reading commands from the control server:

Some interesting features of this ransomware include the ability to encrypt specific files, steal SMS messages while forwarding them to the attacker and avoiding the victim’s message visualization, lock access to the device and the encryption using an AES algorithm with a hardcoded password. Unlike asymmetric encryption, using a hardcoded password makes decryption trivial. Moreover, the application code contains a method to decrypt the affected files; thus this ransomware app can be forced to decrypt files if one invokes the appropriate method.

Decrypting the affected files:

The malicious server control panel for the botnet allows several remote commands:
• Lock/unlock the screen (with a cat image).
• Send SMS messages to the victim.
• Encrypt/decrypt SD card memory files (with a hardcoded password).
• Silently steal SMS messages from the victim’s device.

McAfee Labs has informed the owners of the abused servers and has requested they take down the malicious service.

This ransomware variant looks like a demo version used to commercialize malware kits for cybercriminals because the control server interface is not protected and includes in the code words such as MyDificultPassw.

These kinds of threats are usually distributed by attackers who buy exploit kits on black markets and who want to attack a specific company or group of people. The attackers often use phishing campaigns, Trojanized apps, social media networks, or other social engineering techniques.

McAfee Mobile Security detects this Android threat as Android/Ransom.ElGato and alerts mobile users if the malware is present, while protecting them from any data loss. Follow this link for more information about McAfee Mobile Security.

For help in combatting ransomware, follow this link to the site No More Ransom!

Original article: By Fernando Ruiz on Aug 08, 2016
Their is two easy way to configure a system!
Every thing open and every thing closed.
Every thing else is more or less complex.

Start Turfing !,8405.msg21475.html#msg21475

Samker's Computer Forum -


With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters)

Enter your email address to receive daily email with ' - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising