
The operators of REvil ransomware came into possession of the source code for the KPOT 2.0 information-stealing malware variant.

ZDNet reported that UNKN, a member of the REvil ransomware gang, acquired the source code for KPOT 2.0 in an auction announced by the malware’s author back in mid-October.

https://twitter.com/pancak3lullz/status/1316743641046700038?ref_src=twsrc%5Etfw

KPOT 2.0 first made news in May 2019 when Proofpoint spotted digital criminals offering this infostealer for sale for approximately $100 on underground forums.

This newer version incorporated several changes to the original KPOT iteration that digital attackers began distributing back in August 2018 using email campaigns and exploit kits.

For instance, those responsible for the malware revised KPOT’s storage structure. This change enabled the malware to organize all of its stolen files into folders that corresponded to the directory from which they were originally gathered.

The malware authors also added the ability to collect Outlook credentials from the registry for all users.

Nearly a year later, Bleeping Computer spotted a fake website for an optimization software that capitalized on fears surrounding COVID-19 to distribute both the CoronaVirus ransomware strain as well as the KPOT information-stealing trojan.

Security researcher Pancak3 told ZDNet that the author of KPOT organized the auction on an underground web forum for Russian-speaking digital criminals after they decided to move on to other pursuits.

UNKN was the only participant in the auction. It paid the initial asking price of $6,500 after other actors on the underground forum cited the price of the opening bid as an explanation for why they declined to participate.

Pancak3 explained to ZDNet that UNKN likely acquired the source code of KPOT in order to “further develop it” and thereby add it to their expanding arsenal of tools which they could use to prey upon targeted organizations’ corporate networks.

News of this acquisition follows less than a year after REvil infected the systems of a major provider of enterprise data center services headquartered in Texas.