GandCrab ransomware is a malware threat that encrypts data on affected computers and demands the payment of ransom in exchange for a decryption tool. That cryptovirus appeared for the first time at the end of January this year, and since then researchers have identified several different versions of GandCrab, among which GDCB, GandCrab v2, GandCrab v3, GandCrab v4, and GandCrab v5. The latest version was identified just about a month ago in September 2018. The features and encryption mechanisms of this ransomware have evolved since its first appearance - while the initial three versions have used RSA and AES encryption algorithms to lock up data on the infected device, version 4 and above employ additional and more sophisticated cipher like Salsa20. Malware researchers believe that this is done mostly for speed reasons as the Salsa20...

The RobinHood Ransomware (RobbinHood Ransomware or RobbinHood File Extension Ransomware) is a ransomware Trojan that is used to harass computer users under the pretext of raising awareness and funds for the people of Yemen. In fact, there is no evidence to support the theory that the creators of the RobinHood Ransomware have altruistic motives. It is likelier that the con artists are using the RobinHood Ransomware to profit in the same way that the creators of most encryption ransomware Trojans act today. However, the ransom demand in the case of the RobinHood Ransomware is extremely elevated, making it very unlikely that any individual PC users will pay the RobinHood Ransomware ransom in case of an attack. Take preventive measures against ransomware Trojans like the RobinHood Ransomware, which are becoming common increasingly. Yemen...

The WanaCrypt0r Ransomware is an encryption Trojan that features a worm-like attack tactic. The WanaCrypt0r Ransomware is recognized as one of the most threatening and widespread encryption Trojans up until May 12th, 2017. The WanaCrypt0r Ransomware managed to compromise more than hundreds of thousand systems across one hundred and forty countries on its first release to the real world. The brunt of the attack was taken by PC users in Russia and the National Healthcare System in Great Britain. The Trojan managed to block access to most of the computers connected to the National Healthcare System and nearly 70% of the cases that involve the WanaCrypt0r Ransomware are recorded in Russia....

The Krampus-3PC is a threat that targets Apple mobile devices exclusively. The authors of the Krampus-3PCmalware have made sure that their threat runs several checks to determine whether the device was made by Apple or not. All users who were not operating an Apple device were spared. Another interesting trait of the Krampus-3PC malware is that it operates online entirely. This allows the threat to carry out its campaigns very silently, as no traces of unsafe activity would be left on the affected device. Propagation Method The Krampus-3PC threat appears to be distributed with the help of malvertising campaigns. Oddly enough, instead of using shady promotional networks to carry out this operation, the creators of the Krampus-3PC have taken advantage of legitimate advertising companies. The attackers have used a rather cunning technique...

Nowadays, with the ever-growing number of smartphones globally, there are malware types targeting mobile devices. Among them is a threat that is often referred to as click fraud. Usually, click fraud involves a shady administrator of a website with advertisements paying low-wage workers or using bots to click on the advertisements present on their site to generate more revenue from the parties advertising on their platform. However, click fraud also can take other forms, such as boosting the stats of mobile applications. This is the case of the Guerilla threat - an Android Trojan whose goal is to hijack mobile devices and use them to pump the statistics of various applications hosted on the Google Play Store artificially. Propagation Method The creators of the Guerilla Trojan had been distributing this threat via bogus applications...

A growing number of cyber crooks are taking an interest in developing malware targeting systems running the OSX. However, there also are other shady individuals that target Mac users. Unlike full-blown cybercriminals, these dubious actors do not take part in creating malware, but instead, they release low-quality applications and extensions that exaggerate their capabilities and mislead users purposefully. An effective example of this would be the SearchAdditionally application. This application is compatible with devices running the OSX only. Pushes Shady Advertisements and Collects Browsing Data The authors of the SearchAdditionally application claim that their creation will enhance the user’s search results greatly by delivering more relevant results. However, this is not the case, certainly. Users who download and install the...

Online schemes have existed since the dawn of the Internet. Among the countless tricks used by online conmen are fake technical support tactics. Often, these tactics would involve a bogus website that has been designed to display fraudulent alerts as soon as a user visits them. These alerts tend to claim that the user’s system has been compromised with a threat or a system error has occurred. This is a social engineering trick designed to pressure users into taking actions that they normally would not take. One of these tactics presents users with a ‘Stop code: CRITICAL_PROCESS_DIED’ message. Next, the user is advised to get in touch with ‘Microsoft Support’ immediately to solve the problem. However, the intimidating alert is not legitimate, and the phone number that the user is provided with is no way affiliated with the Microsoft...

The Hoardy backdoor Trojan is a threat that has been employed in several attacks targeting high-profile individuals. This Trojan is the creation of a hacking group called the Flea group, and its most infamous campaign took place right before the G20 summit in 2014 and targeted high-ranking politicians. The Hoardy backdoor Trojan has since been utilized in several other shady operations. Usually, hacking campaigns that employ the Hoardy backdoor do not last very long, which has led experts to believe that the goal of the attackers is likely to grab as much information as they can quickly and cease the operation to remain under the radar of the victim. Propagation Method To propagate the Hoardy backdoor Trojan, the Flea hacking group is using phishing emails that they have tailored to look as legitimate as possible. The target would...

Infostealers are among the favorite hacking tools of cybercriminals around the world. This is because this malware type is usually very small in terms of size, which allows it to carry out silent operations that can be highly successful potentially. Infostealers may allow their operators to collect information from messaging applications, email clients, Web pages, etc. Normally, infostealers connect to their creators’ C&C (Command & Control) server and siphon all the collected data to straight to the attackers. The Khalesi malware belongs to the infostealer class, and it appears to be active in the wild. Propagation And Persistence The Khalesi infostealer is likely being propagated via several means of distribution such as malvertising campaigns, bogus application downloads, mass spam email campaigns, pirated media, and software, etc....

There are numerous Web browser extensions that claim to perform all sorts of useful tasks, but a significant number of them are not at all what they claim to be. TheEasyWayPro is an excellent example of this. This Web browser extension states that it will provide users with helpful directions and handy maps. The developers of this extension are likely targeting users who go hiking frequently or enjoy traveling often. However, the TheEasyWayPro extension is not offering anything unique to its users. Instead, this extension utilizes already existing free services such as Google Maps. This means that there’s no need to install the TheEasyWayPro to use the services that it offers as they are already free and available publicly. Alters Users’ Default Search Engine Users who choose to add the TheEasyWayPro to their Web browser may experience...

The Startrafficc.com site is a dodgy Web page that uses shady tactics to trick users into executing actions that they would not otherwise perform. In other words, the administrators of the Startrafficc.com utilize various social engineering to achieve their goals. Sometimes, administrators of shady websites use their platform to propagate threatening malware that has the potential to harm users’ systems seriously. However, the operators of the Startrafficc.com site do not take this outright unsafe strategy. Instead, they use their website to spam users with unwanted advertisements. Social Engineering Tricks The operators of the Startrafficc.com page claim that users need to click on the ‘Allow’ button that they are presented with if they want to see the content hosted on their websites. If the users fall for this and click on the...

Code Red (CodeRed) is a computer worm that affected MS ISS web servers back in the early 2000s. At the peak of its popularity, it affected nearly half a million host systems. Code Red uses a simple but effective vulnerability of older ISS web servers. the worm causes a buffer overflow by using a particularly long string of symbols, the netter N in this case, to overflow the software buffer. This, in turn, allows the malware to execute the arbitrary code it needs and spread further, while defacing the host in the process. Servers who were infected by the Code Red worm had their pages replaced with the following text: HELLO! Welcome to http://www dot worm dot com! Hacked By Chinese! The worm was also set up in a way which allowed it to perform different tasks depending on the day of the month, obtained from the victim's system clock. On...

The Windows Defender Antivirus uses the Mislead-ing:Win32/Lod!MSR detection name to signal a potential threat that may be present on the user's system. It is of key importance that the detection of the threat is not based upon a key piece of software or file per se but is instead applying heuristic methods to identify a potential unsafe activity. Every legitimate anti-malware application utilizes such techniques when looking for and identifying potential malware that may be present on the user's computer. However, even if the said anti-virus tool pre-sents you with the Misleading:Win32/Lod!MSR detection alert that does not mean that there is an unsafe activity taking place on your system necessarily. Sometimes, harmless files downloaded from trustworthy sources may trigger a false positive and spawn the Mislead-ing:Win32/Lod!MSR alert....

Cyber crooks take an increasing interest in creating threats targeting devices running OSX. One of the newest threats of this type that cybersecurity experts have spot-ted is called AppleJeus. The AppleJeus threat is a Trojan backdoor with several intriguing features. The authors of the AppleJeus Trojan are propagating it using a bogus digital asset currency exchanges. Any user that would like to use the service is urged to download a digital asset trading platform. However, as soon as the users down-load and install the file, the AppleJeus Trojan backdoor will be planted on their systems silently. Apart from the variant of this threat that targets Mac computers, the au-thors also have developed a copy that goes after Win-dows systems too. The Windows variant of this threat does not possess any qualities that are too impressive, but...

The Lazarus Ransomware is a new file-locking Trojan that has been spotted in the wild by experts. Just like most malware of this type, the Lazarus Ransomware will com-promise your computer, lock your files sneakily, and then demand money in exchange for a decryption key that is meant to inverse the damage that was done to your data. Propagation and Encryption It is not clear what infection vectors have been used in the propagation of the Lazarus Ransomware or if certain re-gions or demographics are being targeted by the authors of this threat. The creators of the Lazarus Ransomware are likely using fake emails to distribute this data-locking Trojan. Such spam email campaigns would often include a misleading, fraudulent message and a seemingly harm-less attached file, which is actually macro-laced. Opening the macro-laced attachment may...

One of the most favored tricks in the book of cybercrime is imitating a legitimate service or product to trick unsus-pecting users. The authors of the Microsoft-one.com have done this exactly - they have tailored their Web page to resemble a genuine Microsoft website so that users will not question its legitimacy and trust it blindly. Spawns Fake Alerts If you have come across the Microsoft-one.com website, you have likely been browsing low-quality content. Usual-ly, dodgy Web pages work with shady advertising net-works that push all dubious content, and it is likely that they also are involved in the promoting of the Microsoft-one.com website. Upon launching the main page of the Microsoft-one.com site, users will be redirected to the of-ficial Web page of Microsoft. This trick is likely meant to convince users of the legitimacy of the...

Many shady online actors create websites for the sole purpose of spamming users with unwanted advertise-ments via the browser’s notifications feature. One of the websites that partake in this behavior is the Rex-news1.club page. Spams Users with Unwanted Dodgy Advertisements The main goal of the administrators of the Rex-news1.club site is to trick the user into giving them per-mission to display Web browser notifications. The crea-tors of shady sites like the Rex-news1.club Web page are often utilizing various social engineering tricks to achieve their goal. The visitors of the Rex-news1.club website are misled into believing that the site hosts interesting con-tent, and if they want to view it, they have to click on the 'Allow' button that is supposed to enable a media player. However, the media player is fake, and clicking on the...

Many cyber crooks around the world rely on Trojan downloaders to infiltrate a targeted system and inject additional malware in it. To make the job of malware researchers more difficult, con actors who propagate Trojan downloaders would often obfuscate their code heavily and make their creation seem harmless. This way, the Trojan downloader may avoid detection by anti-malware tools and security checks successfully. Recently, cybersecurity experts have spotted a new Trojan downloader claiming victims online – IconDown. The IconDown downloader is believed to be the creation of a hacking group called BlackTech. Targets Businesses in Japan The BlackTech hacking group is believed to originate from Asia, as most of their targets are located in this area. Malware experts have been keeping an eye on the BlackTech group, and it became evident...