WebDiscover Browser is an adware threat developed by a Canada-based company named WebDiscover Media. Once installed on a PC, the malicious app makes a series of unwanted changes to all browsers installed on the computer, leading to a deteriorating online surfing experience. WebDiscover replaces the default home pages and search engines of affected Internet browsers with its own WebDiscover Homepage and WebDiscover Search, respectively. Furthermore, the malicious app modifies the “new tab” settings so that the corrupted browsers launch the malware's own search portal page when the user opens a new tab. Chrome users may not even recognize WebDiscover as an unwanted program and think they...

Getting an OS system error message while working on a project can be quite an unpleasant surprise. Whether relating to MS Windows, or Mac OS, such a bug is always bound to disrupt your normal computer work. While some errors tend to be system-specific, others can affect both Windows and Mac-based systems, albeit designating totally different problems. The so-called Code 43 error message, for example, is primarily associated with device driver problems in Windows PCs, on the one hand, and file transfer issues on Mac machines, on the other. If you are using Windows and looking for a way to fix this specific error, click here for a guide with possible solutions. If you are a Mac user,...

At first glance, the Newsbreak.com website appears to be a useful tool that would provide its visitors with the latest news. However, this is one of the countless bogus websites online that do not provide any content of value, and instead, seek to benefit from their visitors using various shady tricks. Spams Users with a Constant Flow of Advertisements Upon visiting the Newsbreak.com page, users will be asked to permit the site to display Web browser notifications. Keeping in mind that this fake page poses as a legitimate news website, many users may be tricked to allow browser notifications thinking that they will be alerted for the latest breaking news. However, this is not the case,...

The APT (Advanced Persistent Threat) group was spotted sending out spear-phishing emails that allegedly have detailed information about COVID-19, a.k.a. Coronavirus, but instead, they infect the victims with a custom remote access Trojan (RAT). The group is using the coronavirus pandemic to infect unsuspecting victims with a previously unseen malware. The malware is dubbed 'Vicious Panda' by researchers, with the attackers using it in a campaign at the moment. Researchers managed to find two Rich Text Format (RTF) files that were targeting the Mongolian public sector during the outbreak. Once the files are open, a unique and custom-made remote access Trojan is executed. It develops a list...

.HOW Ransomware is a new file-encrypting Trojan, which appears to belong to the notorious Dharma Ransomware family. Data-lockers like the .HOW Ransomware are not built from scratch. Instead, their creators borrow the code of well-established threats like the Dharma Ransomware and create a new copy of it with a different name.  Propagation and Encryption To cause a significant amount of damage to the compromised host, the .HOW Ransomware is likely to go after a wide array of filetypes, such as .doc, .docx, .pdf, .txt, .mp3, .midi, .mid, .aac, .wav, .mov, .webm, .mp4, .db, .zip, .rar, .jpg, .jpeg, .png, .svg, .gif, .xls, .xlsx, .ppt, .pptx and others. The .HOW Ransomware uses a complex...

IT Ransomware is a brand-new data-locking Trojan that appears to be a rather basic project. This file-locker is also known as the CobraLocker Ransomware. Despite not being a very high-end threat, the IT Ransomware is fully capable of causing significant damage to its targets. Unfortunately, the IT Ransomware does not appear to be decryptable for free. Propagation and Encryption Threats like the IT Ransomware often go after a variety of filetypes that are likely to be present on the system of every regular user. This means that the IT Ransomware will not spare any images, documents, presentations, databases, spreadsheets, archives, audio files, videos and other filetypes that are common....

Over the course of the past few years, hackers and cybercrooks armed with sophisticated malware have stolen literally hundreds of millions of dollars from online banking accounts and individuals all over the world. We have said it many times before in recent articles, the days of robbing banks in person are gone and now it all takes place behind a screen of a computer connected to the Internet. The Internet can be the most useful tool in business, school or every-day life. At the same time, the Internet can make someone's life a living hell in the event that one becomes the next victim of a cybercrime. A large percentage of the world's population that uses computers over the Internet are aware of cybercrime and the consequences that they may face if they succumb to a cybercriminals' trap. Others who have no clue as to the dangers they...

Search Baron is a potentially unwanted browser hijacker masked as a search engine application. The latter supposedly aims to turn web surfing on OSX-based Mac devices into a more satisfying experience. Yet, its bad habit of landing on the device without its user's knowledge raises suspicions about its end purpose. While the tool does not necessarily fall under any severe malware category, you may bet that it would in no way improve your browsing experience, either. Instead, Search Baron's primary goal is to promote its search services, often more aggressively than usual. A Bing search engine with a Twist The Search Baron page appears to be powered by Microsoft’s popular Bing search engine. However, the search results you would get from a regular Bing search query may come with sponsored links of suspicious quality mingled in between....

Search Marquis is a Mac utility that disguises itself as a helpful tool that will enhance the browsing quality of popular browsers like Chrome and Safari. In fact, it is a malicious browser extension that aims to alter the browser's setting without the user’s knowledge and consent. The main purpose of this Potentially Unwanted Program (PUP) that sneaks stealthily into Mac computers is to generate revenues for its operators by popularizing the search engine Bing.com on Mac Safari browser. This happens through a number of intermediate redirects through various dubious domains. Once installed on a Mac computer, this browser hijacking tool starts to modify crucial changes on the user's...

Gamblingday.xyz is a mostly empty website but don't let that fool you - the sole reason for its existence is to propagate a browser-based tactic. There are myriads of websites nearly identical to Gamblingday.xyz and more are created every day. Their only objective is to trick users into subscribing to their push notification by employing various deceitful social-engineering tactics. The crux of the tactic is to convince the unsuspecting users to click the 'Allow' button. By doing so, they will be giving the fraudulent websites the needed permissions to start delivering unsolicited ads directly to the device's screen. The most popular tactic by far is for misleading websites to pretend that they are performing a bot captcha check. Gamblingday.xyz relies on a different technique, instead opting to take advantage of the user's curiosity....

Search-queen.com is a fake search engine that has been promoted by either adware or browser-hijacker applications. The main goal is to drive artificial traffic towards the address and possibly generate monetary gains through sponsored advertisements. Search-queen.com can affect all of the most popular browsers - Google Chrome, Safari, MS Edge and Mozilla Firefox. If users start noticing an unusual amount of redirects to search-queen.com from their default browser, their computers might have been infiltrated. If the culprit is a browser hijacker, it will have set the homepage, new page tab, and the default search engine to open search-queen.com. Consequently, even opening the affected browser will be generating traffic for the promoted address. Fake search engines cannot produce any search results by themselves, as they simply lack the...

The Easy2Lock Ransowmare operates as a typical crypto locker threat. It attempts to infiltrate the targeted computer undetected and then proceeds to encrypt most of the files stored on it. Users will be 'locked' from accessing their personal or business-related data effectively, which in some cases may have dire consequences. The criminals behind the Easy2Lock Ransowmare then extort money from their victims in exchange for the possible restoration of the encrypted files. Every locked file will have its name changed to include '.easy2lock' as a new extension. Unlike most other ransomware threats that simply leave their ransom notes as a .txt or .hta file in all folders containing encrypted data, the Easy2Lock Ransowmare creates a separate text file for every single encrypted file. The names of the files carrying the ransom note are...

The MessedUP Ransomware is a new variant based on the Phobos Ransomware family detected in the wild. The threat itself doesn't display any major deviation from the typical behavior of the Phobos Ransomware variants, apart from the fact that the hackers behind it have decided to forego the usual email communication channel apparently, and have instead opted to use the ICQ application. As for the encrypted files, their original filenames will be modified to include a string of characters representing the victim's unique ID, followed by the ICQ account address of the criminals, and finally, '.messedup' as a new extension. The ransom note of the threat is delivered in two different forms. First, as a text file named 'info.txt' and as an HTML file called 'info.hta' used for the generation of a pop-up window on the screen of the compromised...

IXWare is a malware threat offered as Malware-as-a-Service (MaaS) designed to collect account credentials from Windows systems. More specifically, however, IXWare seems to be geared towards attacking the Roblox video game due to having multiple techniques for collecting Roblox account details. The malware is being advertised on a Roblox hacking forum that specializes in reselling accounts with two price tiers available - 10 euro for a month or 25 euros for three months of service. The hackers advertise their malware as having an impressive list of features. However, as the infosec researchers who analyzed the threat soon discovered, some features are either non-functional or simply don't exist. Another fact that became clear from the analysis is that the creators of IXWare are not sophisticated software developers. Many of the...

Researchers at IBM have uncovered a new malware strain that attempts to collect banking credentials through remote overlay attacks. The name given to this new threat is Vizom, and, at least for now, its main targets are users located in Brazil. The propagation method of Vizom is through the familiar tactic of sending phishing emails carrying malware-laced attachments. To raise as little suspicion as possible, the hackers behind the campaign disguise their malware creation as popular videoconferencing tools. Such applications have become a necessity in the aftermath of the COVID-19 pandemic, with many non-tech-savvy users having to learn to work with these applications quickly. Once the unsuspecting victim executes the poisoned email attachments, it drops a mixture of legitimate and corrupted files. The infection chain begins from the...

Diokle.prо is a rogue website that uses popular tricks to deceive users into registering for spammed browser notifications. Among the misleading text messages that this website presents to its visitors are such that ask them to click on the 'Allow' button for some event to take places, like 'connect to the Internet,' 'enable Flash Player,' 'Open the website,' 'play a video,' 'download a file' and so on. However, pressing the 'Allow' button means that Diokle.prо can start sending a huge amount of spam messages to the user's computer directly. The pop-up advertisements will show up even if no browser is launched, while their amount can be so overwhelming that it can even interfere with the affected device's regular performance. Deleting Diokle .prо's permission to send advertisements can be done manually. However, the bigger problem is...

Revoluciondron.com is a browser-based tactic that uses a website with the same URL to conduct its fraudulent activities. Such websites' primary goal is to be part of a promotional scheme for questionable and potentially compromised online pages and services, like online games, pornographic websites, fake offers and surveys, potentially unwanted tools, and many other useless programs and applications. People do not land on Revoluciondron.com on their own; they usually get redirected to this page by an infected online advertisement or an unsafe program installed on their computers. The website displays a fake error message to its visitors that has the following text: "Revoluciondron.com wants to Show notifications Click Allow to continue" Clicking on the 'Allow' button means that the user accepts the browser notifications from...

Houstontexansteamstore.com is an unsafe website with no meaningful content. Its only goal is to trick users into subscribing to push notifications. When opened, the page displays a fake error message that informs the visitors that they need to click on the 'Allow' button within the text for the website to load. This is a common trick that often works: inexperienced users click on the button, and as a result, they give this blank page permission to deliver advertising pop-ups straight to their computers. This browser notifications permission allows Houstontexansteamstore.com to displays advertisements on the user's screen, on top of any other content, even when no browser is launched. The problem is that messages generated by such untrusty pages usually contain scripts that redirect the user to potentially corrupted resources on the...

So far, the Encrp Ransomware has not been classified as belonging to any of the existing ransomware families, which means that it can be considered as a unique crypto locker threat. That doesn't mean that it deviates from what is considered the norm for these malware types necessarily. The Encrp Ransomware still aims to infiltrate the targeted computer where it performs an encryption process on nearly all of the stored files sneakily. Affected users are then extorted by the hackers for the potential restoration of the locked data. Every file encrypted by the Encrp Ransomware will have '.encrp' appended as a new extension to its original name. The note with instruction from the criminals is delivered as a text file named '__READ_ME_TO_RECOVER_YOUR_FILES.txt.' A copy of the note will be dropped in every folder that has encrypted files....

The Efji Ransomware is a new crypto locker threat that is a variant belonging to the Stop/Djvu Ransomware family. As such, it displays minimal variance when compared to the rest of the members of the infamous Stop/Djvu Ransomware family. The Efji Ransomware attempts to infiltrate the targeted computer without being detected and then proceeds to encrypt the files stored on it. The result is that the users will be 'locked' from accessing their private or business-related files. Upon encryption, every file will have '.efji' added as a new extension to the original filename. The customary ransom note with instructions from the cybercriminals is dropped as a text file named '_readme.txt.' Victims of the Efji Ransomware are told that they will have to pay $980 to the hackers in exchange for the restoration of the files. If communication is...

The FakeMBAM Backdoor is a Remote Access Threat propagated through the automatic updates of a torrent client (Download Studio) and three adblocker programs - NetShield Kit, My AdBlock, and Net AdBlock. Download Studio is a free torrent client that is popular in Russia and Ukraine mostly. As a result, most of the users affected by the FakeMBAM Backdoor are from these two countries as well. There is no concrete explanation about why the torrent client and the advertising block programs began delivering a backdoor threat through its automatic updates suddenly. Infosec researchers, however, found some disturbing aspects like code similarities between all four programs. There also is the fact that the websites for the three ad blockers are hosted from the same IP address, apparently. The FakeMBAM Backdoor itself is hidden inside an...

While the MaMoCrypt Ransomware shows little deviation from what is considered the typical behavior for such a threat at the surface, taking a closer look at the underlying code reveals some rather peculiar details. The MaMoCrypt Ransomware is a crypto locker threat based on the MZRevenge Ransomware. It is packed using 'mpress.' Once inside the targeted computer, the MaMoCrypt Ransomware will proceed to delete the Shadow Volume Copies created by the default Windows backup service. The threat also will disable both the default firewall and the User Account Control facility. The real unique features, however, begin with the start of the encryption process. The MaMoCrypt Ransomware goes after files located in a list of 23 hardcoded locations. They include most of the folders in 'C:\Users\%user%' path, DRIVES A-Z, WITHOUT C, the Steam...

DeathStalker is the name given to an Advanced Persistent Threat (APT) group of hackers that the researchers believe to be operating as mercenaries or offering hack-for-hire services. The basis for this analysis is the particular characteristics displayed in operations attributed to the group. Unlike what is considered the typical cybercriminal behavior, DeathStalker does not infect their victims with ransomware and does not collect banking or credit/debit card credentials, clear signs that the hackers are not seeking financial gain from their victims. Instead, DeathStalker appears to have specialized in the exfiltration of data from a very narrow array of victims. Apart from some singular exceptions, such as attacking a diplomatic entity, the group has gone after private companies operating in the financial sector, such as consultancy...

RAINBOWMIX is the researchers' name to a group of 240 Android applications designed to deliver out-of-context OOC advertisements to unsuspecting users. Before Google stepped up and took action, the entire group of threatening applications was available for download through the official Google Play store. According to the researchers, the applications had amassed over 14 million installations and generated over 15 million daily impressions collectively. Most advertising traffic came from Brazil - 21%, with Indonesia and Vietnam following closely behind. Around 7.7% of the traffic was determined to be from the U.S. To lure users, most of the applications offered emulation for retro games such as the ones available on the Nintendo NES systems. For the most part, this functionality was intact, and RAINBOWMIX did indeed deliver on its...