WebDiscover Browser is an adware threat developed by a Canada-based company named WebDiscover Media. Once installed on a PC, the malicious app makes a series of unwanted changes to all browsers installed on the computer, leading to a deteriorating online surfing experience. WebDiscover replaces the default home pages and search engines of affected Internet browsers with its own WebDiscover Homepage and WebDiscover Search, respectively. Furthermore, the malicious app modifies the “new tab” settings so that the corrupted browsers launch the malware's own search portal page when the user opens a new tab. Chrome users may not even recognize WebDiscover as an unwanted program and think they...

PC security researchers received reports of ransomware attacks involving a threat known as the STOP Ransomware on February 21, 2018. The STOP Ransomware is based on an open source ransomware platform and carries out a typical version of an encryption ransomware attack. The STOP Ransomware is distributed using spam email messages containing corrupted file attachments. These file attachments take the form of DOCX files with embedded macro scripts that download and install the STOP Ransomware onto the victim's computer. Learning how to recognize phishing emails and avoiding to download any unsolicited file attachments received is one of the ways to avoid these attacks. How to Recognize a...

Getting an OS system error message while working on a project can be quite an unpleasant surprise. Whether relating to MS Windows, or Mac OS, such a bug is always bound to disrupt your normal computer work. While some errors tend to be system-specific, others can affect both Windows and Mac-based systems, albeit designating totally different problems. The so-called Code 43 error message, for example, is primarily associated with device driver problems in Windows PCs, on the one hand, and file transfer issues on Mac machines, on the other. If you are using Windows and looking for a way to fix this specific error, click here for a guide with possible solutions. If you are a Mac user,...

At first glance, the Newsbreak.com website appears to be a useful tool that would provide its visitors with the latest news. However, this is one of the countless bogus websites online that do not provide any content of value, and instead, seek to benefit from their visitors using various shady tricks. Spams Users with a Constant Flow of Advertisements Upon visiting the Newsbreak.com page, users will be asked to permit the site to display Web browser notifications. Keeping in mind that this fake page poses as a legitimate news website, many users may be tricked to allow browser notifications thinking that they will be alerted for the latest breaking news. However, this is not the case,...

The APT (Advanced Persistent Threat) group was spotted sending out spear-phishing emails that allegedly have detailed information about COVID-19, a.k.a. Coronavirus, but instead, they infect the victims with a custom remote access Trojan (RAT). The group is using the coronavirus pandemic to infect unsuspecting victims with a previously unseen malware. The malware is dubbed 'Vicious Panda' by researchers, with the attackers using it in a campaign at the moment. Researchers managed to find two Rich Text Format (RTF) files that were targeting the Mongolian public sector during the outbreak. Once the files are open, a unique and custom-made remote access Trojan is executed. It develops a list...

.HOW Ransomware is a new file-encrypting Trojan, which appears to belong to the notorious Dharma Ransomware family. Data-lockers like the .HOW Ransomware are not built from scratch. Instead, their creators borrow the code of well-established threats like the Dharma Ransomware and create a new copy of it with a different name.  Propagation and Encryption To cause a significant amount of damage to the compromised host, the .HOW Ransomware is likely to go after a wide array of filetypes, such as .doc, .docx, .pdf, .txt, .mp3, .midi, .mid, .aac, .wav, .mov, .webm, .mp4, .db, .zip, .rar, .jpg, .jpeg, .png, .svg, .gif, .xls, .xlsx, .ppt, .pptx and others. The .HOW Ransomware uses a complex...

Over the course of the past few years, hackers and cybercrooks armed with sophisticated malware have stolen literally hundreds of millions of dollars from online banking accounts and individuals all over the world. We have said it many times before in recent articles, the days of robbing banks in person are gone and now it all takes place behind a screen of a computer connected to the Internet. The Internet can be the most useful tool in business, school or every-day life. At the same time, the Internet can make someone's life a living hell in the event that one becomes the next victim of a cybercrime. A large percentage of the world's population that uses computers over the Internet are aware of cybercrime and the consequences that they may face if they succumb to a cybercriminals' trap. Others who have no clue as to the dangers they...

Search Marquis is a browser component that may disguise itself as a helpful tool that will enhance the browsing quality of popular browsers like Chrome and Safari. In fact, it is a shady browser extension that aims to alter the browser's setting without the user’s knowledge and consent. The main purpose of this Potentially Unwanted Program (PUP) is to sneak stealthily into Mac computers and generate revenue for its operators. This happens through a number of intermediate redirects through various dubious domains before displaying Bing.com results. This Week In Malware Episode 36 Part 2: Why Your Web Browser is Redirecting to Search Marquis & and How to Stop It! Once installed on a Mac...

The 'Advance Payment Received' email virus represents a spam email campaign distributing a malware threat. The emails are crafted to appear as if a user's deposit payment has been accepted or pre-processed. The attached file supposedly contains the order details. To give themselves a bit more legitimacy, the emails end with contact details for Cox Enterprises, Inc., a global conglomerate operating in the automotive service, communication, and media industries. This is all fake, though, and Cox Enterprises, Inc is in no way connected to the dissemination of these corrupted emails. Indeed, no part of the information inside the emails is real. They are simply acting as a lure to get the targeted users to open the attached file - 'dep_det_3444608.docm,' resulting in the malware inside it being executed. The malware delivered through the...

The advent of mobile technology and mobile phones' emergence has turned these devices into an inseparable and essential part of our daily lives. Indeed, the use of mobile phones has permeated every sector of our society - from our private moments inside our homes to the dynamic workflow of business life. However, having to juggle between an ever-increasing number of different gadgets means that there are now more opportunities for problems to start cropping up. So what to do if you, for example, want to create a backup of your phone to your computer system but the devices keep disconnecting constantly? The first step towards addressing the issue is to check the condition of the cable connecting the phone and the computer. Phone cables are being used almost constantly, resulting in a faster wear-and-tear. Inspect the cable for any...

Sterthreat.top is a deceptive website that tries to trick anyone who lands on it into subscribing to its push notification services. The website itself is virtually identical to the countless other websites that are also perpetuating this Web browser tactic. More and more such websites are emerging every single day, and the trend appears not to be slowing down. The main scenario run in this tactic, and the one employed by Sterthreat.top, is to pretend to conduct a captcha check for bots. Prominently displayed across the webpage is a message similar to: 'Click ALLOW to confirm that you are not a robot!' In addition, several fake alerts or error messages also can be generated. One such example is - 'Sterthreat.top says: CLICK ALLOW TO CLOSE THIS PAGE.' Users who fall for the trap will be subjected to a stream of unwanted advertisements....

Luckhours.com is a mostly empty website dedicated to the propagation of a popular browser tactic. It tries to trick visitors into subscribing to its push notification services by employing various manipulative and deceptive social engineering tactics. In practice, this is achieved by baiting users into clicking the 'Allow' button. Several fake alerts or error messages are usually displayed, each asking users to click the button. Doing so will grant Luckhours.com the browser permissions it requires to start executing its main function - the delivery of unwanted and intrusive advertisements to the affected device. One tactic that has been used by Luckhours.com is to display a video window with a buffering icon in the middle. The site displays the message - 'Click Allow to continue' prominently. While it is questionable if a video would...

The EnCrypt13d Ransomware is a newly detected threat that has been unleashed in the wild The EnCrypt13d Ransomware is capable of locking users out from accessing a wide range of filetypes completely, including the most popular personal or work-related files such as PDFs, archives, images, video, and audio files, MS Office documents, OpenOffice documents, databases, etc. Analysis of the EnCrypt13d Ransomware revealed that the threat belongs to the Xorist Ransomware family. The fact that the threat is not unique doesn't diminish its destructive capabilities in the slightest. When the EnCryp13d Ransomware initiates its encryption routine, it will modify all affected files' original names by appending '.EnCryp13d' as a new extension. The threat also will deliver a ransom note with instructions for its victims. The note will be displayed in...

Infosec researchers have been able to identify a malvertising campaign that encompasses several different mobile environments and platforms. Called LuckyBoy, the threatening operation targets Android, iOS, and Xbox users, or in other words, products belonging to the Google, Apple, and Microsoft ecosystems, respectively. The malware shows a high degree of sophistication and is equipped with various obfuscation and anti-detection capabilities. A global variable 'luckyboy' is used by the threat in continuous checks that allow it to determine whether it is operating inside a testing environment or if there are any blockers or active debuggers present on the targeted device. Should any be detected, the malware threat stops its execution. Once fully deployed, the LuckyBoy Malware establishes a tracking pixel that is capable of redirecting...

A new crypto-mining malware strain has been leveraged against NAS (Network-attached storage) devices belonging to the Taiwanese hardware vendor QNAP. Details about the operations were unveiled by the company itself in a security advisory. QNAP first became aware of the threatening campaign after customers discovered two suspicious processes named 'dovecot' and 'dedpma.' The processes were taking up a significant portion of the available resources and were constantly running in the background. After conducting an investigation into the issue, QNAP discovered the new malware strain and named it Dovecat. The Dovecat Malware appears to be designed to target QNAP's devices specifically. One example is the attempt to disguise one of the malware's processes by using a name similar to Dovecot, a legitimate email daemon distributed alongside...

WizardUpdate is an application that combines the capabilities of a browser hijacker and adware. The application's goal is to sneak itself onto the user's computer, in most cases through deceptive or manipulative distribution tactics, take over the Web browser, and then promote a sponsored link while also causing unwanted redirects leading to third-party advertisements. The browser hijacker functionality of WizardUpdate includes the application taking over specific Web browser settings - the homepage, new page tab and the default search engine. The address promoted by the application is WizardUpdate Search, and as is to be expected, it is nothing more than a fake search engine. By itself, it cannot deliver any search result at all as it simply lacks that functionality. Instead, every search query conducted in the affected browser will...

The 'Stopped Processing Incoming Emails' scam is a harmful campaign aiming to collect users' credentials. The perpetrators disseminate thousands of misleading and manipulative emails to unsuspecting users in an attempt to get them to visit a phishing website. This tactic's scenario is to pretend that the user's email has been suspended and access to it has been limited. As a result, the email can supposedly no longer process incoming emails. To remedy the situation, users are instructed to follow a link found inside the misleading email where they are asked to update their account by providing the required credentials. The phishing website then harvests all of the information needed and makes it available to the fraudsters. It must be noted that nothing said inside these emails is true and shouldn't be taken with any amount of...

Search.onlinebars.xyz is a browser hijacker application designed to promote a sponsored address by generating artificial traffic towards it. Search.onlinebars.xyz operates in the typical way associated with PUPs (Potentially Unwanted Programs) by sneaking onto the user's computer, usually without the person noticing, and then taking over certain Web browser settings. In this case, the homepage, new page tab, and the default search engine will be set to open search.onlinebars.xyz. Whenever the user opens the affected browser, starts a new tab, or conducts a search query, it would result in traffic towards the promoted address immediately. Furthermore, the search engines associated with browser hijackers are almost always classified as fake as they cannot produce search results by themselves. Instead, they redirect all searches through a...

The DEcovid19bot Ransomware is a file-locking Trojan that can block media like documents with its encryption. Depending on the variant, it may insert one of two extensions in their names and drop one of two ransom notes that sell the attacker's unlocking help to victims. Victims should protect their work with proper backups and their PCs with anti-malware products that should remove the DEcovid19bot Ransomware automatically. The Plague's Next Wave Crashes against Computer Data The Coronavirus or COVID-19 epidemic is an event that even hackers notice, as readers can see with the different Trojans' campaigns. Still-recent cases include the boot-locking Covid-20 Ransomware, the data-locking CoronaCrypt Ransomware and others. The new the DEcovid19bot Ransomware is another point in favor of the theme as part of the payloads of...

The Solaso Ransomware is a file-locking Trojan that may be a variation of the Encrp Ransomware. The Solaso Ransomware attacks are almost identical to those of the previous Trojan, including blocking the user's media files by turning them into encrypted versions. Users should withhold ransoms whenever possible and let professional cyber-security programs safely remove the Solaso Ransomware from compromised systems. Words from Last Year in a 'New' Trojan's Mouth In the second half of 2020, a particularly-unassuming Windows threat became part of threat databases, alongside the usual Ransomware-as-a-Services, spin-offs of 'free' code projects, and the like. Malware researchers gave the Encrp Ransomware an initial analysis, noted its efficacy for blocking files and moved on to more complex threats. In the new year, it's coming back, either...

When a disk drive does not read, users may find themselves shut off, not just from media like movies, but crucial recovery tools like mandatory drivers, operating system installers and system recovery resources. Experts always recommend that users troubleshoot and repair functionality for non-working disk drives reasonably promptly. However, most non-reading disk drive causes aren't severe security problems, and users can deal with the majority by following some standardized recovery steps. Before jumping to conclusions, users should check the supported formats for their disk drive. CD-RW (CDs that the user can rewrite), CD-R, DVD, and Blu-ray are specific formats with individualized requirements – even though the disks look identical. An incompatible disk will not read in the 'wrong' drive, regardless of other factors. However,...

Lyminuscrib.top is a potentially fraudulent online tactic through which cybercriminals trick users into subscribing to browser notifications from an empty website. In this case, the malware developers' primary goal is to advertise untrusty websites and products by delivering aggressive pop-up messages to users' computers directly. Lyminuscrib. top's page has no content but is only used as an instrument to receive users' permission to send them notifications, which is achieved through a common clickbait trick. A message disguised as a CAPTCHA-verification test asks visitors to click on an 'Allow' button and confirm they are not robots. Yet, by following these instructions, the users agree to receive browser notifications from this dubious website. Content generated by Lyminuscrib.top may include fake warnings, offers, security alerts or...

Dayznews.biz is a browser-based tactic that promotes untrusty websites and services on the Internet. Pages typically advertised by Dayznews.biz concerns online gambling, adult content, fake/cracked software, and Potentially Unwanted Applications (PUAs), which are all resources that can spread various harmful malware threats. To display its questionable banners and advertisements on users' computers, Dayznews.biz uses a popular social engineering tactic. However, people visiting the website see no meaningful content; the website pretends that there is some file ready for download: 'Dayznews.biz wants to Show notifications Your file is ready to download' Clicking on the 'Download' button permits Dayznews.biz to deliver browser notifications to the user's computer or mobile phone directly, allowing thus this fraudulent page to run its...