BitterRAT

The BITTER hacking group is a crew of highly skilled cybercriminals believed to originate from South East Asia. Malware researchers first spotted this APT (Advanced Persistent Threat) back in 2015, and it is still active to this day. Most of the victims of the BITTER hacking group are located either in Pakistan or in China.

Often Operates in Combination with the ArtraDownloader

One of the tools most commonly used by the BITTER APT is the BitterRAT. Usually, the BITTER hacking group tends to combine the BitterRAT with the ArtraDownloader. These two pieces of malware appear to be the most preferred tools in the hacking arsenal of the BITTER APT. The ArtraDownloader serves as a first-stage payload, which enables the attackers to plant the BitterRAT on the infected host. When this is completed, the operators of the...

Posted on August 27, 2019 in Remote Administration Tools

GEROSAN Ransomware

The GEROSAN Ransomware is one of the most recently spotted file-encrypting Trojans on the Internet. A growing number of cyber crooks are pumping out ransomware threats, as they are seen as a high-reward, low-risk type of endeavor that is likely to generate them some good revenue.

Propagation and Encryption

Once the GEROSAN Ransomware was uncovered, malware researchers began studying it and concluded that this data-locking Trojan is a variant of the notorious STOP Ransomware. Researchers are not sure which infection vectors are employed in the spreading of the GEROSAN Ransomware. Some have speculated that the most common methods of propagating this kind of threat may be at play in the case of the GEROSAN Ransomware too – fake software updates, bogus pirated copies of popular applications and mass spam email campaigns. When the GEROSAN Ransomware...

Posted on August 27, 2019 in Ransomware

Xilbalar.com

Xilbalar.com is a website that does not host any unsafe content, but it hosts a myriad of potentially unwanted advertisements. If you have found yourself on Xilbalar.com, it is likely because you have been browsing other Web pages with dodgy content, such as adult entertainment sites and sites involved in the distribution of pirated applications and media. Websites with dubious content usually form a network and promote each other on their platforms. As soon as Xilbalar.com gets access to your system, it will begin bombarding you with advertisements of all types – pop-up ads, constant browser notifications, flashing windows, etc. Sometimes, these advertisements may involve pornographic content or other potentially disturbing imagery. Apart from this, Xilbalar.com also is likely to promote pages for other shady services...

Posted on August 27, 2019 in Browser Hijackers

Web Hosting Provider Hostinger Suffers Data Breach


On August 23, web hosting provider Hostinger announced that it had suffered a significant data breach that could potentially have affected a huge number of its customers. In the wake of the incident, Hostinger reset its users' passwords as a safety measure. The official statement from the hosting company said that a hacker gained access to Hostinger's internal API and through that reached a server containing hashed passwords, as well as additional "non-financial" customer information. The affected information includes users' provided first and last names, as well as their chosen usernames, IP addresses, hashed passwords, and contact information. Passwords have been hashed using the...

Posted on August 26, 2019 in Computer Security

Windows Driver Vulnerabilities Exposed at DefCon Security Conference


During the 27th annual DefCon computer security conference, researchers working with Eclypsium exposed serious vulnerabilities they discovered in a variety of Windows drivers. The main flaw outlined in the report was that the drivers allowed applications running with low privileges in the userspace portion of the system to gain unwarranted access to the system kernel. Drivers operate at a different privilege level than regular software such as Microsoft Office, so the design flaw in the few dozen drivers mentioned in the report allowed bad actors to exploit the drivers and gain full access to the compromised system. All the problematic drivers were...

Posted on August 26, 2019 in Computer Security

Gloyah.net

There are many individuals with shady intents looking to make a buck on the Internet. It is not just cybercriminals developing different malware or people creating various dubious software. There also are websites with dodgy content. An example of this is the Gloyah.net Web page. The one and only goal of this website is to trick the user into giving it permission to send them notifications and pop-up advertisements. Gloyah.net's author has opted to use a popular URL shortening service, namely Adf.ly, which also offers monetization options. However, Adf.ly is a legitimate website that provides a legitimate service and is in no way related to Gloyah.net. The more you browse low-quality Web pages, the higher the chance is of coming across the Gloyah.net page. Such pages often work in cooperation with various shady...

Posted on August 26, 2019 in Browser Hijackers

MicroLeaves

MicroLeaves is an application that falls under the category of adware. This means that this application is not threatening and will not harm you or your system. However, this does not mean that MicroLeaves has no negative effects on one's browsing quality. On the contrary, the MicroLeaves application can prove to be quite an irritating pest. MicroLeaves may pester you with ads that it is able to inject into your Web browser's tabs. It also can use page redirects, as well as other online marketing methods, to present you with as many advertisements as possible. Despite this not being considered an inherently unsafe activity, it will likely cause great irritation. Applications with dubious content like the MicroLeaves application usually end up on users' systems via software bundles containing different freeware. This is not the only way,...

Posted on August 26, 2019 in Adware

Gretaith.com

Gretaith.com is a website that hosts advertisements and promotes them on various low-quality websites. If you browse such Web pages, you may have stumbled upon Gretaith.com's advertisements. This is not such a huge issue, as you will have the option to close said advertisements. However, the Gretaith.com website, like many other dubious websites, uses social engineering techniques to trick users into granting it special permissions. One of its methods is to prevent the user from viewing certain content, like a video or a song, unless they give Gretaith.com permission to display notifications. Once the user falls for this trickery, Gretaith.com will not hesitate to begin bombarding them with advertisements for all sorts of shady services and products. It is likely that the Gretaith.com activity on your system is not caused by any...

Posted on August 26, 2019 in Browser Hijackers

Hatnofort.com

Browsing shady websites often may expose you to various digital content that you are not used to seeing. For example, Hatnofort.com is a page known to host exactly this sort of content – it may display a video player that is said to contain interesting media content. However, the user is not allowed to view it unless they complete a certain action – the Hatnofort.com page asks them to click the 'Allow' button on a prompt that asks for authorization for Hatnofort.com to display browser notifications. While this may not be considered a big deal, meeting this requirement will enable Hatnofort.com's authors to push advertisements through your browser's integrated notification feature. The advertisements that Hatnofort.com promotes may vary, but they are likely to have one thing in common – they will show up no matter whether your browser...

Posted on August 26, 2019 in Browser Hijackers

Estemani Ransomware

The Estemani Ransomware is a file-locking Trojan that targets a very long list of file types. This ensures maximum damage once it manages to infiltrate a user's system. This data-encrypting Trojan propagates itself by masquerading as different content, such as pirated applications, game cracks, cheat codes for popular games, and '.zip' archives. When the Estemani Ransomware compromises a computer, it scans it to locate the targeted file types, which are then locked. Then, the encryption process takes place. Once the Estemani Ransomware encrypts a file, it changes its name by adding a '.estemani' extension at the end of the filename. Then, the Estemani Ransomware drops a ransom note. The note is named 'HOW_DECRYPT_FILES.txt' and contains the attackers' ransom message, which reads: 'Greetings, We are...

Posted on August 26, 2019 in Ransomware

New Google Chrome Malware with Sneaky Payload Steals User Credentials


Cybersecurity companies are continually scanning the online environment to find new malware threats that could put user privacy at risk and to understand the typical distribution vectors through which such attacks are conducted. Recently, researchers have come across a new piece of malware that strongly resembles other already known credential-stealing threats. However, the analyzed sample seems unique not only in that it specifically targets the Google Chrome browser, unlike other known threats that aim at all popular Internet browsers, but also in the technique that it uses. This new threat is not obfuscated and should theoretically be blocked by anti-malware solutions. However,...

Posted on August 25, 2019 in Computer Security

Over 5 Million Credit Cards Leaked Online After Hy-Vee Supermarkets Data Breach


In mid-August, a large batch of credit card credentials was put up for sale on the underground web. The credentials were reportedly stolen from various hacked facilities belonging to the Des Moines-based supermarket chain Hy-Vee. In mid-August, Hy-Vee officially announced that it had suffered a security breach and that data was extracted, including customer information processed by the electronic systems used by some Hy-Vee gas pumps and drive-thru restaurants. As of the announcement, the company had not yet determined the exact scope of the breach or its starting point. The usual approach bad actors use in this sort of scenario is the remote installation of malicious software on the devices that...

Posted on August 24, 2019 in Computer Security

New Email Spam Campaign Poses as an IRS Message to Taxpayers


Cybersecurity researchers warn about a new e-mail spam campaign, detected in the middle of August 2019, in which online scammers pretend to be agents of the Internal Revenue Service (IRS). The goal of this new tax-related scam is to download malware onto the victim's computer, as well as to collect sensitive user data. As in a typical phishing campaign, the impostors send taxpayers e-mail messages claiming to contain important information about their tax refunds, online accounts, or electronic returns. In order to look authentic, the e-mails include links to websites that strongly resemble IRS.gov pages, as well as temporary passwords through which the users are asked to access the relevant...

Posted on August 23, 2019 in Computer Security

Asruex

The majority of users on the Internet tend to neglect updating their software and their operating systems. It may be a tedious task to keep all your applications up to date, but it is necessary if you want to keep malware away from your system. Since there are so many people who fail to do this, cyber crooks have tailored special malware targeting systems running outdated software or outdated operating systems. A new variant of Asruex that was spotted by security researchers in the summer of 2019 uses specific vulnerabilities in MS Office and Adobe products to infiltrate its victims' systems. In the past, Asruex used various infection vectors, including malicious shortcuts, hijacked digital certificates and executable HTML files. In August 2019, researchers working with Trend Micro found a new variant of Asruex that was distributed...

Posted on August 23, 2019 in Trojans

SGUARD Ransomware

There is an ever-increasing interest in ransomware threats, and this is clear to see as new data-locking Trojans are pumped out on a daily basis. Malware researchers are struggling to keep up and analyze all the newly emerging ransomware threats. Their goal is to develop publicly available decryption tools to help the victims of ransomware, but this is truly an uphill battle for cybersecurity experts.

Propagation and Encryption

One of the most recently spotted ransomware threats is the SGUARD Ransomware. Researchers have not yet determined the infection vectors utilized in the propagation of the SGUARD Ransomware. It is highly likely that the creators of the SGUARD Ransomware have employed mass spam email campaigns, bogus software updates, and fake pirated copies of legitimate applications to spread this new file-encrypting...

Posted on August 23, 2019 in Trojans