Neras Ransomware

Recently, malware researchers spotted another data-encrypting Trojan. It is called the Neras Ransomware, and when further dissected it became apparent that this ransomware threat is a variant of the infamous STOP Ransomware. It is not possible to confirm what propagation method has been employed in spreading the Neras Ransomware. However, it has been speculated that the authors of the Neras Ransomware may be using emails containing infected attachments, bogus application updates, and corrupted pirated software as the means of spreading their creation. If this file-locking Trojan infiltrates a machine successfully, it will scan it to determine the locations of the files it has been programmed to go after. Once this step is completed, the Neras Ransomware will begin encrypting the targeted data. When the Neras Ransomware locks a file,...

Posted on June 20, 2019 in Ransomware

Plurox

Any experienced cybersecurity expert knows that dealing with malware that uses a modular design is always a fascinating task. Since creating malware like this requires a fair bit of experience and expertise, encountering one is not a very common occurrence. Furthermore, such malware samples are likely to have some exciting features to explore. Such threats are also likely to make use of interesting techniques and vulnerabilities, which is another reason why the Plurox backdoor may turn out to be a very peculiar specimen. Malware experts have not yet determined what infection vector is being employed in spreading the Plurox threat. However, it has been confirmed that the authors of the Plurox backdoor have been using the popular exploits EternalSilence and EternalBlue. These exploits allow the threat to propagate itself to all the...

Posted on June 19, 2019 in Backdoors

KOMPROGO

There has been one main actor, in the shape of a hacking group, which has been terrorizing government institutions, media companies, and businesses in the region of South East Asia. This actor is the infamous hacking group OceanLotus, also dubbed APT32 (Advanced Persistent Threat). OceanLotus has a large arsenal of hacking tools. Among them is the KOMPROGO backdoor Trojan, a hacking tool which the OceanLotus group uses rather often in its threatening campaigns. In 2016, one of the more notable cases of attacks involving the KOMPROGO malware took place: the OceanLotus group targeted a Filipino private business and employed the KOMPROGO Trojan in this attack. The KOMPROGO Trojan can determine whether the system it has infiltrated is a sandbox, an environment used for debugging malware. This is a self-preservation technique, which...

Posted on June 19, 2019 in Malware

COPAN Ransomware

Recently, a brand-new ransomware threat was spotted circulating on the Web. It has been dubbed the COPAN Ransomware, and it appears to be a variant of the DCRTR-WDM Ransomware. It is not yet confirmed with any certainty which infection vector may be at play in spreading the COPAN Ransomware, but it is being speculated that the propagation methods employed by the cyber crooks responsible for this threat may be spam email campaigns, infected pirated software and bogus application updates. The COPAN Ransomware will begin by scanning the system it has infiltrated. The scan will determine the locations of the files that will be targeted for encryption by the COPAN Ransomware. Then, the COPAN Ransomware will begin locking the targeted data. When a file is locked, its name will be changed. The COPAN Ransomware adds an extension at...

Posted on June 19, 2019 in Ransomware

LooCipher Ransomware

Malware researchers have recently uncovered a new data-locking Trojan. Its name is LooCipher Ransomware, which appears to be a humorous spinoff of one of the alternative names of Satan – Lucifer. It seems that the LooCipher Ransomware does not belong to any of the popular ransomware families. Cybersecurity experts have not been able to determine what the exact propagation methods of the LooCipher Ransomware are, but it is highly likely that the infection vectors used for spreading this file-encrypting Trojan are the usual suspects – spam email campaigns, faux software updates and corrupted pirated applications. If the LooCipher Ransomware manages to infiltrate a PC, it will scan it to determine the locations of the files it has been programmed to go after. Once this is completed, the LooCipher Ransomware will start...

Posted on June 19, 2019 in Ransomware

RMS RAT

One of the common methods that cyber crooks use for spreading malware is disguising it as legitimate software. Sometimes just the interface is copied while the code is completely different, but sometimes cybercriminals tweak the code of legitimate applications and modify it in ways that make it useful for their harmful campaigns. The creators of the RMS RAT (Remote Access Trojan) have taken the latter approach. The cybercriminals behind the RMS RAT have used a widely known Russian remote access tool named 'Remote Manipulator System' as the basis for their creation. The legitimate variant of the 'Remote Manipulator System' tool requires the consent of both parties involved to establish a connection. However, the authors of the RMS RAT have modified the original tool, and they no longer need the permission or even...

Posted on June 18, 2019 in Remote Administration Tools

Orion Ransomware

Malware experts in the field of ransomware have spotted a new data-locking Trojan. It is called the Orion Ransomware. When cybersecurity researchers studied this threat, they concluded that it is a variant of the Major Ransomware. It is not yet known with any certainty what the exact propagation method used in the campaigns spreading the Orion Ransomware is. It is, however, believed that the cybercriminals who created the Orion Ransomware might be spreading it via emails that contain corrupted attachments, bogus software updates and infected pirated applications. When the Orion Ransomware infects a system, it starts the attack by scanning it. The goal is to locate the files that will then be encrypted. Once this is completed successfully, the encryption process is triggered. Once a file is locked by the Orion...

Posted on June 18, 2019 in Ransomware

VanillaRAT

The authors of the VanillaRAT have not released a ready-to-use threatening tool. Instead, they have opted to publish the full source code, which anyone can compile and use. They might have opted for this strategy with two things in mind: it would discourage inexperienced cybercrooks from trying their luck with this tool at all, and it would allow experienced cybercrooks to analyze the code and confirm that there are no unexpected backdoors that could harm their own systems. The project is written in C#, and the GitHub page where it is hosted contains extensive instructions on how to compile, configure and use the VanillaRAT. The VanillaRAT is a rather sneaky threat; it is capable of infiltrating a system and staying under the victim's radar by not inconveniencing the user in any obvious manner. The VanillaRAT also has a number of...

Posted on June 18, 2019 in Remote Administration Tools

Horon Ransomware

The Horon Ransomware is a recently spotted file-locking Trojan that has surfaced on the Internet. When malware experts came across this new ransomware threat, they looked deeper into it and revealed that the Horon Ransomware belongs to the notorious STOP Ransomware family. It is yet to be determined with full certainty what propagation method has been employed in spreading the Horon Ransomware. However, cybersecurity researchers speculate that the infection vectors used in propagating the Horon Ransomware may include mass spam email campaigns, faux application updates and infected pirated software. Once the Horon Ransomware gains access to a host, it will perform a quick scan. This scan will determine where the files the Horon Ransomware is meant to target are located. Then, the Horon Ransomware will proceed with the attack by...

Posted on June 18, 2019 in Ransomware

WSH RAT

Recently, a new RAT (Remote Access Trojan) emerged on a couple of underground hacking forums. It goes by the name WSH RAT and is being marketed as a hacking tool with several different capabilities, including infecting the host with additional malware, as well as collecting sensitive data like usernames and passwords. Closer examination of the WSH RAT's source code revealed that it uses identical function names and methods to H-Worm (Houdini Worm), a piece of malware that gained traction back in 2013. The authors of the WSH RAT know how to make an offer that is difficult to resist, at least for other cyber crooks. They rent out the full version of the WSH RAT for just $25 a month. This allows their clients to employ the WSH RAT in as many campaigns as they wish for the duration of the month they have pre-paid for. There...

Posted on June 17, 2019 in Remote Administration Tools

All-in-One Ransomware Removal Tool

Ransomware threats have been gaining increasing popularity among cyber crooks. They are seen as a way to make a quick buck on the backs of innocent users. However, not only are new file-locking Trojans being spewed out on a daily basis, but there are ill-minded actors who seek to cause further harm to people who have already fallen victim to ransomware threats. They do this by promoting bogus decryption tools. Recently, malware experts came across such a case on Reddit. A user was promoting an ‘All-in-One Ransomware Removal Tool’ as a legitimate way to recover data that has been affected by a ransomware threat. The creators of the All-in-One Ransomware Removal Tool go by the name ‘mEGAlYthIc pRoDuCtIoNS.’ First of all, the fact that this supposed ‘decryption tool’ claims to be able to decrypt files locked by ‘all’ ransomware...

Posted on June 17, 2019 in Potentially Unwanted Programs

0day Ransomware

Malware researchers have spotted a new data-locking Trojan emerging. This ransomware threat is called the 0day Ransomware. When dissected, the 0day Ransomware revealed that it belongs to the widely popular Dharma Ransomware family. It is not clear exactly how the 0day Ransomware is being spread, but cybersecurity experts believe that the infection vectors employed in propagating the 0day Ransomware may include mass spam email campaigns, infected pirated software, as well as faux application updates. When the 0day Ransomware manages to infect a system, it will trigger a scan. The idea behind the scan is to locate the files the 0day Ransomware was programmed to go after. When this step is completed, the 0day Ransomware will continue the attack by encrypting the targeted data. When the 0day Ransomware locks a file, it changes its...

Posted on June 17, 2019 in Ransomware

HACK Ransomware

A new ransomware threat has surfaced on the Internet – the HACK Ransomware. When malware experts came across the HACK Ransomware, they decided to look into it and discovered that this data-encrypting Trojan is a variant of the infamous Dharma Ransomware. Cybersecurity researchers have yet to determine with certainty which infection vector is used in propagating the HACK Ransomware. However, some speculate that the authors of the HACK Ransomware are spreading their threat via spam emails containing infected attachments, bogus software updates and corrupted pirated applications. Once the HACK Ransomware infiltrates a machine successfully, it begins the attack by scanning it. The purpose of this is to locate the files that will later be encrypted. When this is complete, the encryption process begins. After encrypting a file, the HACK...

Posted on June 17, 2019 in Ransomware

HAWKBALL

HAWKBALL is a backdoor Trojan. HAWKBALL's main purpose is to obtain information about the infected device and then deliver a secondary payload. PC security software has mostly responded to HAWKBALL and has been updated to detect and remove HAWKBALL. This is what makes having the latest updates for all security software an essential part of stopping threats like HAWKBALL. However, HAWKBALL is part of an ongoing malware campaign, and it is very likely that it will continue to be updated and that new targets will be selected for HAWKBALL attacks.

Why HAWKBALL is Threatening

HAWKBALL is being distributed through spear-phishing email campaigns targeting specific victims. HAWKBALL attacks are currently targeting Russian government entities located in Central Asia, and it is very likely that the individuals deploying HAWKBALL attacks are...

Posted on June 14, 2019 in Trojans

Echobot

Echobot is one of the many botnets based on the Mirai botnet, a botnet that was quite active in 2016 and spawned numerous copycats after the arrest of its creators. Mirai, at some point, managed to infect more than two million devices. The creators of Mirai released the code for this botnet, and Echobot is just one of the many botnets built on Mirai after its code became public.

How Echobot Carries Out Its Attack

Echobot is nearly identical to the Mirai malware. As part of the Mirai Botnet attack, Linux will be installed on the infected device, as well as various applications such as a Web proxy and software used to carry out DDoS attacks. While Mirai was mostly limited to the so-called Internet-of-Things, or devices that are not personal computers, Echobot carries out attacks on a wider variety of targets and has software...

Posted on June 14, 2019 in Botnets