Poop Ransomware

The Poop Ransomware is an encryption ransomware Trojan. The Poop Ransomware uses a strong encryption algorithm to make the victim's files inaccessible, essentially taking them hostage. The Poop Ransomware then demands a ransom payment in exchange for restoring the data it has captured.

How the Poop Ransomware Attacks a Computer

The Poop Ransomware can be delivered in many ways, including corrupted spam email attachments or direct attacks on a device. Once the Poop Ransomware is installed, the Poop Ransomware runs a scan of the victim's computer, searching for the user-generated files. The Poop Ransomware uses AES encryption to encrypt any file it finds, adding the file extension '.poop' to each file compromised by the attack. The Poop Ransomware targets the files below in this attack: .jpg, .jpeg, .raw, .tif, .gif, .png, .bmp,...

Posted on June 14, 2019 in Ransomware

Vesad Ransomware

The Vesad Ransomware is an encryption ransomware Trojan. The Vesad Ransomware was first released in June 2019. The Vesad Ransomware is one of the many variants in the STOP family of encryption ransomware.

How the Vesad Ransomware Carries Out Its Attack

The Vesad Ransomware carries out a typical encryption ransomware attack, using a strong encryption algorithm to make the victim's files inaccessible and then demanding a ransom payment from the victim. Initially, the Vesad Ransomware scans the victim's computer in search of the user-generated files, which may include files with the following file extensions: .jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd,...

Posted on June 14, 2019 in Ransomware

ShellTea

PoS (Point-of-Sale) malware is a rather direct method of stealing cash and is preferred by some cybercriminals and hacking groups. This threat works by infiltrating a PoS machine and collecting the sensitive information of the credit cards it services. Often, the cyber crooks target the hotel industry. High-end hotels are the most sought-after victims as they are likely to deal with rich clients with fat bank accounts. FIN8 is a hacking group, which is known for having an appetite for this cybercrime. The last campaign of the FIN8 group was spotted back in 2017. They employed the PunchBuggy and ShellTea backdoors in an attack targeting the hospitality sector. It was speculated that the FIN8 hacking group might have dissolved because they had been inactive since 2017. However, it turned out that the FIN8 group is alive and well. This...

Posted on June 13, 2019 in Trojans

Skipper

The Turla hacking group is one of the most infamous actors in the world of cybercrime. They have been given the APT (Advanced Persistent Threat) title by cybersecurity experts. This APT is believed to originate from Russia and is likely to be working with the Russian Government. The reason this is so widely believed is the choice of targets that the Turla hacking group goes after. Most of the victims of the Turla APT are linked to politics in one way or another. Often, the targets are political actors in ex-Soviet states, as well as Western government entities. This is why malware experts believe that the efforts of the Turla APT are directed at furthering the political interests of the Kremlin. This hacking group is well-known for its affinity for using old hacking tools alongside new ones. They tend to update their cyber-threats...

Posted on June 13, 2019 in Trojans

Armageddon Ransomware

Recently, malware experts happened upon a new ransomware threat. This file-encrypting Trojan appears to be based on the HiddenTear Ransomware – an open source ransomware project. It is not known exactly what propagation method is employed in spreading the Armageddon Ransomware, but it is speculated that some of the methods used may be fraudulent software updates, corrupted pirated applications and spam email campaigns. When a machine is infiltrated by the Armageddon Ransomware, it would be scanned with the end goal of locating the files, which will be encrypted in the next step of the attack. Once that is done, the encryption process will be executed. The Armageddon Ransomware alters the names of the files it locks. When the encrypting of the data is completed, the Armageddon Ransomware launches a pop-up window, which serves as a...

Posted on June 13, 2019 in Ransomware

‘Unlock11@protonmail.com’ Ransomware

Malware researchers have come upon another emerging data-locking Trojan recently. This threat is called the ‘Unlock11@protonmail.com’ Ransomware. This malware does not seem to belong to any of the famous ransomware families. It is not confirmed what infection vectors are employed in propagating the ‘Unlock11@protonmail.com’ Ransomware. However, it is likely that the creators of the ‘Unlock11@protonmail.com’ Ransomware may be relying on spam emails containing corrupted attachments, faux application updates, and infected pirated software to spread their threat. Once a system is infiltrated by the ‘Unlock11@protonmail.com’ Ransomware, the threat would begin a scan. The scan is meant to determine the locations of the files, which the ‘Unlock11@protonmail.com’ Ransomware is targeting. Then, the ‘Unlock11@protonmail.com’ Ransomware would...

Posted on June 13, 2019 in Ransomware

Warning: Digitally Signed Malware is On the Rise

Code signing is, theoretically, a great tool for discriminating between legitimate executables and suspicious, potentially harmful malware. However, recent submissions to online threat databases show a worrying trend: an increasing amount of real malware is being distributed with very real certificates issued by real authorities. Over the course of roughly 12 months, VirusTotal, a service that collects, catalogs and analyses threat samples using a variety of tools and methods, has accumulated nearly 4000 different pieces of malware that have all been digitally signed by legitimate certification authorities. The institutions issuing those certificates included Entrust, DigiCert, Go Daddy, GlobalSign, Sectigo and VeriSign. The data comes from a report published by Medium's Chronicle Blog. There may be more Digitally-Signed Malware than...

Posted on June 13, 2019 in Computer Security

IPStorm

Some more dedicated cybercriminals focus their efforts on building large-scale botnets, which can be used for various purposes and prove to be very profitable. However, building up a sizeable botnet and then maintaining it is not easily achievable. This is why not many cyber crooks have succeeded in this task. Botnets can be employed in different operations. A very common one is using a botnet for DDoS (Distributed Denial of Service) attacks. Other times the hijacked machines can be used for mining cryptocurrency, which is then sent to the operator of the botnet. However, when spotted, it may not be evident what the purpose of a botnet is. This is the case with the IPStorm botnet – malware researchers are yet to identify what operations this botnet is involved in. It has not been confirmed how this threat is being propagated. The...

Posted on June 12, 2019 in Malware

PCASTLE

PCASTLE is not the most sophisticated malware when it comes to the way it was created - its sole function is to execute a series of PowerShell commands that perform the actions that will be discussed in this post. Ever since cryptocurrencies gained traction, cybercriminals have been finding more and more ways to misappropriate them or generate them on the backs of unsuspecting users. In its essence, the PCASTLE malware is a Trojan cryptocurrency miner. It is not known with certitude how exactly the PCASTLE malware is being propagated, but cybersecurity experts have identified who the target is – computers located in China. Out of all identified victims of the PCASTLE threat, 92% are machines with Chinese IP addresses. Once the PCASTLE Trojan lands on a host, it executes the XMRig mining tool to start mining the cryptocurrency of...

Posted on June 12, 2019 in Malware

Html Ransomware

Malware researchers have come across a new threat recently, which they called the Html Ransomware. When it was dissected, the Html Ransomware was revealed to be a variant of the very widely known Dharma Ransomware. Cybersecurity experts have not been able to identify the infection vector employed in spreading the Html Ransomware, but it is speculated that the authors of the threat may be using spam email campaigns, bogus software updates, and corrupted pirated data to propagate their creation. Once the Html Ransomware gets access to a computer, it starts off the attack by performing a scan of the data present on the system. When the scan is completed, the Html Ransomware will have located all the files which it intends to encrypt. Then, the Html Ransomware would begin the encryption process. When a file undergoes the encryption...

Posted on June 12, 2019 in Ransomware

Bisquilla Ransomware

Recently, cybersecurity experts happened upon a new ransomware threat – the Bisquilla Ransomware. Unlike most newly emerging malware of this type, the Bisquilla Ransomware appears to be a project started from scratch, rather than a slightly altered variant of an already existing file-locking Trojan. Most ransomware authors have been getting rather lazy recently, and instead of creating their own threats, they rely on already established data-encrypting Trojans like the Dharma Ransomware or the STOP Ransomware to build their threats on. The Bisquilla Ransomware is an exception to this rule. This threat is disguised as a Google Chrome updater. When the Bisquilla Ransomware infiltrates your system, it will present you with a pop-up window, which states ‘Please relax and enjoy a warm cup of tea while I encrypt your files. Do not turn off...

Posted on June 12, 2019 in Ransomware

ICEFOG

ICEFOG (also called Fucobha) is a threat that has been familiar to malware researchers for a while now. This threat has been around since 2013 and is believed to originate from a Chinese-speaking hacking group also named ICEFOG. The ICEFOG malware did not manage to stick around for long and was believed to be an abandoned project. However, a reputable malware expert has released a statement that two updated variants of the ICEFOG malware have been spotted recently. The new versions of the ICEFOG threat are believed to have been used in campaigns in 2014 and 2018. There is evidence that the new variants are being used by several different APTs (Advanced Persistent Threats), not just by the original creators of the ICEFOG malware. The new and updated versions of the ICEFOG malware are called ICEFOG-M and ICEFOG-P. They pack a serious number...

Posted on June 11, 2019 in Malware

GoldBrute

Often, the first place where cybercriminals look to penetrate a machine running Windows is Microsoft’s RDP (Remote Desktop Protocol). One of the most significant Windows OS vulnerabilities to be unveiled in the past few months is BlueKeep. Exploiting this vulnerability would potentially enable malware to spread laterally and greatly amplify its reach and the harm it causes. Recently, the Remote Desktop Protocol has been targeted by cyber crooks again and, much to the surprise of malware experts, the attackers have not exploited the BlueKeep vulnerability. This latest campaign is remarkable in its scale, but the cybercriminals have decided to keep it simple this time. The activity of a huge botnet was spotted by cybersecurity experts recently. The botnet in question is called GoldBrute. The GoldBrute botnet locates RDP-enabled...

Posted on June 11, 2019 in Botnets

Myskle Ransomware

Cybersecurity researchers have come across a new data-encrypting Trojan recently. This threat was given the name Myskle Ransomware. It is likely that this new ransomware threat is a variant of the well-established STOP Ransomware. It is not yet clear what infection vector is employed by the cyber crooks responsible for the Myskle Ransomware, but malware experts believe that this file-locking Trojan may be propagated via spam emails containing infected attachments, bogus software updates and corrupted pirated content. Once the Myskle Ransomware penetrates a system successfully, it begins the attack with a scan. The idea behind the scan is to locate the files which are targeted for encryption. After completing the scan and locating the desired files, the Myskle Ransomware would begin encrypting them. This threat adds an extension at the...

Posted on June 11, 2019 in Ransomware

Muslat Ransomware

Recently, malware researchers have spotted a new ransomware threat emerging, which has already claimed one victim in Morocco. This new data-locking Trojan was dubbed Muslat Ransomware, and when examined further, this ransomware threat was revealed to be a part of the infamous STOP Ransomware family. It is not known with full certainty what propagation method the cyber crooks responsible for the Muslat Ransomware have applied in spreading their creation, but experts speculate that the infection vectors may include mass spam email campaigns, alongside pirated software and faux app updates. When the Muslat Ransomware infiltrates the targeted host, it begins scanning the system. The purpose of the scan performed by the Muslat Ransomware is to determine the locations of the files which will be targeted for encryption. When the scan is...

Posted on June 11, 2019 in Ransomware