GAMEFISH

GAMEFISH (also known as Downrage) is a tool belonging to the infamous hacking group Fancy Bear, also tracked as APT28 (Advanced Persistent Threat 28) and Sofacy. Fancy Bear is believed to originate from Russia and is known to have been active since 2004, so it is fair to say that they are not new to this. These cyber crooks have a particular taste for high-profile political targets, which has led malware experts to believe that Fancy Bear may be linked to the Russian government and is likely operating on its behalf to further Russian interests globally. One of Fancy Bear's recent large-scale operations was the attack launched against certain French political actors ahead of the 2017 French presidential election. It is likely that the GAMEFISH tool is used in the first stage of an attack...

Posted on June 10, 2019 in Malware

Boston Ransomware

Malware experts have recently discovered a new ransomware threat circulating on the Web. This new file-locking Trojan was dubbed the Boston Ransomware, and when it was dissected further, it became clear that the threat belongs to the STOP Ransomware family. It is not yet clear exactly how the authors of the Boston Ransomware are propagating their creation. However, experts speculate that pirated software, mass spam email campaigns, and bogus software updates may be at play. Once the Boston Ransomware infiltrates a host, it starts scanning the system. The purpose of this scan is to determine the locations of the files the threat was programmed to target. Then, the Boston Ransomware starts encrypting the targeted data. When the Boston Ransomware locks a file, it appends an extra extension to the file name: '.boston'...

Posted on June 10, 2019 in Ransomware

Heroset Ransomware

The Heroset Ransomware is a recently uncovered data-encrypting Trojan. When malware experts studied this threat, they concluded that the Heroset Ransomware is a variant of the very widespread STOP Ransomware. Cybersecurity researchers cannot confirm with full certainty how the Heroset Ransomware is being spread. However, it is likely that the authors of the threat are employing faux software updates, infected pirated content, and spam emails as infection vectors. If the Heroset Ransomware infiltrates a system successfully, it starts the attack by performing a scan. The scan is meant to locate all the data that the Heroset Ransomware will later encrypt. Once this step is completed, the Heroset Ransomware begins the encryption process. After the encryption process is through, you will notice that the names of your files have been...

Posted on June 10, 2019 in Ransomware

Beware: Scammers are Aggressively Targeting Senior Citizens

The United States Senate Special Committee on Aging released a report on the top scams that affected seniors in 2018. The information was based on reports to the committee's toll-free fraud hotline, where people shared their experiences with fraudsters. There are things users can do to avoid becoming a target or falling victim to scammers, such as the following:

IRS impersonation scams
If you receive a call claiming to be from the IRS, hang up the phone immediately. The agency normally contacts people by letter, not by phone. An IRS representative will never call taxpayers to demand payment, request prepaid debit cards or gift cards, or issue threats.

Unsolicited phone calls
Never give out any personal information in response to an unsolicited phone call. If the caller claims to belong...

Posted on June 10, 2019 in Computer Security

BabyShark

A new hacking tool was recently spotted by malware researchers. Dubbed the BabyShark malware, this threat is believed to originate from North Korea. One justification for this assessment is that two other threats attributed to North Korea, KimJongRAT and STOLEN PENCIL, bear stark similarities to the BabyShark malware. It appears that the hackers behind BabyShark may be linked to the North Korean government. This deduction is based on the fact that the threat's targets are mainly political: the BabyShark malware especially targets organizations linked to the discussions on the denuclearization of North Korea. The infection vector employed by the authors of BabyShark is spear-phishing emails, which carry an infected attachment in the shape of...

Posted on June 7, 2019 in Malware

KimJongRAT

The KimJongRAT is a RAT (Remote Access Trojan) that likely originates from North Korea. The KimJongRAT has been involved in campaigns alongside another threat that is likely North Korean, the BabyShark malware. The BabyShark malware targeted entities linked to the proposed denuclearization of North Korea, and it was discovered that many of the systems infected with the BabyShark malware were also infiltrated by the KimJongRAT. When these campaigns were studied further, malware experts found that the two threats work in unison: the BabyShark malware allowed the KimJongRAT to gain access to the compromised systems. Given the political nature of the targets, it is easy to speculate that the attackers may be linked to the North Korean government in some way. It would seem that the authors of the...

Posted on June 7, 2019 in Remote Administration Tools

Euclid Ransomware

The Euclid Ransomware is a recently uncovered data-encrypting Trojan. When malware experts dissected this threat, they found that the Euclid Ransomware does not belong to any of the well-known ransomware families. Cybersecurity researchers are not yet able to confirm what infection vector the authors of the Euclid Ransomware employ. It is speculated that the attackers may be using bogus software updates, as well as infected pirated content and spam email campaigns. When the Euclid Ransomware gains access to a system, it begins a scan immediately. When the scan is through, the Euclid Ransomware will have located all the files it targets. Then, the Euclid Ransomware begins encrypting the targeted data. When a file is encrypted by this threat, you will notice that its name has been altered. The Euclid...

Posted on June 7, 2019 in Ransomware

DDT Ransomware

Recently, a new data-locking Trojan was discovered by malware researchers. It was given the name DDT Ransomware. Upon further inspection, cybersecurity experts concluded that the DDT Ransomware is a variant of the infamous Globe Imposter 2.0 Ransomware. It cannot be confirmed what propagation method has been employed in spreading the DDT Ransomware, but it is likely that the authors of the threat use spam email campaigns containing corrupted attachments, faux software updates, and pirated software to spread their creation. If the DDT Ransomware penetrates a system successfully, it begins its attack by scanning it. The scan is meant to find the locations of all the files the DDT Ransomware was programmed to lock. Once the data is located, the DDT Ransomware begins the encryption process. When the DDT...

Posted on June 7, 2019 in Ransomware

Krypton Stealer

The Krypton Stealer is likely a Russian-made info stealer. Its authors are selling the Krypton Stealer on Russian hacking forums. The exact price of this info stealer is not specified, but it is likely rather cheap, as tools of this type made in Russia tend to be sold at pretty low prices. Payment is required in Ethereum or Bitcoin. Given how cheaply such hacking tools are usually sold, it is likely that many shady individuals will take advantage of this offer, which may result in thousands of victims worldwide. The Krypton Stealer is written in C and C++. It can be deployed successfully in attacks against machines running Windows 7 and every newer Windows version. The main goal of the Krypton Stealer is to gather data from the compromised...

Posted on June 6, 2019 in Trojans

INPIVX Ransomware

The INPIVX Ransomware is a new and rather peculiar RaaS (Ransomware-as-a-Service) that appears to be distributed on the Deep Web. Most creators of RaaS tend to sell a ready-to-use threat and often charge a fee as a percentage of the profit their clients make using the service. However, the authors of the INPIVX Ransomware offer to sell the threat's source code for $500. They also claim to provide customer support for their clients to help them set up the piece of malware to their liking, and a manual on setting up the decryptor, administrator dashboard and payload. This means that even a person with no programming background could use this threat to its full potential. The clients who choose to buy the INPIVX Ransomware will have...

Posted on June 6, 2019 in Ransomware

Kjh Ransomware

Another file-locking Trojan has been uncovered by malware researchers. It was given the name Kjh Ransomware, and when they studied the threat, it became apparent that this seemingly new ransomware is a variant of the popular Dharma Ransomware. It has not been confirmed what propagation methods are employed in spreading the Kjh Ransomware, although it seems that the authors of this data-encrypting Trojan have chosen fraudulent updates, infected pirated content and spam email campaigns. When the Kjh Ransomware infects your system, the first step of the attack is to scan it. The purpose of the scan is to identify the locations of the files that will later be encrypted. Having completed this step, the Kjh Ransomware begins the encryption process. When a file undergoes the encryption process of...

Posted on June 6, 2019 in Ransomware

Pidom Ransomware

A new ransomware threat has emerged recently. Malware researchers gave it the name Pidom Ransomware. When they dissected it, they were not surprised to find that this is yet another variant of the infamous STOP Ransomware. Cybersecurity experts have not been able to determine the infection vector of the Pidom Ransomware. However, they speculate that the authors of the Pidom Ransomware may be using spam email campaigns containing infected attachments, bogus software updates, and pirated software to spread their creation. Once the Pidom Ransomware manages to gain access to a system, it wastes no time and begins scanning it. The goal is to locate all the files it was programmed to target for encryption. Then, the Pidom Ransomware starts encrypting the targeted files. When the Pidom Ransomware...

Posted on June 6, 2019 in Rogue Anti-Spyware Program

Magecart Card Skimmers Expand Attack Portfolio

Magecart is not the name of a new online shopping cart API, but the name of a network of cybercriminal groups that have been stealing payment card data for a few years now. One of the groups comprising the larger network known as Magecart has recently been spotted by security researchers using a new method of attack. Magecart now injects retail websites with iframes that look like a regular credit card payment interface. What is different in this case is that Magecart does not scan for a legitimate payment form to substitute with one that can be skimmed. Instead, the iframe with the malicious payment form is dumped into the code of every PHP page but is only displayed when the page has a regular shopping cart checkout form on it. The malicious frame is formatted in a way that should be...
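The behaviour described above (a cross-origin iframe present in every page, shown only where a card-entry form exists) suggests a simple site-wide check. The following Python script is an added illustration, not code from the article or from any Magecart group: it parses a set of pages with the standard library, records every iframe whose host is not in a first-party allowlist, and flags a source that either recurs across pages or appears on a page that contains card fields. The sample pages, the first-party host `shop.example`, the iframe host `cdn-payments.invalid` and the card-field name heuristics are all constructed for the example.

```python
"""Detect cross-origin iframes injected across a shop's pages.

Added example; not the article's or any real skimmer's code.
Assumptions: first-party host 'shop.example', a constructed malicious
host 'cdn-payments.invalid', and simple card-field name heuristics.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Substrings in <input name/id> that suggest a card-entry form (assumed heuristic).
CARD_FIELD_HINTS = ("card", "cvv", "cvc", "expiry", "pan")


class _PageScanner(HTMLParser):
    """Collects iframe src values and whether a form with card fields exists."""

    def __init__(self):
        super().__init__()
        self.iframe_srcs = []
        self.has_card_form = False
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.iframe_srcs.append(a["src"])
        elif tag == "form":
            self._in_form = True
        elif tag == "input" and self._in_form:
            name = (a.get("name") or a.get("id") or "").lower()
            if any(hint in name for hint in CARD_FIELD_HINTS):
                self.has_card_form = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def scan_page(url, html, first_party_hosts):
    """Return one finding per cross-origin iframe on a single page."""
    scanner = _PageScanner()
    scanner.feed(html)
    findings = []
    for src in scanner.iframe_srcs:
        host = urlparse(src).hostname
        if host is None or host in first_party_hosts:
            continue  # relative or first-party src: not cross-origin
        findings.append({"page": url, "iframe": src,
                         "checkout_page": scanner.has_card_form})
    return findings


def scan_site(pages, first_party_hosts):
    """pages: {url: html}. Returns {iframe_src: summary} for sources that are
    cross-origin and either recur on more than one page (the 'injected into
    every page' pattern) or sit on a page with card-entry fields."""
    by_src = {}
    for url, html in pages.items():
        for f in scan_page(url, html, first_party_hosts):
            by_src.setdefault(f["iframe"], []).append(f)
    suspicious = {}
    for src, hits in by_src.items():
        everywhere = len({h["page"] for h in hits}) > 1
        on_checkout = any(h["checkout_page"] for h in hits)
        if everywhere or on_checkout:
            suspicious[src] = {"pages": sorted(h["page"] for h in hits),
                               "everywhere": everywhere,
                               "on_checkout": on_checkout}
    return suspicious


# Constructed sample: the same hidden iframe is present on every page and
# becomes a visible "payment form" only on the checkout page.
INJECTED = '<iframe src="https://cdn-payments.invalid/form.php" style="display:none"></iframe>'
SAMPLE_PAGES = {
    "https://shop.example/index.php": "<html><body><h1>Home</h1>" + INJECTED + "</body></html>",
    "https://shop.example/product.php": "<html><body><p>Widget</p>" + INJECTED + "</body></html>",
    "https://shop.example/checkout.php": (
        '<html><body><form action="/pay.php"><input name="cardnumber">'
        '<input name="cvv"></form>'
        '<iframe src="https://cdn-payments.invalid/form.php"></iframe>'
        '<iframe src="https://shop.example/help"></iframe></body></html>'),
}
FIRST_PARTY = {"shop.example"}

if __name__ == "__main__":
    for src, info in scan_site(SAMPLE_PAGES, FIRST_PARTY).items():
        print(src, info)
```

Run against a crawl of the shop, the interesting signal is an iframe host that is not on the allowlist and recurs on pages where no payment interface belongs; the card-field heuristic only adds weight. Allowlisting by exact host rather than by substring matters, since skimmer domains are often chosen to look like a payment processor.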

Posted on June 6, 2019 in Computer Security

CinaRAT

Malware developers often borrow portions of code from other projects to make their work a bit easier and implement ready-to-use features without doing much coding. This is exactly what the authors of CinaRAT have done: they have used the source code of QuasarRAT to set up the core functions of their product, and the two threats share similar features. What is odd is that CinaRAT is not presented as a program meant for unsafe purposes; the authors describe it as a free and easy-to-use remote administration tool, with no hint of harmful intent. However, a closer look at CinaRAT's features reveals an entirely different story. Usually, popular Remote Administration Tools offer remote desktop, chat sessions, screenshot capture and access to the other party's audio. In addition to this, all of these...

Posted on June 5, 2019 in Remote Administration Tools

Zebrocy Go

The Zebrocy APT (Advanced Persistent Threat) is believed to be a Russia-based hacking group. They seem to have teamed up with another Russian hacking group, the infamous Fancy Bear (also called APT28 or Sofacy). Malware researchers speculate that Zebrocy and Fancy Bear are working together because they have very similar targets, launched their attacks at almost the same time, and the tools employed in these attacks were very alike. The Zebrocy APT is well known for creating malware in a wide variety of programming languages. Cybersecurity experts speculate that the reason behind this may be that the Zebrocy APT eventually intends to target systems running operating systems other than Windows. The Zebrocy group recently created a downloader in three different languages: AutoIT, Delphi and...

Posted on June 5, 2019 in Trojans