Isolated Ransomware

At the beginning of July 2019, cybersecurity experts detected a new data-encrypting Trojan. It goes by the name Isolated Ransomware and is a variant of the Aurora Ransomware. It is not yet known what propagation methods are employed in spreading this file-locking Trojan. Some experts speculate that emails containing infected attachments, corrupted pirated software, and fraudulent application updates may be among the infection vectors involved in the propagation of the Isolated Ransomware. If the Isolated Ransomware succeeds in compromising a system, it will start the attack by scanning the machine. This is done to locate the files that the Isolated Ransomware was programmed to go after. The next step is the encryption process. The Isolated Ransomware will lock the files that correspond to the file types...

Posted on July 4, 2019 in Ransomware

AndroMut

TA505 is a hacking group that is known to have launched operations all around the globe - North America, South America, Asia and Africa. This infamous hacking group has recently launched a new Trojan downloader called AndroMut. When cybersecurity experts inspected AndroMut, it became evident that this new threat has a lot in common with a widely known threat that has been in action since 2011 – the Andromeda malware family. AndroMut, however, is a much simpler piece of malware. The purpose of AndroMut is to bypass any security checks present on the infiltrated machine, gain persistence, and serve as a backdoor for a payload, which would be sent from the C&C (Command & Control) server of the perpetrators. AndroMut has already been linked to two campaigns. The first one targeted companies in South Korea. The...

Posted on July 3, 2019 in Malware

Godlua

In July 2019, malware researchers came across a new backdoor Trojan that goes by the name Godlua. They couldn’t determine the exact propagation method used in spreading this threat. There are indicators that machines running the Linux OS may be targeted via a new Confluence exploit. At first, the Godlua backdoor Trojan was only meant to infiltrate Linux PCs, but its authors then updated the threat to be compatible with other operating systems (Windows computers and Internet-of-Things devices) to ensure that their creation is capable of infecting the maximum number of machines. At first, cybersecurity experts regarded the Godlua Trojan as a cryptocurrency miner. Later, it turned out that this is not the case and that the Godlua backdoor was employed in DDoS (Distributed-Denial-of-Service) attacks targeting a Chinese Web page. This...

Posted on July 3, 2019 in Backdoors

Besub Ransomware

Having your files locked up by the Besub Ransomware is guaranteed to be an unhappy experience – this file-locker needs just a few minutes to encrypt the contents of numerous files, and then starts to extort you for money. This project is a part of the STOP Ransomware family and, sadly, this means that it is unlikely that its victims will be able to rely on a free decryptor to assist them with the recovery of their files. While some STOP Ransomware variants have been fairly inactive, the same cannot be said about the Besub Ransomware – there have been dozens of complaints about it just a day after it was first seen in the wild. The threat does not appear to target a specific region, and it would appear that its operators are using phishing emails, fake downloads, and pirated software to bring the threatening program to their...

Posted on July 3, 2019 in Ransomware

Cs16 Ransomware

At the beginning of July 2019, malware experts spotted a new data-locking Trojan. It is called the Cs16 Ransomware, and when researchers looked deeper into it, they discovered that it belongs to the Cryakl Ransomware family. It has not yet been confirmed what propagation methods are used in spreading the Cs16 Ransomware, but some speculate that spam emails containing a macro-laced document, infected pirated applications, and bogus software updates may be among the infection vectors employed in the propagation of this file-encrypting Trojan. Once the Cs16 Ransomware compromises a system successfully, it will scan it to locate the files that will be targeted for locking. Then, the Cs16 Ransomware triggers the encryption process. When this Trojan locks a file, it changes its extension by adding 'email-3nity@tuta.io.ver-CS 1.6.-..cs16,'...

Posted on July 3, 2019 in Ransomware

Ratsnif

The OceanLotus hacking group, also known as APT32 and Cobalt Kitty, is believed to have been operating since 2013 and is responsible for several attacks carried out in the South East Asian region. The group is believed to originate from Vietnam, and it has been speculated that it may have links to the Vietnamese government and may be doing its bidding. The OceanLotus group tends to target companies operating in the hospitality sector, as well as businesses dealing with manufacturing. The Ratsnif RAT (Remote Access Trojan) is among the newest tools that the OceanLotus group has obtained. When it comes to the features that the Ratsnif Trojan packs, this threat is different from the other RATs that are linked to the OceanLotus hacking group’s operations. The Ratsnif RAT was first spotted back in 2016. Cybersecurity experts back then...

Posted on July 2, 2019 in Trojans

Alilibat Ransomware

The Alilibat Ransomware is one of the dozens of file-lockers based on the infamous Scarab Ransomware project. Unfortunately, the fact that the Scarab Ransomware has been around for over a year does not help at all when it comes to the decryption of the files it locks - this is still an impossible task in most cases, especially when dealing with a new variant such as the Alilibat Ransomware. The best way to counter ransomware attacks is to take preventive measures that would make it impossible for a file-locker to either get on your system or cause long-term damage to your files. The former can be guaranteed with the use of a reputable anti-malware software suite, while the latter can be taken care of by remembering to back up your important files to safe storage (preferably offline or cloud storage) regularly. If it is too late to take...

Posted on July 2, 2019 in Ransomware

Cago Ransomware

The Cago Ransomware is a recently emerged data-locking Trojan. Upon inspection, malware researchers concluded that the Cago Ransomware is not a variant of any of the popular ransomware threats. It cannot be confirmed with any certainty what infection vectors have been used in spreading the Cago Ransomware. Some speculate that spam email campaigns, fraudulent software updates, and infected pirated applications may be among the propagation methods used by the authors of this file-encrypting Trojan. When the Cago Ransomware infects a computer, it will scan it to detect the locations of the files that will be marked for encryption. Then, the Cago Ransomware will begin locking the targeted data. When the Cago Ransomware locks a file, it alters its name. This ransomware threat adds a ‘.CAGO’ extension to the newly...

Posted on July 2, 2019 in Ransomware

Chekyshka Ransomware

Recently, malware researchers spotted a new ransomware threat. It is called the Chekyshka Ransomware and does not appear to belong to any of the infamous ransomware families. It is likely that this threat originates from Russia, because the name means a small bottle of vodka in Russian. Experts are not able to confirm what propagation method the creators of the Chekyshka Ransomware are using to spread this file-encrypting Trojan. Some believe that spam emails containing an infected attachment, corrupted pirated software, and bogus application updates may be among the infection vectors employed in propagating the Chekyshka Ransomware. If the Chekyshka Ransomware penetrates a system successfully, it will perform a scan. The objective of the scan is to locate the files that will be encrypted....

Posted on July 2, 2019 in Ransomware

Skimer

Skimer is a piece of malware that targets ATMs and has been active for many years now. The first time malware experts spotted the Skimer threat was back in 2009. While the Skimer malware has not evolved much through the years, ATM malware in general has improved greatly. Most cybercriminals nowadays prefer emptying ATMs instead of skimming credit cards. Cybercrooks that target ATMs usually have to split into two groups – one that physically inserts a USB drive into the machine to deploy the malware, and one that sits behind a computer screen and operates the threat. Malware that targets ATMs usually gains access to their systems and manipulates the settings to get the machine to start pumping out cash. The Skimer malware manages to bypass the safety checks by authenticating itself using a rather innovative...

Posted on July 1, 2019 in Malware

OSX/CrescentCore

Many Apple users seem to have the false and sometimes unsafe conviction that their devices are completely immune to malware. This is why they have been particularly vulnerable to online threats. Just in the past couple of days, cybersecurity experts have detected two new threats targeting Apple devices specifically – the OSX/SurfBuyer and the OSX/Linker. This goes to show that cybercriminals have a growing appetite for machines that run OSX, because Apple users often tend to overlook their cybersecurity. Recently, another OSX malware was spotted – the OSX/CrescentCore Trojan. When the OSX/CrescentCore threat infiltrates a machine, it will first check whether the system it has landed on is a sandbox environment. If the machine is used for debugging malware, then the OSX/CrescentCore will halt its operations. If it is not, the threat will...

Posted on July 1, 2019 in Malware

DCOM Ransomware

The DCOM Ransomware is a newly discovered ransomware threat. Upon further inspection, malware experts concluded that the DCOM Ransomware does not belong to any of the big ransomware families. The infection vector used in spreading the DCOM Ransomware has not been confirmed. However, some cybersecurity researchers believe that the authors of this threat may be employing faux software updates, corrupted pirated applications, and emails containing infected attached files to propagate their creation. If users fall for the trickery of the DCOM Ransomware, the threat will gain access to their systems and scan them to locate the files that it will later lock. Once the files are located successfully, the DCOM Ransomware will launch the encryption process. When the DCOM Ransomware encrypts a file, it alters its filename by adding an...

Posted on July 1, 2019 in Ransomware

Litar Ransomware

Cybersecurity researchers have spotted a new data-locking Trojan. It goes by the name Litar Ransomware. When the Litar Ransomware was dissected, it became clear that this is yet another variant of the infamous STOP Ransomware. There has already been one confirmed victim located in Argentina. Malware experts have not yet been able to confirm what infection vector is employed in propagating the Litar Ransomware. Some, however, speculate that the creators of this ransomware threat may be using the classic techniques – infected pirated applications, bogus software updates, and spam email campaigns containing an infected attachment. Once the Litar Ransomware infiltrates a machine, it will search for the files it was programmed to lock by performing a scan. When the scan determines the locations of the files that will be encrypted, the...

Posted on July 1, 2019 in Ransomware

Silex

Infiltrating vulnerable machines and hijacking them to add to a botnet has been a modus operandi of cybercriminals for many years now. Most botnets consist of infected PCs. However, some cybercrooks take a different approach. Instead of targeting computers, they target IoT (Internet-of-Things) devices. These are all sorts of household devices that can connect to the Internet and are considered ‘smart devices.’ The largest known botnet consisting entirely of IoT devices is the Mirai botnet, with over 2.5 million infected machines at its peak. There is a rather interesting case involving a piece of malware called the BrickerBot. Instead of using the infected IoT devices for some harmful campaign, the creator of the BrickerBot opted to render them unusable just to make a point. Their reasoning is that users do not...

Posted on June 28, 2019 in Malware

ViceLeaker

Cybersecurity experts have recently spotted a new Android malware called ViceLeaker. Most Android malware is programmed to target as many victims as possible. However, it appears that this is not the case with the ViceLeaker malware. The authors of this threat have concentrated their efforts on one specific region – the Middle East, namely Israel. It is safe to say that this is an espionage campaign launched against Israeli citizens by an unknown party. In the summer of 2018, a threat that closely resembles ViceLeaker appeared. It was called Triout and operated in a very similar manner to the ViceLeaker malware. However, the victims of the Triout malware were not targeted specifically, which is the biggest difference between the Triout and the ViceLeaker malware. The ViceLeaker malware has a very impressive list of...

Posted on June 28, 2019 in Malware