Kovasoh Ransomware

A brand-new file-encrypting Trojan has been spotted by cybersecurity researchers recently. Its name is Kovasoh Ransomware, and it belongs to the STOP Ransomware family.

Propagation and Encryption

It has not yet been disclosed which infection vectors the authors of the Kovasoh Ransomware use to propagate their Trojan. However, some believe that spam emails containing infected attachments, bogus software updates, and pirated copies of common applications may be among the propagation methods employed in spreading the Kovasoh Ransomware. When this ransomware threat infiltrates your computer, it starts the attack with a scan whose purpose is to locate the files that will later be encrypted. When this is done, the Kovasoh Ransomware will start locking the targeted data. Once the Kovasoh Ransomware...

Posted on August 8, 2019 in Ransomware

Nvetud Ransomware

The Nvetud Ransomware is a data-locking Trojan that has been uncovered by malware experts recently. They dissected this threat and determined that it is a variant of the infamous STOP Ransomware.

Propagation and Encryption

Malware experts cannot determine the exact infection vector used in spreading the Nvetud Ransomware. It is likely that the creators of the Nvetud Ransomware may have used spam emails containing macro-laced attachments, fake application updates, and pirated bogus copies of legitimate software to propagate their file-encrypting Trojan. When the Nvetud Ransomware gains access to your system, it quickly performs a scan meant to locate all the data this threat was programmed to target. Then, the Nvetud Ransomware will start encrypting the targeted files. Once a file has undergone the...

Posted on August 8, 2019 in Ransomware

Cotx RAT

Recently, malware researchers spotted several campaigns targeting government institutions located in the East Asian region. It is likely that the Chinese hacking group called TA428 is responsible for these attacks.

Propagation Method

The infection vector appears to be spear-phishing emails. The targeted government workers would receive an email with a ‘.doc’ or ‘.rtf’ attachment, which they are urged to open. If the user falls for this trick and attempts to open the attached file, the attackers use a known vulnerability in the Microsoft Equation Editor to plant a threat on the user’s computer.

A Specially Crafted RAT

In some of the launched campaigns, the threat planted on the victim’s system was the Poison Ivy RAT (Remote Access Trojan). However, the attackers have, apparently, decided to diversify their attacks and...

Posted on August 8, 2019 in Remote Administration Tools

AsyncRAT

The AsyncRAT is a project that seems to have been developed for educational purposes, or at least that is what its creator claims on their GitHub page. The AsyncRAT’s code is publicly available on that GitHub page. Once malware experts reviewed the code, it quickly became clear that the AsyncRAT can serve as a very threatening tool if it falls into the hands of ill-willing individuals.

Capabilities

The AsyncRAT is not too different from most RATs out there, but this does not make it any less threatening. This threat is able to record your keystrokes, as it possesses a keylogging module. This is usually used to collect login credentials and other sensitive data. The AsyncRAT can also record video via the webcam on the compromised system, as well as record audio using the microphone. This RAT also sports an info...

Posted on August 8, 2019 in Remote Administration Tools

Clipsa

The Clipsa malware is a threat that falls into the category of password collectors. The activity of the Clipsa malware seems to be concentrated in several regions – Brazil, India and the Philippines. The Clipsa malware project appears to be in its early stages, and it is likely that its authors may further weaponize this threat.

Propagation Method

The creators of the Clipsa malware have opted to disguise their threat as a fake media player or a fraudulent codec pack. Users are urged to install it if they want to be able to view the content on the website. Users online should be very wary of Web pages that require them to install additional software in order to view their contents, as this is a commonly used trick to propagate various types of malware.

Self-Preservation

The Clipsa malware will store its corrupted files in system...

Posted on August 7, 2019 in Trojans

Brusaf Ransomware

The Brusaf Ransomware is a data-locking Trojan that has emerged recently. Upon spotting this new threat, malware researchers dissected it and found that it belongs to the STOP Ransomware family.

Propagation and Encryption

Experts are struggling to determine the infection vectors that the attackers have used to spread their threatening creation. Some speculate that spam emails containing macro-laced attachments, as well as bogus application updates and fake copies of reputable software tools, may be among the propagation methods that the authors of the Brusaf Ransomware have employed. If the user falls for the tricks of the Brusaf Ransomware and gives it access to their system, all their data will be scanned swiftly. This way, the Brusaf Ransomware determines the locations of the files that will be locked later. Then, the encryption...

Posted on August 7, 2019 in Ransomware

Masok Ransomware

Cybersecurity researchers spot new data-locking Trojans daily. One of the most recent ones goes by the name Masok Ransomware. When inspected, the Masok Ransomware turned out to be a variant of the STOP Ransomware.

Propagation and Encryption

It is yet to be determined with any certainty which specific propagation method has been employed in spreading the Masok Ransomware. Some experts believe that the creators of the Masok Ransomware have used the conventional methods of propagating ransomware threats – mass spam email campaigns alongside bogus software updates and pirated fake copies of various applications. When the Masok Ransomware manages to infiltrate a system, it starts the attack with a brief scan. The scan is used to determine the locations of the files that will be marked for encryption. Then, the Masok...

Posted on August 7, 2019 in Ransomware

Lotej Ransomware

The Lotej Ransomware is among the latest data-locking Trojans to have emerged on the Internet. Once malware researchers spotted this brand-new threat, they dissected it and discovered that it belongs to the STOP Ransomware family.

Propagation and Encryption

Cybersecurity experts cannot yet determine the propagation methods employed in spreading this new file-encrypting Trojan. It is largely speculated that some of the most common methods of spreading ransomware threats may be at play in the case of the Lotej Ransomware too, namely fraudulent application updates, emails that contain corrupted attachments, and pirated bogus copies of legitimate applications. When the Lotej Ransomware infects your PC, it will scan it. The scan is meant to locate all the files that the Lotej Ransomware will later encrypt. Then, the encryption...

Posted on August 7, 2019 in Ransomware

Zatrov Ransomware

Malware researchers spot new data-locking Trojans on a daily basis. Some of them are more inventive and ambitious projects, while others are just variants of already existing ransomware threats. Today we are dealing with the latter type in the form of the Zatrov Ransomware. This file-encrypting Trojan belongs to the infamous STOP Ransomware family.

Propagation and Encryption

Researchers are yet to agree on which propagation method has been employed in spreading the Zatrov Ransomware. Some of them speculate that the authors of the Zatrov Ransomware have likely used well-established methods such as spam emails that contain macro-laced attachments, fraudulent application updates, and pirated fake copies of legitimate software. If the Zatrov Ransomware manages to infiltrate your computer, it will scan it to discover the locations...

Posted on August 6, 2019 in Ransomware

Gwmndy Botnet

Many cybercriminals opt to create botnets, as they can be used in many different ways. For example, a network of hijacked computers can be used to launch DDoS (Distributed-Denial-of-Service) attacks. Another purpose is cryptocurrency mining, where the operators of the botnet employ unsuspecting users' computers to mine cryptocurrency for them, which can be very profitable. With more and more devices becoming 'smart' and having the option to connect to the Internet, cyber crooks have found a new niche to attack. This gave rise to IoT (Internet-of-Things) botnets. One such example is the Gwmndy Botnet.

Only 200 New Infected Devices Daily

The operators of the Gwmndy Botnet have chosen to keep a low profile by infecting only about 200 IoT devices a day. This is likely done so that malware researchers have a harder...

Posted on August 6, 2019 in Botnets

Lord Exploit Kit

High-profile hacking groups often develop new exploit kits, which are heavily weaponized and very threatening. However, there are also some low-skilled ill-minded actors who attempt to create exploit kits. Unlike the state-of-the-art malware that high-skilled hackers can build, these low-effort exploit kits are almost laughable. For example, some of these so-called exploit kits just use public proof-of-concept (PoC) exploits for popular plugins and software like Adobe Flash Player or Internet Explorer. The PoC exploit code is embedded in websites, and the only thing left to do is to lure users into visiting the landing page laced with the Lord Exploit Kit.

Attempts to Exploit Adobe Flash Player

The threat actors may often rely on shady ad networks to publish what looks like a legitimate advertisement. However, what neither the user nor the ad...

Posted on August 6, 2019 in Malware

Prandel Ransomware

The Prandel Ransomware is among the newest ransomware threats spotted by cybersecurity researchers recently. Some cybercriminals who are more tech-savvy build their own data-locking Trojans, while others rely on already existing threats. Such is the case of the Prandel Ransomware. This ransomware threat is a variant of the very popular STOP Ransomware.

Propagation and Encryption

Malware experts have been unable to determine the exact propagation methods that the creators of this ransomware threat are using. It appears that the authors of the Prandel Ransomware may have used mass spam email campaigns, bogus software updates, and pirated fake copies of popular applications as infection vectors to spread their creation. Once the Prandel Ransomware manages to compromise a system, it will begin the attack by scanning the files...

Posted on August 6, 2019 in Ransomware

Amadey

The Amadey hacking tool is a botnet builder developed by unknown ill-minded actors and sold on various hacking forums. It first appeared at the start of 2019. This threat can also be used as a first-stage payload that introduces more malware to the host. Initially, the Amadey hacking tool cost approximately $500. This threat gained some traction and appears to have sold well, as malware researchers have spotted the Amadey tool being used in many different campaigns worldwide. Even the infamous TA505 hacking group got its hands on the Amadey threat.

Operates Silently

Amadey operators can access the administrator panel via their Web browser and use it to command the infected systems. However, all of this is carried out very silently and out of the user's sight. It is likely that the victims may not even...

Posted on August 5, 2019 in Malware

GermanWiper Ransomware

The GermanWiper Ransomware is a new wiper malware that appears to be targeting users located mainly in Germany. This threat is particularly harmful because it is masked as a data-locking Trojan and attempts to extort its victims with the promise of recovering their data in exchange for a ransom fee. However, these are empty promises: the GermanWiper Ransomware is not a Trojan that encrypts your data but a wiper malware that destroys it permanently, with no hope of recovery.

Propagation

It appears that the authors of the GermanWiper Ransomware are using spam emails as an infection vector in their campaigns. These fraudulent emails contain a fake CV in the shape of a '.LNK' file. If users attempt to open the supposed 'CV,' they will trigger the execution of the GermanWiper Ransomware.

Destroys Your...

Posted on August 5, 2019 in Ransomware

Amavaldo

The Amavaldo banking Trojan is a hacking tool that has been used almost exclusively to target users based in Brazil. However, since June 2019 its operators appear to have decided to expand their reach and begin launching campaigns in Chile and Mexico as well.

Propagation

The authors of the Amavaldo Trojan stick to the tried and tested propagation method of spam email campaigns. The emails normally contain an attachment, and the message urges the user to open it because it is 'important.' In some of the campaigns, the creators of Amavaldo disguised the attachment as a seemingly legitimate Microsoft Office document, while in others a '.MSI' file is attached that poses as an update for an Adobe tool.

Self-Preservation

As a self-preservation technique, the Amavaldo banking Trojan's code is obfuscated...

Posted on August 5, 2019 in Trojans