Reco Ransomware

File-encryption Trojans continue to be the most important part of the toolkit of any cybercriminal – these destructive cyber-threats are the perfect extortion tool for anonymous cyber crooks, as they give them a very strong bargaining chip by holding the victim's files as hostages. Unfortunately, recovering from ransomware attacks is often an impossible task, and victims end up having to ask the attackers for help that never comes for free. The Reco Ransomware is one of the latest file-lockers to look out for, and a closer analysis of its behavior revealed that it is not an entirely new threat – it is based on the STOP Ransomware project, and uses an identical file-encryption routine to damage the files of its victims. The distribution techniques that the authors of the Reco Ransomware use to spread their threatening program may vary –...

Posted on October 9, 2019 in Ransomware

APT35

APT35 (Advanced Persistent Threat) is a hacking group that is believed to originate from Iran. It is also known under several other aliases – Newscaster Team, Phosphorus, Charming Kitten and Ajax Security Team. The APT35 hacking group is usually involved in politically motivated campaigns, as well as financially motivated ones. It tends to concentrate its efforts mainly on actors involved in human rights activism, various media organizations, and the academic sector. Most of the campaigns are carried out in the United States, Israel, Iran and the United Kingdom.

Popular APT35 Campaigns

One of the most notorious APT35 operations is the one carried out against HBO that took place in 2017. In it, APT35 leaked over 1TB of data, which consisted of staff personal details and shows,...

Posted on October 8, 2019 in Malware

APT28

APT28 (Advanced Persistent Threat) is a hacking group that originates from Russia. Its activity dates as far back as the mid-2000s. Malware researchers believe that the APT28 group’s campaigns are funded by the Kremlin, as they usually target foreign political actors. The APT28 hacking group is best known as Fancy Bear, but it also is recognized under various other aliases – Sofacy Group, STRONTIUM, Sednit, Pawn Storm and Tsar Team.

The Infamous Hacking Campaigns Carried Out by Fancy Bear

Experts believe that Fancy Bear had a hand in the 2016 Democratic National Committee hack, which some believe had some influence on the outcome of the Presidential Elections taking place the same year. During the same year, the Fancy Bear group also targeted the World Anti-Doping Agency because of the scandal involving Russian athletes. The...

Posted on October 8, 2019 in Malware

Potao Express

Potao Express is a hacking group that is known for two tools, which they have developed – FakeTC and Potato. This hacking group has been active since 2011, but malware researchers have been observing their activities closely since 2017.

FakeTC

The FakeTC malware is a fraudulent copy of the legitimate tool called ‘TrueCrypt.’ The authors of the FakeTC malware propagate it using a Russian website. The attackers pick only certain users as targets, and only these targets receive the FakeTC malware, while all other users get TrueCrypt, the genuine application. This way, the creators of the FakeTC malware are more likely to remain under the radar of security experts. The FakeTC threat provides the attackers with information about the victims. The authors of the FakeTC malware are also able to execute other tasks on...

Posted on October 8, 2019 in Malware

Energetic Bear

Energetic Bear is a hacking group that is considered to be an APT (Advanced Persistent Threat). This hacking group also is known under two other aliases – Crouching Yeti and Dragonfly. Energetic Bear tends to target high-ranking personnel in the industrial sector, as well as the energy sector. The Energetic Bear group usually changes its region of preference over time. In general, most of their targets are concentrated in the U.S. and Europe, but in 2016 and 2017, most of their efforts were concentrated in Turkey.

Most Targets Operate within the Industrial and Energy Sectors

Energetic Bear tends to use a wide variety of offensive techniques along with highly creative methods of delivering their malware to the intended targets. It is common for Energetic Bear to compromise a server and turn it into a corrupted host, which would...

Posted on October 8, 2019 in Malware

Kuub Ransomware

All shady individuals are attempting to hop on the ‘ransomware’ train because file-locking Trojans are seen as a quick and easy way to generate some revenue on the back of unsuspecting online users. Most ransomware threats operate in a similar manner – the user's system gets infected with the Trojan, which immediately performs a scan that locates the files of interest; the encryption process then locks the targeted data, and finally, the threat drops a ransom note.

Propagation and Encryption

The Kuub Ransomware is one of the most recently uncovered data-encrypting Trojans, and it does not stray from the path explained previously. The Kuub Ransomware belongs to the wildly popular STOP Ransomware family. It is not clear what infection vectors the attackers have employed in the propagation of the Kuub Ransomware. Some experts...

Posted on October 8, 2019 in Ransomware

'Winlogui.exe' Miner

Several users worldwide have reported an unknown process running on their systems. The process in question is ‘Winlogui.exe.’ The creators of ‘Winlogui.exe’ have made sure to add the ‘Win’ part to the name, which would usually indicate a legitimate Windows-related process and so would not raise any suspicions. However, that is not the case at all. The ‘Winlogui.exe’ process indicates the presence of a cryptocurrency miner. Cryptocurrency miners tend to affect their host negatively, as they use huge amounts of CPU and thus cause the whole system to slow down and underperform. Users who have cryptocurrency miners planted on their systems are likely to have their browsing quality greatly affected. Evil-minded actors plant cryptocurrency miners on their targets’ systems to generate cash for themselves while also using a significant amount of...

Posted on October 7, 2019 in Trojans

Lemon_Duck

Malware researchers continue to detect an increasing number of threatening campaigns employing various cryptojacking malware. Among the latest finds is the Lemon_Duck threat. It appears that most of the campaigns involving this cryptojacking malware were initially concentrated in Asia. Since then, however, the Lemon_Duck malware has spread globally and is claiming more and more victims daily. The authors of the Lemon_Duck threat seem to target corporations mainly, as this is usually more profitable than going after regular users. The creators of the Lemon_Duck threat aim to compromise as many systems as possible, plant a cryptocurrency miner, and use the processing power of the infected host to mine cryptocurrency. Of course, all the cash is transferred to the attackers’ cryptocurrency wallets.

Brute-Force Attacks

Lemon_Duck targets...

Posted on October 7, 2019 in Malware

'ChaosCC Hacker Group' Email Scam

Some evil-minded actors online are very highly-skilled individuals with incredible capabilities of causing chaos. Others who are nowhere near as capable, however, often rely on social engineering techniques to make a quick buck. This is the case of the ‘ChaosCC Hacker Group’ email scam. The individuals responsible for this tactic are pretending to be a threatening hacking group called ‘ChaosCC Hacker Group.’ However, no such hacking group exists, and it is all make-believe meant to instill fear in users that they have become the victim of some group of ruthless and vicious individuals who now hold their fate in their hands.

A ‘Sextortion’ Scheme

The ‘ChaosCC Hacker Group’ tactic is carried out via fake spam emails. In the emails, the attackers claim to have recorded the user via their webcam when they were pleasuring themselves while...

Posted on October 7, 2019 in Adware

Zestradar.com

Most Web browsers nowadays have the ‘Website Notification’ feature. Many Web pages will ask you to allow them to send notifications, and some can be very useful. Examples include websites that notify you when an item on your wish list gets a discount, pages that supply you with the latest breaking news stories, or streaming platforms that let you know when your favorite creators are live. However, not all websites that request the notification permission are going to provide you with quality content. Some, like the Zestradar.com website, will instead take advantage of this permission and spam you with unwanted notifications constantly.

Bombards Users with Notifications

The Zestradar.com Web page appears to be a low-quality website that contains blog posts regarding various topics. Some of the topics that...

Posted on October 7, 2019 in Browser Hijackers

MasterMana Botnet

The MasterMana botnet activity was first spotted at the end of 2018. Since then, malware researchers have estimated that about 3,000 systems have fallen victim to this threat. Having operated for such a long time, one may think that the MasterMana botnet would consist of a far greater number of compromised systems. However, this campaign is no joke, as the attackers take advantage of high-end RATs (Remote Access Trojans), which allow them to almost fully take over the compromised system.

Targeting Businesses

The creators of the MasterMana botnet use spam emails that contain infected ‘.DLL’ files to deliver the threat to their targets. It would appear that the operators of the MasterMana botnet do not go after regular users but would rather target companies. They use a technique called phishing, which means that various...

Posted on October 4, 2019 in Botnets

'Jeanson J. Ancheta' Email Scam

Not all cybercriminals are as smart and as capable as we sometimes tend to perceive them. More often than not, they rely on our naivety and ignorance to sink their claws into our wallets more than they rely on their technical skills. Such is the case with the ‘Jeanson J. Ancheta’ email scam.

Uses the Name of an Infamous Hacker to Intimidate Users

Upon investigating this operation, malware experts found that the shady individuals behind it appear to be a low-end hacking group. They have used the name of the notorious American hacker Jeanson James Ancheta, who served five years in prison for operating a botnet. The authors of the ‘Jeanson J. Ancheta’ tactic have likely used the infamous cyber crook’s name as a social engineering technique. They rely on the fact that the user will Google the name and may think that they...

Posted on October 4, 2019 in Adware

Galacti-Crypter Ransomware

Cybersecurity researchers are struggling to keep pace with all the new ransomware threats, which appear to be popping up every day. One of the most recent file-encrypting Trojans that has been spotted is the Galacti-Crypter Ransomware.

Propagation and Encryption

Experts have been unable to determine the infection vectors involved in the propagation of the Galacti-Crypter Ransomware. Some speculate that the attackers may be using mass spam email campaigns, bogus application updates, and fake pirated variants of popular software tools. As soon as the Galacti-Crypter Ransomware infiltrates a system, a scan will be performed. The scan is going to locate the files that will be targeted for encryption. Usually, ransomware threats target a long list of file types that are likely to be present on almost any regular PC, therefore ensuring...

Posted on October 4, 2019 in Ransomware

Seto Ransomware

File-encrypting Trojans, or in other words, ransomware threats, are most certainly among the most widespread malware of 2019. Some ransomware threats are unique and built from scratch, while others tend to be based on the code of established data-encrypting Trojans. Naturally, the former takes much more time and effort, so most cyber crooks go for the latter.

Propagation and Encryption

Such is the case of the Seto Ransomware – one of the most recently spotted ransomware threats on the Web. When researchers studied this threat, they found out that it is yet another variant of the infamous STOP Ransomware. The reports from users who have become victims of the Seto Ransomware are piling up. It appears that the creators of this threat have been very successful in propagating their creation. It is not known for sure what are the...

Posted on October 4, 2019 in Ransomware

Geost Botnet

The Geost botnet is a campaign carried out mainly on the territory of the Russian Federation, as it targets five Russian banks. The Geost malware goes after Android devices, and so far, experts have estimated that the botnet consists of over 800,000 infected machines.

Propagated via Over 200 Fake Applications

It appears that the creators of the Geost botnet are using bogus applications to propagate their malware. The software used to spread the Geost malware appears to be mostly fake social media and banking applications. These fraudulent applications are not hosted on the official Google Play Store, but they can be found on third-party Android application stores, which are popular in Russia. Cybersecurity researchers have determined that there are likely over 200 bogus applications that are carrying the Geost malware.

Uses the HtBot...

Posted on October 3, 2019 in Botnets