Purple Fox

The Purple Fox Trojan downloader is a threat that has been on the radar of malware researchers since 2018. So far, experts believe that this Trojan has managed to claim over 30,000 victims worldwide. The creators of the Purple Fox Trojan have updated their threat and are now employing the RIG Exploit Kit to inject their creation into the targeted hosts. The payload of the Purple Fox Trojan downloader is no longer reliant on the NSIS installation tool, but instead on PowerShell commands. This way, the attackers have made the whole operation quieter and less likely to be spotted by researchers or anti-malware tools. The Purple Fox Trojan's operators tend to use it mainly to plant crypto-mining threats on the compromised hosts. However, this Trojan downloader can also be used for planting far more harmful threats.

Exploits Used...

Posted on October 3, 2019 in Trojans

'X280@protonmail.com' Ransomware

The 'x280@protonmail.com' Ransomware is among the newest ransomware threats spotted by experts. In the past few years, there has been a growing interest in data-locking Trojans as they are simple to build (provided that one borrows readily available code from other ransomware threats) and easy to propagate.

Propagation and Encryption

Upon studying the 'x280@protonmail.com' Ransomware, researchers found that this file-encrypting Trojan belongs to the Estemani Ransomware family. It is likely that the authors of the 'x280@protonmail.com' Ransomware are taking advantage of macro-laced attachments to spread this Trojan via email. Some experts believe that the 'x280@protonmail.com' Ransomware also may be propagated via bogus pirated copies of popular applications and fraudulent software updates. The 'x280@protonmail.com' Ransomware will make...

Posted on October 3, 2019 in Ransomware

Noos Ransomware

It would seem that nowadays, every cyber crook is trying their luck with ransomware threats. Some build nasty file-locking Trojans from the ground up, but most prefer to save themselves the effort and simply borrow readily available code from already established ransomware threats.

Propagation and Encryption

One of the most recent data-encrypting Trojans is the Noos Ransomware. Once the Noos Ransomware was dissected, it became clear that this is yet another variant of the notorious STOP Ransomware. It is likely that the most common ransomware propagation methods are at play when it comes to the Noos Ransomware's infection vectors – bogus application updates, fraudulent pirated variants of popular software and mass spam email campaigns. A brief scan will be performed as soon as the Noos Ransomware manages to compromise a system. The scan...

Posted on October 3, 2019 in Ransomware

xHunt

The xHunt hacking campaign was spotted several months ago, and malware researchers have made sure to keep a close eye on its activity. The xHunt campaign was first noticed by cybersecurity experts when the Hisoka backdoor Trojan was spotted on systems linked to a transportation company based in Kuwait. After studying the threat, researchers concluded that the Hisoka Trojan appears to be linked to several other malware families, namely Killua, Sakabota, Gon, Netero and EYE. It seems that all these tools are a part of the arsenal of the same group of cyber crooks. The infrastructure used by these cyber-criminals appears to be similar to how the infamous Iranian APT OilRig (also known as Helix Kitten) is carrying out its campaigns. This does not mean that the OilRig hacking group is behind the xHunt campaign necessarily, as there is not...

Posted on October 2, 2019 in Malware

Badday Ransomware

Nowadays, file-encrypting Trojans are one of the most prevalent threats online, claiming new victims daily. They are often viewed as a way to make a quick buck and are not overly complicated to build, as long as the cyber crooks borrow most of the code from already existing ransomware threats.

Propagation and Encryption

One of the most recently detected data-locking Trojans is the Badday Ransomware. As its name suggests, you will likely have quite the bad day if you fall victim to this nasty Trojan. When malware researchers dissected the Badday Ransomware, they found out that it is a variant of the GlobeImposter 2.0 Ransomware. It is not disclosed what infection vectors are employed in the propagation of the Badday Ransomware. Some researchers believe that fake pirated variants of popular applications, alongside mass spam email...

Posted on October 2, 2019 in Ransomware

Angus Ransomware

Ransomware threats are claiming more and more victims on a daily basis. This malware type has become one of the most popular ways for cybercriminals to generate some cash. The fact that the cyber crooks can just borrow readily available code and only alter it slightly adds to the appeal of ransomware as it does not require one to be highly skilled in the field of tech to make some quick money.

Propagation and Encryption

Recently, cybersecurity researchers uncovered a new file-locking Trojan called the Angus Ransomware. Upon studying the Angus Ransomware, experts concluded that it is a variant of the ZeroPadypt Ransomware. Emails containing macro-laced attachments, bogus application updates, and fake pirated variants of popular applications may be among the infection vectors employed by the creators of the Angus Ransomware. If the Angus...

Posted on October 2, 2019 in Ransomware

GhostCat

The GhostCat malware is a particularly cunning threat as it operates without leaving any traces of its hazardous activity. Instead of infiltrating the device itself, the GhostCat threat works within the Web browser of the victim. The authors of the GhostCat malware have made sure that unless all the criteria set for the attack are met, the threat will not launch the attack. The GhostCat malware will check if the user is browsing any of the over one hundred websites, which are compatible with the threat.

Propagated Via Advertisements

The GhostCat malware is propagated via various advertising networks. However, these ad networks are spreading the GhostCat threat unknowingly because the authors of this malware have made sure that the code of their creation is so heavily obfuscated that it will manage to bypass the security measures set up...

Posted on October 2, 2019 in Malware

WhiteShadow

The WhiteShadow threat appears to be what is often referred to as malware-as-a-service because instead of using it privately, its creators have decided to rent it out to potential clients. The WhiteShadow, in its essence, is a Trojan downloader, and most of its activity in 2019 involved delivering the infamous Crimson RAT to targeted systems. However, the WhiteShadow is capable of delivering a wide range of other malware to infected hosts, including Remcos, Agent Tesla, Formbook, njRAT and others.

Propagation Via Microsoft Office Attachments

The operators of the WhiteShadow downloader appear to be using spam email campaigns mainly to propagate this threat. Microsoft Office attachments containing corrupted macro-scripts seem to be the main infection vector employed in the spreading of the WhiteShadow malware. To get the user to...

Posted on October 1, 2019 in Trojans

Gucci Botnet

The Gucci botnet is a recently uncovered botnet, which targets IoT (Internet-of-Things) devices mainly. Cybercriminals have a growing interest in compromising IoT devices as more and more of our gadgets become 'smart' and connect to the Internet. However, this is not the sole reason there is a boom in targeting IoT machines. More often than not, IoT devices are very vulnerable to infiltration as their producers do not appear to put too much effort into securing them against cyber attacks.

Compatible with Some Laptops and Desktop Computers

It is important to note that the Gucci botnet does not go after IoT devices only. After studying the threat, experts discovered that the authors of the Gucci malware had employed binaries, which also are compatible with the x86 architecture that is typical for desktop computers and laptops. The server,...

Posted on October 1, 2019 in Botnets

Arcane Stealer

The Arcane Stealer V is an info stealer that has been traced back to what appears to be a group of cyber crooks originating from Russia. This became clear as cybersecurity experts uncovered Twitter, Discord, and Telegram profiles of an individual linked to the creation of the Arcane Stealer V. In all the profile bios, the person in question had stated that he/she is a Russian citizen.

Costs Only $9

The authors of the Arcane Stealer V have opted to sell it as a service online to other shady individuals with questionable morals. Despite the Arcane Stealer V not being the highest-end info stealer on the market, it has some redeeming qualities such as its extremely low price. For just $9, a buyer gets access to the Arcane Stealer V's full feature set. These include collecting: Steam-related files. Cryptocurrency wallets....

Posted on October 1, 2019 in Stealers

FTCODE Ransomware

Another ransomware threat has reared its ugly head recently. Its name is FTCODE Ransomware, and it does not appear to belong to any of the popular ransomware families. It is not known if free and publicly available decryption tools for the FTCODE Ransomware are available.

Propagation and Encryption

It has not been determined which infection vectors are involved in the propagation of this threat. Cybercriminals dealing with data-locking Trojans tend to use several classic propagation methods - emails containing macro-laced attachments, fraudulent application updates, and fake pirated versions of popular software. Often, ransomware threats tend to target a wide variety of files to guarantee that enough damage will be done and the user may consider paying up the ransom. Usually, files like images, documents, videos, audio...

Posted on October 1, 2019 in Ransomware

Nodersok

Many cyber crooks are taking an interest in hacking techniques called LOLBins (Living-Off-the-Land Binaries). This is becoming increasingly popular because it allows cybercriminals to bypass anti-malware tools, as the threatening campaigns are carried out through legitimate applications and services, which helps the operators remain under the radar. Recently, malware researchers have spotted a new threat that employs the LOLBins techniques – Nodersok. The authors of this threat have gone a step further and have made sure that these techniques are executed at every phase of the attack, making the Nodersok a threat that operates very silently.

Turns Compromised Machines into Proxy Servers

The creators of the Nodersok threat are using it to infect hosts and turn them into proxy servers by injecting them with a proxy script called Node.JS...

Posted on September 30, 2019 in Malware

Masad Stealer

The Masad Stealer is a hacking tool that also is sold as a service on various hacking forums. To get the interest of potential buyers, the authors of the Masad Stealer offer a free lite version of the threat, which naturally has limited capabilities compared to the full version. The fully weaponized variant of the Masad Stealer is sold for $85.

Operates on Telegram

The operators of the Masad Stealer have opted to host their malware's campaign on the messaging application Telegram, with bots serving as C&C (Command & Control) servers. This application has been gaining popularity for a while now and has over 200,000,000 users worldwide. This is an interesting and cunning approach as trying to track the attackers on such a massive platform can prove to be nearly impossible.

It can Collect Cryptocurrency Wallets and Operate as a Clipper

The...

Posted on September 30, 2019 in Stealers

'Patern32@protonmail.com' Ransomware

The public tends to see malware creators as highly skilled individuals with dark powers, almost like modern-day black magicians. While some certainly fit this description, most individuals who operate malware threats are nothing like this. More often than not, cyber crooks borrow code from one another and alter it ever so slightly to fit their preferences and needs. This is the case with today's ransomware threat – the 'Patern32@protonmail.com' Ransomware.

Propagation and Encryption

Once researchers spotted the 'Patern32@protonmail.com' Ransomware and looked into it, it became evident that this threat is a variant of the Omerta Ransomware. The propagation methods applied in the spreading of the 'Patern32@protonmail.com' Ransomware may vary – from mass spam email campaigns with messages that contain macro-laced...

Posted on September 30, 2019 in Ransomware

Boot Ransomware

Most cybercriminals tend to use already available code to build new threats, as writing a whole piece of malware from scratch is certainly not an easy task that anyone can do. Many authors of ransomware tend to borrow the code of already established data-locking Trojans and change it slightly to fit their purposes.

Propagation and Encryption

One of the most recently uncovered ransomware threats is the Boot Ransomware, which belongs to the notorious STOP Ransomware family, a family that has been very active all throughout 2019. Malware experts do not know what infection vectors are involved in the propagation of the Boot Ransomware. It is highly likely that the authors of this file-encrypting Trojan are applying the most common propagation methods like bogus application updates and spam emails containing infected attachments. The first step of...

Posted on September 30, 2019 in Ransomware