COPAN Ransomware

Recently, a brand-new ransomware threat was spotted circulating on the Web. It has been dubbed the COPAN Ransomware, and it appears to be a variant of the DCRTR-WDM Ransomware. It is not yet confirmed with any certainty which infection vector may be at play in spreading the COPAN Ransomware, but it is speculated that the propagation methods employed by the cyber crooks responsible for this threat may be spam email campaigns, infected pirated software and bogus application updates. The COPAN Ransomware will begin by scanning the system it has infiltrated. The scan will determine the locations of the files that will be targeted for encryption by the COPAN Ransomware. Then, the COPAN Ransomware will begin locking the targeted data. When a file is locked, its name will be changed. The COPAN Ransomware adds an extension at...

Posted on June 19, 2019 in Ransomware

LooCipher Ransomware

Malware researchers have recently uncovered a new data-locking Trojan. Its name is LooCipher Ransomware, which appears to be a humorous spinoff of one of the alternative names of Satan – Lucifer. It seems that the LooCipher Ransomware does not belong to any of the popular ransomware families. Cybersecurity experts have not been able to determine the exact methods of propagation of the LooCipher Ransomware, but it is highly likely that the infection vectors used for spreading this file-encrypting Trojan may be the usual suspects – spam email campaigns, faux software updates and corrupted pirated applications. If the LooCipher Ransomware manages to infiltrate a PC, it will scan it to determine the locations of the files it has been programmed to go after. Once this is completed, the LooCipher Ransomware will start...

Posted on June 19, 2019 in Ransomware

RMS RAT

One of the common methods that cyber crooks use for spreading malware is disguising it as legitimate software. Sometimes just the interface is copied while the code is completely different, but sometimes cybercriminals tweak the code of legitimate applications and modify it in ways that make it useful for their harmful campaigns. The creators of the RMS RAT (Remote Access Trojan) have taken the latter approach. The cybercriminals behind the RMS RAT have used a widely known Russian remote access tool named 'Remote Manipulator System' as the basis for their creation. The legitimate variant of the 'Remote Manipulator System' tool requires the consent of both parties involved to establish a connection. However, the authors of the RMS RAT have modified the original tool, and they no longer need the permission or even...

Posted on June 18, 2019 in Remote Administration Tools

Orion Ransomware

Malware experts in the field of ransomware have spotted a new data-locking Trojan. It is called the Orion Ransomware. When cybersecurity researchers studied this threat, they concluded that it is a variant of the Major Ransomware. It is not yet known with any certainty what the exact method of propagation used in the campaigns spreading the Orion Ransomware is. It is, however, believed that the cybercriminals who created the Orion Ransomware might be spreading it via emails that contain corrupted attachments, bogus software updates and infected pirated applications. When the Orion Ransomware infects a system, it starts the attack by scanning it. The goal is to locate the files that will then be encrypted. Once this is completed successfully, the encryption process is triggered. Once a file is locked by the Orion...

Posted on June 18, 2019 in Ransomware

VanillaRAT

The authors of the VanillaRAT have not released a ready-to-use threatening tool. Instead, they have opted to publish the full source code, which anyone can compile and use. They might have opted for this strategy with two things in mind: it would discourage inexperienced cybercrooks completely from trying their luck with this tool, and it would allow experienced cybercrooks to analyze the code and see that there are no unexpected backdoors that could harm their system. The project is written in C#, and the GitHub page where it is hosted contains extensive instructions on how to compile, configure and use the VanillaRAT. The VanillaRAT is a rather sneaky threat; it is capable of infiltrating a system and remaining under the radar of the victim by not inconveniencing the user in any obvious manner. The VanillaRAT also has a number of...

Posted on June 18, 2019 in Remote Administration Tools

Horon Ransomware

The Horon Ransomware is a recently spotted file-locking Trojan that has surfaced on the Internet. When malware experts came across this new ransomware threat, they looked deeper into it and found that the Horon Ransomware belongs to the notorious STOP Ransomware family. It is yet to be determined with full certainty what propagation method has been employed in spreading the Horon Ransomware. However, cybersecurity researchers speculate that the infection vectors used in propagating the Horon Ransomware may include mass spam email campaigns, faux application updates and infected pirated software. Once the Horon Ransomware gains access to a host, it will perform a quick scan. This scan will determine where the files that the Horon Ransomware is meant to target are located. Then, the Horon Ransomware will proceed with the attack by...

Posted on June 18, 2019 in Ransomware

WSH RAT

Recently, a new RAT (Remote Access Trojan) emerged on a couple of underground hacking forums. It goes by the name WSH RAT and is being marketed as a hacking tool with several different capabilities, including infecting the host with additional malware, as well as collecting sensitive data like usernames and passwords. Closer examination of the WSH RAT's source code revealed that it uses identical function names and methods to H-Worm (Houdini Worm), a piece of malware that gained traction back in 2013. The authors of the WSH RAT know how to make an offer that is difficult to resist, at least for other cyber crooks. They rent out the full version of the WSH RAT for just $25 a month. This allows their clients to employ the WSH RAT in as many campaigns as they wish for the duration of the month they have pre-paid for. There...

Posted on June 17, 2019 in Remote Administration Tools

All-in-One Ransomware Removal Tool

Ransomware threats have been gaining increasing popularity among cyber crooks. They are seen as a way to make a quick buck on the backs of innocent users. However, not only are new file-locking Trojans being spewed out on a daily basis, but there are also ill-minded actors who seek to cause further harm to people who have already fallen victim to ransomware threats. They do this by promoting bogus decryption tools. Recently, malware experts came across such a case on Reddit. A user was promoting an ‘All-in-One Ransomware Removal Tool’ as a legitimate way to recover data that has been affected by a ransomware threat. The creators of the All-in-One Ransomware Removal Tool go by the name ‘mEGAlYthIc pRoDuCtIoNS.’ First of all, the fact that this supposed ‘decryption tool’ claims to be able to decrypt files locked by ‘all’ ransomware...

Posted on June 17, 2019 in Potentially Unwanted Programs

0day Ransomware

Malware researchers have spotted a new data-locking Trojan emerging. This ransomware threat is called the 0day Ransomware. When dissected, the 0day Ransomware was revealed to belong to the widely popular Dharma Ransomware family. It is not clear how exactly the 0day Ransomware is being spread, but cybersecurity experts believe that the infection vectors employed in propagating the 0day Ransomware may include mass spam email campaigns, infected pirated software, as well as faux application updates. When the 0day Ransomware manages to infect a system, it will trigger a scan. The idea behind the scan is to locate the files that the 0day Ransomware was programmed to go after. When this step is completed, the 0day Ransomware will continue the attack by encrypting the targeted data. When the 0day Ransomware locks a file, it changes its...

Posted on June 17, 2019 in Ransomware

HACK Ransomware

A new ransomware threat has surfaced on the Internet – the HACK Ransomware. When malware experts came across the HACK Ransomware, they looked into it and discovered that this data-encrypting Trojan is a variant of the infamous Dharma Ransomware. Cybersecurity researchers have yet to determine with certainty the infection vector used in propagating the HACK Ransomware. However, some speculate that the authors of the HACK Ransomware are spreading their threat via spam emails containing infected attachments, bogus software updates and corrupted pirated applications. Once the HACK Ransomware infiltrates a machine successfully, it begins the attack by scanning it. The purpose of this is to locate the files that will later be encrypted. When this is done, the encryption process begins. After encrypting a file, the HACK...

Posted on June 17, 2019 in Ransomware

HAWKBALL

HAWKBALL is a backdoor Trojan. HAWKBALL's main purpose is to obtain information about the infected device and then deliver a secondary payload. PC security software has mostly responded to HAWKBALL and has been updated to detect and remove it. This is what makes having the latest updates for all security software an essential part of stopping threats like HAWKBALL. However, HAWKBALL is part of an ongoing malware campaign, and it is very likely that it will continue to be updated and that new targets will be selected for HAWKBALL attacks.

Why HAWKBALL is Threatening

HAWKBALL is being distributed through spear-phishing email campaigns targeting specific victims. HAWKBALL attacks are currently targeting Russian government entities located in Central Asia, and it is very likely that the individuals deploying HAWKBALL attacks are...

Posted on June 14, 2019 in Trojans

Echobot

Echobot is one of the many botnets based on the Mirai botnet, a botnet that was quite active in 2016 and spawned numerous copycats after the arrest of its creators. Mirai, at some point, managed to infect more than two million devices. The creators of Mirai released the code for this botnet, and Echobot is just one of the many botnets based on Mirai after its code became public.

How Echobot Carries Out Its Attack

Echobot is nearly identical to the Mirai malware. As part of the Mirai Botnet attack, Linux will be installed on the infected device, as well as various applications such as a Web proxy and software used to carry out DDoS attacks. While Mirai was mostly limited to the so-called Internet-of-Things, or devices that are not personal computers, Echobot carries out attacks on a wider variety of targets and has software...

Posted on June 14, 2019 in Botnets

Poop Ransomware

The Poop Ransomware is an encryption ransomware Trojan. The Poop Ransomware uses a strong encryption algorithm to make the victim's files inaccessible, essentially taking them hostage. The Poop Ransomware then demands a ransom payment in exchange for restoring the data it has captured.

How the Poop Ransomware Attacks a Computer

The Poop Ransomware can be delivered in many ways, including corrupted spam email attachments or direct attacks on a device. Once the Poop Ransomware is installed, it runs a scan of the victim's computer, searching for user-generated files. The Poop Ransomware uses AES encryption to encrypt any file it finds, adding the file extension '.poop' to each file compromised by the attack. The Poop Ransomware targets the files below in this attack: .jpg, .jpeg, .raw, .tif, .gif, .png, .bmp,...

Posted on June 14, 2019 in Ransomware

Vesad Ransomware

The Vesad Ransomware is an encryption ransomware Trojan. The Vesad Ransomware was first released in June 2019. The Vesad Ransomware is one of the many variants in the STOP family of encryption ransomware.

How the Vesad Ransomware Carries Out Its Attack

The Vesad Ransomware carries out a typical encryption ransomware attack, using a strong encryption algorithm to make the victim's files inaccessible and then demanding a ransom payment from the victim. Initially, the Vesad Ransomware scans the victim's computer in search of user-generated files, which may include files with the following file extensions: .jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd,...

Posted on June 14, 2019 in Ransomware

ShellTea

PoS (Point-of-Sale) malware is a rather direct method of stealing cash and is preferred by some cybercriminals and hacking groups. This type of threat works by infiltrating a PoS machine and collecting the sensitive information of the credit cards it services. Often, the cyber crooks target the hotel industry. High-end hotels are the most sought-after victims, as they are likely to deal with rich clients with fat bank accounts. FIN8 is a hacking group known for having an appetite for this kind of cybercrime. The last campaign of the FIN8 group was spotted back in 2017. They employed the PunchBuggy and ShellTea backdoors in an attack targeting the hospitality sector. It was speculated that the FIN8 hacking group might have dissolved because they had been inactive since 2017. However, it turned out that the FIN8 group is alive and well. This...

Posted on June 13, 2019 in Trojans