1 Million Google Accounts Breached by Gooligan Malware

Gooligan has compromised and stolen login tokens from over one million Android devices. The malware was first seen in 2014, and initially it did not include the ability to steal Google login tokens.

Since it first appeared, the malware has been detected by different security firms under different names, such as Ghost Push, MonkeyTest, and Xinyinhe; in Google's reports it is referenced as Ghost Push. The malware uses malicious apps hosted on third-party app stores to infect users. Once Gooligan has a foothold on an infected device, it contacts an online command-and-control (C&C) server and downloads a rootkit package that gains boot persistence and includes four or five Android exploits that root the device.
Anyone running an older version of Android, including 4.x (Jelly Bean, KitKat) and 5.x (Lollipop), is most at risk; these versions represent nearly 74% of Android devices in use today. After getting root privileges, Gooligan installs apps from Google Play as part of affiliate pay-per-install schemes, posts fraudulent ratings for apps on Google Play, and installs adware that clicks on ads for the malware author's profit.
This is what Gooligan does:

1. Steal a user’s Google email account and authentication token information
2. Install apps from Google Play and rate them to raise their reputation
3. Install adware to generate revenue

Appendix A: List of fake apps infected with Gooligan

Perfect Cleaner
Demo
WiFi Enhancer
Snake
gla.pev.zvh
Html5 Games
Demm
memory booster
แข่งรถสุดโหด
StopWatch
Clear
ballSmove_004
Flashlight Free
memory booste
Touch Beauty
Demoad
Small Blue Point
Battery Monitor
清理大师
UC Mini
Shadow Crush
Sex Photo
小白点
tub.ajy.ics
Hip Good
Memory Booster
phone booster
SettingService
Wifi Master
Fruit Slots
System Booster
Dircet Browser
FUNNY DROPS
Puzzle Bubble-Pet Paradise
GPS
Light Browser
Clean Master
YouTube Downloader
KXService
Best Wallpapers
Smart Touch
Light Advanced
SmartFolder
youtubeplayer
Beautiful Alarm
PronClub
Detecting instrument
Calculator
GPS Speed
Fast Cleaner
Blue Point
CakeSweety
Pedometer
Compass Lite
Fingerprint unlock
PornClub
com.browser.provider
Assistive Touch
Sex Cademy
OneKeyLock
Wifi Speed Pro
Minibooster
com.so.itouch
com.fabullacop.loudcallernameringtone
Kiss Browser
Weather
Chrono Marker
Slots Mania
Multifunction Flashlight
So Hot
Google
HotH5Games
Swamm Browser
Billiards
TcashDemo
Sexy hot wallpaper
Wifi Accelerate
Simple Calculator
Daily Racing
Talking Tom 3
com.example.ddeo
Test
Hot Photo
QPlay
Virtual
Music Cloud

Right now the only way to get rid of this malware is to re-flash your device.

Cerber Ransomware 5.0 is Out

With the release of yet another version of the notorious Cerber ransomware, its authors have shown that so far they cannot be stopped. This version (5.0.1) was detected in parallel with Locky’s latest update, which uses the .zzzzz file extension, suggesting competition between the two ransomware makers. Ransomware attacks continue to increase, and users whose files have been encrypted by such viruses are asked to pay a hefty ransom to get their files back. Anyone infected by the ransomware should not pay the ransom.

Cerber ransomware may use .hta, .html or .htm files to cause an infection via spam messages sent to users; infections are also caused via malicious web links posted online and sent as messages on social media or other places that favor third-party links. Once installed, Cerber 5.0 encrypts the victim’s data and then demands a ransom payment in bitcoins to decrypt the files. The notable changes in this version are:

– The .secret extension is added to the list of file types targeted for encryption.
– The ransomware now skips 640 bytes of a file when encrypting it, compared to 512 bytes in previous versions.
– The minimum size of a file that Cerber will encrypt is now 2,560 bytes, compared to 1,024 bytes in previous versions; any file smaller than 2,560 bytes is left unencrypted.

In addition, there were changes in the IP ranges used to send statistical UDP packets. The ranges are: 63.55.11.0/27, 15.93.12.0/27, and 194.165.16.0/22.

As always, we close this post with the suggestion that users of any computing device should be careful before downloading software and decline any free software offered along the way. Also keep a good antivirus program such as Max Total Security, and have peace of mind with advanced detection and daily data backup (just in case some ransomware makes it to your files!).

Kangaroo ransomware

The Kangaroo ransomware is the latest ransomware from the developer behind the Apocalypse Ransomware, Fabiansomware, and Esmeralda.

Because the ransomware terminates the Explorer process when started and prevents Task Manager from launching, it essentially locks the user out of Windows until they pay the ransom or remove the infection. Although the screenlocker can be disabled in Safe Mode or by pressing ALT+F4, for many casual computer users this would effectively prevent them from using their computer.

Following successful infiltration, Kangaroo encrypts files and appends their names with the “.crypted_file” extension (for example, “sample.jpg” becomes “sample.jpg.crypted_file”). Once files are encrypted, Kangaroo opens a pop-up message and creates identical text files beside each encrypted file. The text file names are associated with the encrypted files (for example, “sample.jpg.crypted_file.Instructions_Data_Recovery.txt”). The pop-up message and text files contain an identical ransom-demand message.

Unlike most other ransomware infections, this family is not spread through exploit kits, cracks, compromised sites, or Trojans, but instead by the developer manually breaking into computers over Remote Desktop. When the developer gets into a computer and executes the ransomware, a screen is shown that contains the victim’s unique ID and their encryption key.

When the developer clicks Copy and Continue, the information is copied to the Windows clipboard so that the developer can save it. The ransomware then begins encrypting the computer’s files, appending the .crypted_file extension to each encrypted file’s name. This ransomware also has the unusual practice of creating an individual ransom note for every file that is encrypted. These ransom notes are named in the format filename.Instructions_Data_Recovery.txt, for example test.jpg.Instructions_Data_Recovery.txt.

When finished, Kangaroo displays a lock screen that falsely claims there is a critical problem with the computer and that the data has been encrypted. It then provides instructions on how to contact the developer at kangarooencryption@mail.ru to restore the data.
This ransomware also sets the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon “LegalNoticeText” registry value so that a legal notice is shown that the user must read before the Windows login prompt appears. This guarantees that a victim, or the computer’s administrator, will see the ransom note the next time they log in.

At this time, there is no way to decrypt the encrypted files. As I have always cautioned readers, keep a good antivirus and total security program such as Max Total Security to prevent infection and to recover data once attacked by malware.

Android.MulDrop.924 malware has more than one million installs on Google Play Store

More than a million users have downloaded a particularly sneaky Android trojan that is available on the official Google Play Store. Android.MulDrop.924 is an application that lets users run several user accounts in games and other applications. However, its main function is to covertly download and display advertisements.
Part of the trojan’s functionality is implemented in the modules kxqpplatform.jar and main.jar. They are encrypted and embedded in the PNG image icon.png, which is located in a resource folder. Once launched, the trojan extracts these components into its local directory under /data and loads them into memory.

The module main.jar contains several advertising plug-ins designed to generate income. One of them is the Trojan Android.DownLoader.451.origin that covertly downloads applications and invites a user to install them. The module is also responsible for advertising.

In another version of Android.MulDrop.924, the module main.jar contains one more malicious plug-in that is detected as Android.Triada.99. It downloads exploits and uses them to get root privileges. In addition, this module can download and install various software programs.
If your device is infected and locked, activate Safe Mode, then install and scan with Max Total Security for Android to get rid of this and many other malware families prevalent on Android devices.

Karma ransomware

Karma Ransomware pretends to be a Windows optimization program called Windows-TuneUp. Worse, this sample was discovered as software that would potentially be distributed by a pay-per-install software monetization company when people install free software downloaded from the Internet.
It turns out that this file-encrypting malware was distributed alongside other freeware and presented as recommended additional software that helps the user speed up a slow computer and fix other performance-related issues (it is no longer active, because its command-and-control servers have already been taken down). The program even had an official website, which is also no longer active. Clearly, the scammers put great effort into making people believe that Windows-TuneUp is a legitimate tool; however, it did not take long to realize that in reality it is a Trojan that delivers Karma ransomware.
When the victim downloads and installs the program, it launches automatically and pretends to check the system for errors and problems that need to be fixed. While the victim explores the panel of this fake optimization tool, the malware scans system folders and encrypts target files with a sophisticated cipher. The real intention of this fake optimization software emerges when it shows a ransom note.


Files associated with the Karma Ransomware:
Windows-TuneUp.exe

Registry entries associated with the Karma Ransomware:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer “auth”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ “Saffron”= “%Desktop%\\# DECRYPT MY FILES #.html”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ “Safron”= “%Desktop%\\# DECRYPT MY FILES #.txt”

IOCs:
SHA256: 6545ae2b8811884ad257a7fb25b1eb0cb63cfc66a742fa76fd44bddd05b74fe8
SHA256: cf5fda29f8e1f135aa68620ce7298e930be2cb93888e3f04c9cd0b13f5bc4092

Network Communication:
karma2xgg6ccmupd.onion
windows-tuneup.com/web293/xUser.php

Finally, users of any computing device should be careful before downloading software and decline any free software offered along the way. Also keep a good antivirus program such as Max Total Security, and have peace of mind with advanced detection and daily data backup (just in case some ransomware makes it to your files!).

iRansom Ransomware

iRansom encrypts files and appends the “.Locked” extension to the name of each encrypted file. For example, “sample.jpg” is renamed to “sample.jpg.Locked”. Following successful encryption, iRansom opens a pop-up window containing a ransom-demand message. iRansom Ransomware threatens your personal files, and if you do not stop this infection in time, all of your documents, media files, photos, archives, and other valuable files could be encrypted. The threat uses the AES (Advanced Encryption Standard) algorithm to lock up your files, and it can do so silently. Most likely you will not notice that your files were encrypted at all until the ransom note pops up on the screen. If this screen has already popped up, there is nothing you can do to stop the encryption process, because it is already complete.

To manually delete iRansom Ransomware:

  • Launch Task Manager by pressing Ctrl+Shift+Esc (or press Ctrl+Alt+Delete and select Task Manager).
  • Click the Processes tab and select the malicious process (it could be named iRansom.exe).
  • Click the End Task/End Process button below and exit the utility.
  • Right-click the malicious .exe file (file name and location are unknown) and select Delete.
  • Launch Run by pressing Win+R and enter regedit.exe into the dialog box.
  • In Registry Editor, move to HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run.
  • Right-click the malicious value (it could be named iRansom) and select Delete.
  • Install a good antivirus solution such as Max Total Security and scan your operating system to make sure your PC is now clean.

Keep spam emails away and scan with a good antivirus every day. Back up your data daily and never pay the ransom if hit by the malware.
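The Kangaroo, Karma and iRansom write-ups above each name a registry location the malware writes to (the Winlogon LegalNoticeText value and Run entries). The following is an added example, not code from the original post, that scans a .reg export for those artifacts; the export text is constructed for the example, and the rule that a Run entry pointing at an .html/.txt file is suspicious is a generalization of the Karma entries.

```python
import re

# Constructed .reg export fragment (not taken from a real machine) containing the
# persistence artifacts described for Kangaroo, Karma and iRansom above, plus one
# benign Run entry so the checks have something to ignore.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"LegalNoticeText"="Your files are encrypted. Contact kangarooencryption@mail.ru"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Saffron"="C:\\Users\\victim\\Desktop\\# DECRYPT MY FILES #.html"
"Safron"="C:\\Users\\victim\\Desktop\\# DECRYPT MY FILES #.txt"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"iRansom"="C:\\Users\\victim\\AppData\\Local\\Temp\\iRansom.exe"
'''

RUN_KEY = re.compile(r'\\CurrentVersion\\Run$', re.IGNORECASE)
WINLOGON_KEY = re.compile(r'\\Windows NT\\CurrentVersion\\Winlogon$', re.IGNORECASE)
KNOWN_RUN_NAMES = {'saffron', 'safron', 'iransom'}   # value names quoted in the write-ups
NOTE_MARKERS = ('# decrypt my files #',)               # Karma ransom note file name
DOCUMENT_EXTS = ('.html', '.htm', '.txt')              # a Run entry should start a program

def parse_reg(text):
    """Yield (key, value_name, data) for each value in a .reg export; only REG_SZ data is decoded."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif key and line.startswith('"') and '"=' in line:
            name, _, raw = line[1:].partition('"=')
            if raw.startswith('"') and raw.endswith('"'):
                # .reg files escape backslashes and quotes inside string data
                raw = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            yield key, name, raw

def find_ransomware_persistence(reg_text):
    """Return (reason, key, value_name, data) for every entry matching one of the patterns above."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        lname, ldata = name.lower(), data.lower()
        if WINLOGON_KEY.search(key) and lname == 'legalnoticetext' and data:
            findings.append(('Winlogon LegalNoticeText is set (Kangaroo plants its note here)', key, name, data))
        elif RUN_KEY.search(key):
            if lname in KNOWN_RUN_NAMES:
                findings.append(('Run value name matches a known ransomware entry', key, name, data))
            elif any(m in ldata for m in NOTE_MARKERS) or ldata.endswith(DOCUMENT_EXTS):
                findings.append(('Run entry opens a document rather than a program', key, name, data))
    return findings

if __name__ == '__main__':
    for reason, key, name, data in find_ransomware_persistence(SAMPLE_REG):
        print(f'{reason}\n  {key} -> "{name}" = {data}')
```

A non-empty LegalNoticeText is also set legitimately by some organisations, so that finding is a prompt to read the text rather than proof of infection.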

ISHTAR Ransomware

ISHTAR Ransomware is another cryptovirus-type ransomware. The name is taken either from the well-known Israeli singer or from the Mesopotamian goddess of war, sex, power, fertility and love. This ransomware encrypts the user’s files, prepends the “ISHTAR” marker to the names of the encrypted files, and demands a ransom payment to restore access to the compromised data.

The interesting thing about this particular ransomware is that it does not change the file name extension; it merely adds the “Ishtar” prefix to the file name. The ransom note is written in two languages and is named “README-ISHTAR.txt”. ISHTAR can be distributed via various means: email spam campaigns, malicious ads, browser hijacker redirects and software bundles downloaded from untrusted sources. It also deletes the shadow volume copies on Windows using the following command:

“vssadmin.exe delete shadows /all /Quiet”

We highly recommend that you follow good security practices to stay protected from this and other threats.

Ransomware like ISHTAR urges victims to buy and send 1 Bitcoin to the attackers’ wallet address. Security researchers strongly advise users not to fall into the ransomware operators’ trap and not to pay the ransom, because the operators will not provide any decryption tool after payment. The better option is to remove it from your system and restore your data from a backup. You can delete ISHTAR Ransomware using a strong antivirus program such as Max Total Security, which not only provides continuous protection from the latest malware but also gives you daily file backup so that you can easily revert your data.
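The shadow-copy deletion command quoted above is one of the few loud things ISHTAR does before the note appears, which makes it a good detection point. As an added example (not from the original post), this checks process-creation records for any vssadmin "delete shadows" invocation, generalizing beyond the exact command on the page to any argument order or letter case; the record layout and the sample lines are constructed for the example.

```python
import ntpath

# Constructed process-creation records (not real telemetry) in the form
# "timestamp|image path|parent image path|command line".
SAMPLE_EVENTS = [
    r'2016-11-21T09:12:03|C:\Windows\System32\vssadmin.exe|C:\Windows\System32\cmd.exe|vssadmin list shadows',
    r'2016-11-21T09:40:17|C:\Windows\System32\vssadmin.exe|C:\Users\victim\Downloads\invoice.exe|vssadmin.exe delete shadows /all /Quiet',
    r'2016-11-21T09:40:18|C:\Windows\System32\cmd.exe|C:\Windows\explorer.exe|cmd /c dir',
    r'2016-11-21T09:41:02|C:\Windows\System32\vssadmin.exe|C:\Windows\System32\cmd.exe|vssadmin Delete Shadows /for=C: /oldest',
]

def parse_event(line):
    """Split one constructed record into its four fields."""
    ts, image, parent, cmdline = line.split('|', 3)
    return {'time': ts, 'image': image, 'parent': parent, 'cmdline': cmdline}

def is_shadow_deletion(event):
    """True when vssadmin is run with the 'delete shadows' verb, in any argument order or case."""
    if ntpath.basename(event['image']).lower() != 'vssadmin.exe':
        return False
    tokens = [t.lower() for t in event['cmdline'].split()]
    return 'delete' in tokens and 'shadows' in tokens

def detect(lines):
    """Return one finding per shadow-copy deletion; the parent process is the lead to the sample that ran it."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if not is_shadow_deletion(ev):
            continue
        flags = sorted(t.lower() for t in ev['cmdline'].split() if t.startswith('/'))
        findings.append({'time': ev['time'], 'parent': ev['parent'], 'flags': flags,
                         'all_copies': '/all' in flags})   # /all wipes every restore point
    return findings

if __name__ == '__main__':
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['time']} shadow copies deleted by {f['parent']} flags={f['flags']}")
```

Administrators do run vssadmin legitimately, so the parent process field, not the command alone, is what separates backup maintenance from ransomware.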

Android banking malware masquerades as Flash Player

The malware masquerades as a Flash Player app that, once installed, appears in the phone’s launcher. If the phone owner launches the app, they see a fake Google Play screen asking for permissions that grant the malware device administrator rights.

Then, when a banking app is opened, the malware creates a fake overlay that tricks victims into entering their login credentials. Among the banking apps targeted are those of NAB, ING Direct and Citi, as well as PayPal. The malware also takes aim at social media apps: when users launch Facebook, WhatsApp, Snapchat, Twitter, Instagram and others, they are shown a screen overlay asking for payment card details.

Meanwhile, due to its ability to intercept SMS communications, the malware is also able to bypass SMS-based two-factor authentication. Users can disable the device administrator rights through their phone settings and then uninstall the fake Flash Player.

Locky Ransomware switches to THOR Extension

A new variant of the infamous Locky ransomware has been released, and more than 14 million virus-laden emails have gone out so far. These spam messages come with a booby-trapped .zip attachment that poses as an invoice or letter of complaint to the targeted organisation but actually contains malicious JavaScript. The new variant is currently being distributed through a variety of spam campaigns with VBS, JS and other attachments. One spam campaign that I have seen has the subject line Budget forecast and contains a ZIP attachment called budget_xls_[random_chars].zip.

Victims who open the attachment on a Windows PC end up with an infected machine and scrambled files. The latest attack has switched from appending the .SH*T extension to encrypted files to using the .THOR extension instead. When the Locky spam attachments are executed, they download an encrypted DLL, decrypt it on the victim’s computer, and then execute it using Rundll32.exe to encrypt the victim’s files.

Once executed, it scans for targeted file types and encrypts them, renaming each to a scrambled name with the .thor extension. For example, a file called accounting.xlsx could be renamed to 024BCD33-41D1-ACD3-3EEA-84083E322DFA.thor. The naming scheme is [first_8_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[4_hexadecimal_chars]-[12_hexadecimal_chars].thor. Unfortunately, it is not possible to decrypt files encrypted by the Locky THOR variant.

At this time the only way to recover encrypted files is from a backup. Do not forget to schedule the daily backup module in Max Total Security.
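Each family above leaves a distinct naming artifact: Kangaroo's .crypted_file suffix and per-file Instructions_Data_Recovery.txt notes, iRansom's .Locked suffix, ISHTAR's prefix plus README-ISHTAR.txt, and the Locky THOR 8-4-4-4-12 hex name. The following is an added example, not code from the original post, that classifies a file listing by those artifacts and recovers original names where the scheme allows it; the listing is constructed, and the "ISHTAR-" separator is an assumption since the write-up only says the name is prepended.

```python
import re
from collections import Counter

# Constructed file listing (not from a real incident) mixing clean files with the naming
# artifacts described above for Kangaroo, iRansom, ISHTAR and the Locky THOR variant.
SAMPLE_LISTING = [
    'report.docx',
    'sample.jpg.crypted_file',
    'sample.jpg.crypted_file.Instructions_Data_Recovery.txt',
    'test.jpg.Instructions_Data_Recovery.txt',
    'notes.txt.Locked',
    'ISHTAR-budget.xlsx',
    'README-ISHTAR.txt',
    '024BCD33-41D1-ACD3-3EEA-84083E322DFA.thor',
    'holiday.png',
]

KANGAROO_NOTE = '.Instructions_Data_Recovery.txt'
# Locky THOR: 8-4-4-4-12 hex groups and .thor; the original name is not recoverable.
LOCKY_THOR = re.compile(r'^[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\.thor$', re.IGNORECASE)
# Assumption: ISHTAR separates its prefix from the original name with '-'.
ISHTAR_PREFIX = re.compile(r'^ISHTAR-(.+)$', re.IGNORECASE)

def classify(name):
    """Return (family, kind, original_name) for a ransomware artifact, or None for a clean name."""
    if name.endswith(KANGAROO_NOTE):
        orig = name[:-len(KANGAROO_NOTE)]
        # the note may carry the encrypted name (sample.jpg.crypted_file) or the plain one (test.jpg)
        if orig.endswith('.crypted_file'):
            orig = orig[:-len('.crypted_file')]
        return ('Kangaroo', 'note', orig)
    if name.endswith('.crypted_file'):
        return ('Kangaroo', 'encrypted', name[:-len('.crypted_file')])
    if name.endswith('.Locked'):
        return ('iRansom', 'encrypted', name[:-len('.Locked')])
    if name == 'README-ISHTAR.txt':
        return ('ISHTAR', 'note', None)
    m = ISHTAR_PREFIX.match(name)
    if m:
        return ('ISHTAR', 'encrypted', m.group(1))
    if LOCKY_THOR.match(name):
        return ('Locky THOR', 'encrypted', None)
    return None

def triage(listing):
    """Count artifacts per (family, kind) and collect the original names that can be recovered."""
    counts, originals = Counter(), {}
    for name in listing:
        hit = classify(name)
        if hit:
            family, kind, orig = hit
            counts[(family, kind)] += 1
            if orig:
                originals.setdefault(family, set()).add(orig)
    return counts, originals

if __name__ == '__main__':
    counts, originals = triage(SAMPLE_LISTING)
    print(dict(counts))
    print(originals)
```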

Smash! Ransomware blocks access to various windows processes and applications

A ransomware that pretends to be very scary has been reported by malware researchers to be completely harmless; it only blocks access to various Windows processes and applications. Anyone infected by this virus should not be scared and should not pay any ransom to the cyber-criminals behind Smash!, since this low-quality virus may be either a test virus (malware sometimes released to see whether the infection works) or low-quality malware written by script kiddies.

Smash! Ransomware uses a cute image of the Super Mushroom from Super Mario Bros holding a knife. Though it calls itself ransomware and threatens to delete your files after a timer runs down, in reality this malware is more like a screenlocker and does not delete anything from the computer. Furthermore, many of its functions are not coded yet, so this is either a poorly created program or a development version.

When executed, Smash! displays a series of messages that attempt to welcome you to the program. These messages are displayed below.

When you get to the last message and press OK, it displays a screen with a timer labeled File Kill Timer and then prompts you to enter a 7-digit code to close the program.

As of right now, you can type whatever you want into the code box, and pressing the button does nothing, because the function that corresponds to the button click is currently empty. Furthermore, when the timer runs down, the screen changes to imply that it is deleting files from the infected computer. In reality it does nothing, as the program currently has no ability to delete a victim’s files.

Ultimately, with its lack of dangerous functionality and its use of Super Mario Bros characters, Smash! Ransomware is cute rather than damaging. What does currently work is that it blocks certain programs from running: if you try to run Regedit, Task Manager, or a CMD prompt, it attempts to terminate the process and displays a message box stating that the program is blocked. As this malware does not configure an autostart, you can simply reboot your computer and the infection will no longer be running at login.