MilkyDoor Android Malware

A newly discovered Android malware called MilkyDoor turns mobile devices into “walking backdoors” that give attackers access to whatever network an infected user is connected to. Affected phones essentially act as proxy servers that link legitimate networks with malicious command-and-control servers via Socket Secure (SOCKS) protocol, allowing bad actors to exfiltrate data.

It uses remote port forwarding via Secure Shell (SSH) tunnels to hide malicious traffic and grant attackers access to firewall-protected networks. The malware was recently found in over 200 Android applications available through the Play Store. Google has removed them from their official app store.

In total, researchers estimate the apps had between 500,000 and 1 million installs through the Play Store alone.
While MilkyDoor appears to be DressCode’s successor, it adds a few malicious tricks of its own. Among them are more clandestine routines that let it bypass security restrictions and conceal its activity within normal network traffic. It does so by using remote port forwarding through an SSH tunnel over the commonly used TCP port 22. Because the phone initiates the connection outbound, the attacker reaches the internal network through a channel that inbound firewall rules never see, and the SSH encryption hides both the traffic and the payloads, which makes detection trickier.

We found these Trojanized apps masquerading as recreational applications ranging from style guides and books for children to Doodle applications. We surmise that these are legitimate apps which cybercriminals repackaged and Trojanized then republished in Google Play, banking on their popularity to draw victims.

MilkyDoor poses a greater risk to businesses because it is built to reach an enterprise’s internal networks, private servers and, ultimately, corporate assets and data. The way MilkyDoor builds its SSH tunnel is a problem for any network that admits BYOD devices. Its stealth lies in the fact that the infected apps request no sensitive permissions and their network behaviour looks like ordinary app traffic.

The repercussions are also significant. MilkyDoor can covertly give attackers direct access to a variety of an enterprise’s internal services, from web and FTP to SMTP. That access can then be used to poll internal IP addresses and scan for reachable, and vulnerable, servers. The recent spate of compromises of MongoDB and Elasticsearch databases, whose owners were also extorted, is a case in point: those servers were exposed to the internet and ran without authentication. Internal databases that rely on the same assumption, that nobody outside can reach them, become just as exposed once a MilkyDoor-infected phone is on the network.
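The behaviour described above is observable on the wire from the enterprise side: the phone holds an outbound SSH session on TCP/22 to the operator’s host, and the operator then reaches internal services through the phone. The following Python script is an added example, not code from this post or from the MilkyDoor analysis; it flags both signs in flow records. The Zeek conn.log-style layout, the BYOD range 10.50.0.0/16, the internal range 10.0.0.0/8, the bastion 203.0.113.10 and the thresholds are assumptions, and the sample records are constructed.

```python
"""Hunt for MilkyDoor-style SSH pivots in network flow records.

Added example, not code from the original post or from the researchers
who analysed MilkyDoor. Assumptions: flow records in a Zeek conn.log-like
tab-separated layout, a 10.50.0.0/16 mobile/BYOD VLAN, 10.0.0.0/8 as the
internal range and one sanctioned SSH bastion. SAMPLE_CONN_LOG is
constructed for the demo. Two behaviours are flagged:
  1. a BYOD device holding a long, chatty outbound TCP/22 session to an
     unknown external host (the reverse tunnel the page describes);
  2. a BYOD device touching service ports on several internal hosts
     (the attacker polling internal IPs through the SOCKS proxy).
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

BYOD_NET = ipaddress.ip_network("10.50.0.0/16")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SSH_ALLOWLIST = {ipaddress.ip_address("203.0.113.10")}   # assumed corporate bastion
MIN_TUNNEL_SECONDS = 600       # a session this long from a phone is unusual
MIN_TUNNEL_BYTES = 50_000      # tunnels carry real traffic, not just a login banner
INTERNAL_SERVICE_PORTS = {21, 25, 80, 443, 445, 3389, 9200, 27017}
MIN_DISTINCT_TARGETS = 3       # phones have no business touching 3+ internal servers

# Fields: ts, orig_h, orig_p, resp_h, resp_p, proto, duration, orig_bytes, resp_bytes
SAMPLE_CONN_LOG = """\
1492000000.1\t10.50.3.21\t41234\t198.51.100.77\t22\ttcp\t7200.0\t812344\t1033921
1492000050.4\t10.50.3.21\t41301\t172.217.0.46\t443\ttcp\t12.3\t4021\t88211
1492000100.0\t10.50.7.9\t53312\t203.0.113.10\t22\ttcp\t900.0\t60000\t71000
1492000300.0\t10.50.3.21\t41500\t198.51.100.77\t22\ttcp\t45.0\t3000\t2000
1492000400.0\t10.50.3.21\t41601\t10.0.20.4\t27017\ttcp\t1.2\t300\t900
1492000401.0\t10.50.3.21\t41602\t10.0.20.5\t9200\ttcp\t0.8\t300\t1400
1492000402.0\t10.50.3.21\t41603\t10.0.20.6\t21\ttcp\t2.0\t200\t150
1492000500.0\t10.50.7.9\t53400\t10.0.20.9\t443\ttcp\t5.0\t1000\t9000
"""


@dataclass
class Finding:
    device: str
    peer: str
    reason: str


def parse_conn_log(text):
    """Parse the tab-separated records into dicts with typed fields."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        rows.append({
            "orig_h": ipaddress.ip_address(f[1]), "orig_p": int(f[2]),
            "resp_h": ipaddress.ip_address(f[3]), "resp_p": int(f[4]),
            "proto": f[5], "duration": float(f[6]),
            "orig_bytes": int(f[7]), "resp_bytes": int(f[8]),
        })
    return rows


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def find_reverse_tunnels(rows):
    """Sign 1: long, chatty outbound SSH from a BYOD device to a non-allowlisted external host."""
    out = []
    for r in rows:
        if r["proto"] != "tcp" or r["resp_p"] != 22 or r["orig_h"] not in BYOD_NET:
            continue
        if is_internal(r["resp_h"]) or r["resp_h"] in SSH_ALLOWLIST:
            continue
        if (r["duration"] >= MIN_TUNNEL_SECONDS
                and r["orig_bytes"] + r["resp_bytes"] >= MIN_TUNNEL_BYTES):
            out.append(Finding(str(r["orig_h"]), str(r["resp_h"]),
                               "long-lived outbound SSH from BYOD device to unknown host"))
    return out


def find_internal_sweeps(rows):
    """Sign 2: a BYOD device reaching service ports on several distinct internal hosts."""
    targets = defaultdict(set)
    for r in rows:
        if (r["orig_h"] in BYOD_NET and is_internal(r["resp_h"])
                and r["resp_p"] in INTERNAL_SERVICE_PORTS):
            targets[r["orig_h"]].add(r["resp_h"])
    return [Finding(str(dev), ", ".join(str(t) for t in sorted(hosts)),
                    "BYOD device probing service ports on multiple internal hosts")
            for dev, hosts in sorted(targets.items()) if len(hosts) >= MIN_DISTINCT_TARGETS]


def analyze(rows):
    return find_reverse_tunnels(rows) + find_internal_sweeps(rows)


def run_sample():
    return analyze(parse_conn_log(SAMPLE_CONN_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.device} -> {f.peer}: {f.reason}")
```

Run it as a script to print the findings. In practice the BYOD and allowlist ranges come from the network inventory, and the thresholds should be tuned against a week of baseline data, since an engineer legitimately holding a long SSH session from a phone will trip the first rule; the second rule is the stronger signal, because a phone has no reason to touch MongoDB, Elasticsearch or FTP ports on several internal hosts.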

End users and enterprises can benefit from a mobile security product such as Max Total Security, available on Google Play.

SMSVova Spyware (Android)

SMS-based Spyware, which can steal and relay a victim’s location to an attacker in real time, was downloaded between 1 and 5 million times before being pulled from Google’s official U.S. Play Store. On the Play Store, the app was titled “System Update,” suggesting that users who download it would receive the latest Android release.

The malware, called SMSVova, is capable of pinpointing a user’s exact geolocation and then sending that data to an attacker. However, upon installing and opening SMSVova, the app immediately quits, delivering the following message: “Unfortunately, Update Service has stopped.” The app then hides itself from the main screen.

At this point, the app enables a MyLocationService feature that tracks a user’s last known location. It also scans for SMS message commands, which the attacker sends in order to adjust malware settings and ultimately request a user’s device location. The attacker can even specifically ask to receive a location alert when the victim’s battery is running low.


Despite the error message, the spyware sets up an Android service and broadcast receiver:

MyLocationService: Fetches last known location
IncomingSMS (Receiver): Scans for incoming SMS messages

MyLocationService fetches the user’s last known location and stores it in SharedPreferences, one of the several ways Android stores an application’s data.
IncomingSMS looks for incoming SMS messages with a particular syntax: the message body must be longer than 23 characters and contain “vova-”. It also watches for a message containing “get faq”.

Matrix (matrix9643@yahoo.com) ransomware

Matrix, also referred to as the matrix9643@yahoo.com ransomware, functions as a crypto-Trojan. It has worm-like features that let it spread beyond the originally infected machine via Windows shortcuts. The malware appends the “.matrix” or “.b10cked” extension to the name of every encrypted file; for instance, “sample.jpg” is renamed to “sample.jpg.matrix”. Following successful encryption, Matrix creates a text file “matrix-readme.rtf” (newer variants drop “Readme-Matrix.rtf” or “WhatHappenedWithMyFiles.rtf”) containing the ransom demand and places it in every folder with encrypted files.


While performing the encryption, Matrix hides a folder and then creates a shortcut (.lnk) with the same name next to it. It then makes a copy of the ransomware executable and saves it as desktop.ini inside the original, now hidden, folder; the shortcut points at that copy.

A user who clicks what looks like a folder instead launches the malware, which is how it spreads to other users who open the same folder.
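The decoy-shortcut trick above leaves a recognisable footprint on any share it touches: a folder, a “.lnk” of the same name beside it, and a “desktop.ini” inside the folder that is an executable rather than INI text. The following Python scanner is an added example, not the page’s own tooling; it walks a tree looking for exactly that pattern and for the encrypted-file extensions named above. It does not read the Windows hidden attribute (not portable) and does not parse “.lnk” targets; the fixture it builds in a temporary directory is constructed and contains no real malware.

```python
"""Hunt for the Matrix shortcut-propagation artifacts on a file share.

Added example (not from the original post). The scanner looks for the
signs described in the text: a directory with a sibling shortcut of the
same name ("Docs" next to "Docs.lnk"), a desktop.ini inside such a
directory that is actually an executable (starts with the "MZ" PE magic
instead of INI text), and files carrying the ".matrix" / ".b10cked"
extensions. It does not parse .lnk targets and cannot read the Windows
"hidden" attribute portably, so that sign is skipped. demo() builds a
constructed sample tree in a temporary directory and scans it.
"""
import os
import shutil
import tempfile

ENCRYPTED_EXTS = (".matrix", ".b10cked")


def is_pe_file(path):
    """True if the file begins with the DOS/PE 'MZ' magic."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def scan_tree(root):
    """Return a sorted list of (kind, path) findings under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        names = set(filenames)
        for d in dirnames:
            if d + ".lnk" in names:  # folder and shortcut share a name
                findings.append(("lnk_decoy_for_dir", os.path.join(dirpath, d)))
                ini = os.path.join(dirpath, d, "desktop.ini")
                if is_pe_file(ini):  # a real desktop.ini is plain INI text
                    findings.append(("pe_disguised_as_desktop_ini", ini))
        for f in filenames:
            if f.lower().endswith(ENCRYPTED_EXTS):
                findings.append(("encrypted_file", os.path.join(dirpath, f)))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed fixture mimicking an infected share (no real malware)."""
    docs = os.path.join(root, "Docs")
    os.makedirs(docs)
    with open(os.path.join(root, "Docs.lnk"), "wb") as fh:
        fh.write(b"L\x00\x00\x00")            # .lnk header magic; body irrelevant here
    with open(os.path.join(docs, "desktop.ini"), "wb") as fh:
        fh.write(b"MZ\x90\x00fake-pe")        # an executable, not INI text
    with open(os.path.join(docs, "report.docx.matrix"), "wb") as fh:
        fh.write(b"\x00" * 16)
    clean = os.path.join(root, "Pictures")   # untouched folder for contrast
    os.makedirs(clean)
    with open(os.path.join(clean, "desktop.ini"), "w") as fh:
        fh.write("[.ShellClassInfo]\nIconResource=shell32.dll,3\n")
    with open(os.path.join(clean, "cat.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff")


def demo():
    """Build the fixture, scan it, return findings relative to the root."""
    root = tempfile.mkdtemp(prefix="matrix-hunt-")
    try:
        build_sample_tree(root)
        return [(kind, os.path.relpath(p, root)) for kind, p in scan_tree(root)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:30s} {path}")
```

Point scan_tree() at a mounted share to use it for real. A desktop.ini that starts with “MZ” is the strongest indicator: Windows never writes one, so there is no benign explanation for it.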

Files associated with the Matrix Ransomware:
%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\[random].hta
%UserProfile%\AppData\Roaming\[victim_id].pek
%UserProfile%\AppData\Roaming\[victim_id].sek
%UserProfile%\AppData\Roaming\errlog.txt
%UserProfile%\AppData\Roaming\[random].cmd
%UserProfile%\AppData\Roaming\[random].afn
%UserProfile%\AppData\Roaming\[random].ast
%UserProfile%\AppData\Roaming\[random].hta
matrix-readme.rtf
Bl0cked-ReadMe.rtf
WhatHappenedWithFiles.rtf

Network Communication:
stat3.s76.r53.com.ua/addrecord.php
stat3.s76.r53.com.ua/uploadextlist.php

With the daily increase in ransomware activity, users are strongly advised to back up their files every day to minimise data loss, and to use a good anti-virus program such as Max Total Security, which can take daily backups with highly configurable options.

Rijndael Ransomware (another encryptor)

The Rijndael Ransomware may be contained in files named ‘BitcoinMiner.exe’ and ‘r4ns0mw4r3.exe’ and seems to be the work of a coder who goes by the online handle ‘humanpuff69.’ This coder has uploaded YouTube videos on how to create rogue security software and clones of CryptoWall. Like most ransomware Trojans, the Rijndael Ransomware blocks access to the victim’s files by encrypting them with a strong algorithm (Rijndael is the cipher standardised as AES). Files affected by the Rijndael Ransomware have the extension ‘.fucked’ appended to the end of the file name. The Rijndael Ransomware is capable of encrypting a wide variety of files.
To display its ransom note, the Rijndael Ransomware uses a program window that includes the message below:

‘Deathnote Hackers Was Here !
Your Computer files is encrypted
all files is encrypted with extremely
powerfull new RIDNDAEL encryption
that no one can break except you have
a private string and IVs
To Decrypt Your File You Should Pay Me
0.5 BTC (864.98 USD)
Contact Me : Riptours01@gmail.com
insert your code here:
[TEXT BOX] Decrypt!

Although it is usually impossible to recover data encrypted by Trojans like this one, the Rijndael Ransomware’s decryption key is hard-coded into its main executable, and analysts have been able to recover it. Victims can enter the code ’83KYG9NW-3K39V-2T3HJ-93F3Q-GT’ into the text box in the ransom message to restore their files. The con artists will likely update the Rijndael Ransomware to remove this weakness, but for now it is possible to recover files from the attack without paying.
Users can also recover their encrypted files from the Max Total Security Backup module.
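A key that is hard-coded in the executable is found by string extraction, and the detail worth knowing is that .NET binaries store string literals as UTF-16LE, so an ASCII-only “strings” run misses them. The following Python script is an added example, not the analysts’ tooling; it pulls both ASCII and UTF-16LE strings from a byte blob and keeps those shaped like the dash-separated code shown above. That the Rijndael sample is a .NET binary is an assumption here; SAMPLE_BINARY is a constructed stand-in, not the malware.

```python
"""Pull hard-coded key-like strings out of a binary.

Added example (not from the original post). The page notes that the
Rijndael ransomware's decryption code is hard-coded in its executable.
This scanner extracts printable ASCII and UTF-16LE strings from a byte
blob and keeps those that look like the dash-separated code in the
ransom note. The UTF-16LE pass matters because .NET binaries store
string literals that way and a plain ASCII `strings` run misses them.
It is an assumption that the sample is .NET; the technique applies to
any binary. SAMPLE_BINARY is a constructed blob, not the real malware.
"""
import re

ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")               # 8+ printable ASCII bytes
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")      # 8+ printable UTF-16LE code units
KEY_LIKE = re.compile(r"^[A-Z0-9]{2,10}(?:-[A-Z0-9]{2,10}){2,}$")  # 3+ dash-separated groups


def extract_strings(blob):
    """Yield (encoding, text) for printable runs in both encodings."""
    for m in ASCII_RUN.finditer(blob):
        yield "ascii", m.group().decode("ascii")
    for m in UTF16LE_RUN.finditer(blob):
        yield "utf-16le", m.group().decode("utf-16-le")


def find_candidate_keys(blob):
    """Return {key_string: encoding} for every distinct key-like token found."""
    found = {}
    for enc, text in extract_strings(blob):
        for token in re.split(r"[\s\"']+", text):
            if KEY_LIKE.match(token) and token not in found:
                found[token] = enc
    return found


# Constructed stand-in for the executable: PE-ish noise, the ransom note's
# ASCII banner, an ASCII decoy with too few groups, and the key stored as
# a UTF-16LE literal the way a .NET compiler would emit it.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"Deathnote Hackers Was Here !\x00"
    + b"ABCDEFGH-1234\x00\x00\x00"                     # two groups only: not key-like
    + "83KYG9NW-3K39V-2T3HJ-93F3Q-GT".encode("utf-16-le") + b"\x00\x00"
    + b"\x10\x22\x33" * 10
)


def demo():
    return find_candidate_keys(SAMPLE_BINARY)


if __name__ == "__main__":
    for key, enc in demo().items():
        print(f"{enc:8s} {key}")
```

On a real sample, read the file with open(path, "rb").read() and pass it to find_candidate_keys(); widen KEY_LIKE if the family you are looking at formats its codes differently. A key recovered this way is exactly why the note’s claim that “no one can break” the encryption is empty: the secret was shipped to every victim.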

Ramnit Trojan in new malvertising campaign

There has been an increase in malvertising activity coming from adult websites with significant traffic (several million monthly visits each). Malicious actors are using pop-under ads (adverts that load in a new browser window under the current active page) to surreptitiously redirect users to the RIG exploit kit. It has mostly hit Canada and the UK.

Ramnit is an information stealer: it harvests IP addresses, usernames, passwords, account details, email addresses, browser data and more, and sends everything to the crooks behind it. Consider anything entered on an infected machine compromised. The Trojan may also try to make money directly by pushing a fake anti-virus purchase or a fake update. Trust nothing it shows you; do not click on and certainly do not buy anything Ramnit suggests, as that only worsens an already bad situation.

To manually check for the infection, do the following:
1. Open Task Manager by right-clicking the Taskbar and choosing Start Task Manager. Look carefully at the names and descriptions of the running processes. If one looks suspicious, search for its name online; if it turns out to be a malware process, right-click it and choose End task.

2. Open Programs and Features by holding the Win key and R together, typing appwiz.cpl in the field and clicking OK. Uninstall any program you had no intention of installing.

3. Open System Configuration by holding the Win key and R together, typing msconfig and pressing Enter. In the Startup tab, uncheck entries whose Manufacturer is “Unknown”. On Windows 8 and later the startup list has moved to the Startup tab of Task Manager.

4. Scan with Max Total Security. If you still think your PC may be infected, contact Max Secure Software’s free 24×7 technical support.

AngryKite ransomware

Once it has infiltrated a system, AngryKite encrypts various data and renames compromised files using the “[random_characters].NumberDot” pattern, discarding the original name. For example, “sample.jpg” might be renamed to “G4ag0-3tga.NumberDot”. Following successful encryption, AngryKite opens a pop-up window containing a fake error message.

The message states that a malware infection has been detected and that files are encrypted. To remove the malware, victims are encouraged to call a toll-free phone number (“1-855-545-6800″) provided. Victims are then supposedly guided through the malware removal process. In fact, this is a scam.

Text presented within AngryKite pop-up:

WARNING: SYSTEM MAY HAVE FOUND anonymous encryption on your computer. You would not be able to access the files on your computer. Your System May have Found (2) Malicious Viruses Rootkit.Encrypt & Trojan.Spyware Your Personal & Financial information MAY NOT BE SAFE Your system has encryption ransomware which may permanently encrypt your data Please call immediately to avoid further damage Toll free 1-855-545-6800.

No decryptor is currently available for this malware; the only way to get the files back is to restore them from backup. It is recommended to keep an updated copy of Max Total Security, which takes daily backups of the files on your PC.

Chrysaor Malware on Android

Chrysaor is spyware believed to be created by NSO Group Technologies, specializing in the creation and sale of software and infrastructure for targeted attacks. Chrysaor is believed to be related to the Pegasus spyware that was first identified on iOS. Chrysaor is a highly sophisticated malware most likely used to carry out advanced espionage campaigns.

Chrysaor doesn’t exploit a vulnerability. Instead, Google believes attackers coax specifically targeted individuals to download the Chrysaor malware onto their device. “Once Chrysaor is installed, a remote operator is able to surveil the victim’s activities on the device and within the vicinity, leveraging microphone, camera, data collection, and logging and tracking application activities on communication apps such as phone and SMS,” wrote Google.

Upon installation, the app uses Framaroot rooting techniques to find security holes that allow the attackers to escalate privileges and break Android’s application sandbox, Google said. “If the targeted device is not vulnerable to these exploits, then the app attempts to use a superuser binary pre-positioned at /system/csk to elevate privileges,” according to Google.

Chrysaor is also careful about detection and is programmed to uninstall itself if there is any chance it has been found: it removes itself from the phone if the SIM MCC ID is invalid, if an ‘antidote’ file exists, if it has not been able to check in with its servers for 60 days, or if it receives a command from the server to remove itself.
Chrysaor had a very low install volume, all outside Google Play: fewer than three dozen installs on victim devices. Those devices were located in a small number of countries:
[Figure: countries where Chrysaor installs were observed]

To ensure you are fully protected against Potentially Harmful Applications (PHAs) and other threats, we recommend these 5 basic steps:

1. Install apps only from reputable sources, such as Google Play.
2. Enable a secure lock screen: pick a PIN, pattern or password that is easy for you to remember and hard for others to guess.
3. Update your device: keep it up to date with the latest security patches.
4. Locate your device: practise finding your device with Android Device Manager, because you are far more likely to lose your device than to install a PHA.
5. Keep a good anti-virus or mobile security product installed on your device, such as Max Total Security.

Fluffy-TAR Ransomware

This malware is designed to encrypt files and append the “.lock75” extension to their names (for example, “sample.jpg” might be renamed to “sample.jpg.lock75”). After infiltrating the system and encrypting files, Fluffy-TAR displays a pop-up window and places an image file, “fluffy.png”, on the desktop.


The pop-up window contains a ransom-demand message available in English and French. It is stated that files are encrypted and decryption requires a unique key. To receive this key, victims must pay a ransom of .039 Bitcoin (approximately, $45).

The Trojan may run as ‘Fluffy-TAR.exe’ and ‘Fluffy.exe’ from the Temp and AppData directories on infected machines. We should note that the executable can be configured to use random names that are unique for every compromised system. The ‘critical security warning’ window supports bilingual text and a five-day countdown timer.
English part of text presented within Fluffy-TAR first pop-up:
—————————————————————————-
ATTENTION REQUIRED – This is not an ad or a promotional content but a critical security warning about your system. Click “English” above for more details.
—————————————————————————
Depending on the selection made by the victim, the Fluffy-TAR Ransomware would load the appropriate version of the ransom request. The first slide within the ‘ATTENTION REQUIRED’ window offers the following message:
—————————————————————————–
‘What’s happening?
Oh no! Fluffy-TAR has encrypted some of your files! It means that they are not lost, but cannot be used until decrypted. They are “locked”, you could say. If you see a file which name ends with “lock75”, it means this file is encrypted. The process is easily reversible but requires a key.
What do I do?
To get your files back, you must buy the decryption key. This payment must be done in Bitcoins, a cryptographic currency. Bitcoin is becoming more and more accessible and nowadays, it is really easy to use Bitcoins.
See the online interface (button below) for a more detailed introduction to bitcoins. To get your files back, please send exactly (or more if you want) 0.039 Bitcoins to this address, BEFORE the countdown below ends:
[RANDOM CHARACTERS]
Uppercase/lowercase matter! Make sure you send to the right address! (you can scan the QR code to copy it)
After sending the payment, wait an hour then click the “retrieve key automatically” button below. The software will then receive the key and decrypt ALL encrypted files. Without the key, it is impossible to decrypt your files.
Without the proper payment, it is impossible to get the key. When the countdown reaches zero, you will lose all encrypted documents.
Please note: if you have an antivirus, disable it now if you don’t want to lose your data.’
—————————————————————————–

The instruction to disable your antivirus is the usual lie; do the opposite. Run your security tools and remove Fluffy-TAR right away: less elaborate threats need an uninterrupted stretch of time to finish encrypting data, so stopping them early limits the damage. Likewise, if you notice warning signs such as an extremely slow system or odd User Account Control prompts, restart the device.

As far as encrypted files are concerned, you need to restore them from a backup on an external device, or from a security product such as Max Total Security, which takes secure daily backups on your PC that the malware cannot infect.

HappyDayzz ransomware

Happydayzz is a ransomware-type virus. Once it has infiltrated a system, Happydayzz encrypts various files stored on it. During this process it renames encrypted files using the “[blackjockercrypter@gmail.com].[22_random_characters].happydayzz” pattern; for example, “sample.jpg” might be renamed to “[blackjockercrypter@gmail.com].GlM8-AiM04-Lq6mHG1i0L0.happydayzz”. Following successful encryption, Happydayzz creates an HTA file (“How To Recover Encrypted Files.hta”) in each folder containing encrypted files.

The HTA file informs users of the encryption and tells them to pay a ransom to restore their files. To arrange payment, victims are instructed to contact the creators of HappyDayzz either via the Skype name nsyaneksab.aked or via blackjockercrypter@gmail.com. Only during that conversation do the attackers reveal the exact amount of bitcoin they demand for decryption.

HappyDayzz is delivered and executed on victims’ computers through malicious spam email attachments. The attackers typically impersonate popular banks, government institutions, companies or social media networks to draw more people into the scam. Keep in mind that although the attackers use Happydayz@india.com and blackjockercrypter@gmail.com to communicate with their victims, the spam that delivers the malware does not come from those addresses. So be careful and vigilant when going through your email and downloading attachments.

The only way to get rid of this ransomware is to restore the PC to a previously known good configuration or to reinstall it.
Data loss can be prevented if you were using Max Total Security, which backs up files every day. Make sure to copy the backup files to an external device before you format your PC. Max Total Security users can also call on the free 24×7 technical support in such situations.

Zorro Ransomware

Zorro is a new file-encrypting malware that uses symmetric cryptography. Once it has infiltrated a system, it encrypts files and appends the “.zorro” extension to the name of each compromised file. For example, “sample.jpg” is renamed to “sample.jpg.zorro”. Zorro then creates a text file [“Take_Seriously (Your saving grace).txt”] and places it on the desktop.

The most likely way to get infected with Zorro is email spam. The crooks behind the virus rely on sending out malicious emails crafted to look as if they came from a legitimate company such as Amazon, PayPal, BestBuy or a similar entity. The goal of Zorro is to take over your computer and lock its important files. The virus targets audio files, documents, project files, images, music, game saves, just about everything that could be valuable to the user, and locks them by encrypting them.

Your best bet for recovering files is to restore them from backup, and to keep an updated version of Max Total Security on your PC.
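Every family on this page announces itself through file names: Matrix, Rijndael, Fluffy-TAR and Zorro append an extension and leave the original name intact, AngryKite and HappyDayzz replace it, and most drop a note with a fixed name. The following Python triage function is an added example, not the page’s own tooling; it encodes those rename patterns and note names exactly as listed in the sections above and applies them to a constructed directory listing, recovering original file names where the family permits it.

```python
"""Attribute encrypted-file names and ransom notes to the families on this page.

Added example (not from the original post). It encodes the rename patterns
and ransom-note filenames the page lists for Matrix, Rijndael, AngryKite,
Fluffy-TAR, HappyDayzz and Zorro and applies them to a directory listing.
Families that append an extension keep the original name, which is
recovered here; AngryKite and HappyDayzz replace the name, so nothing can
be recovered from the filename alone. SAMPLE_LISTING is constructed.
"""
import re
from collections import Counter

# (family, pattern). Group "orig" captures the original filename when it survives.
ENCRYPTED_NAME_RULES = [
    ("Matrix",     re.compile(r"^(?P<orig>.+)\.(?:matrix|b10cked)$", re.I)),
    ("Rijndael",   re.compile(r"^(?P<orig>.+)\.fucked$", re.I)),
    ("Fluffy-TAR", re.compile(r"^(?P<orig>.+)\.lock75$", re.I)),
    ("Zorro",      re.compile(r"^(?P<orig>.+)\.zorro$", re.I)),
    ("AngryKite",  re.compile(r"^[A-Za-z0-9-]+\.NumberDot$")),
    ("HappyDayzz", re.compile(r"^\[[^\]]+@[^\]]+\]\.[A-Za-z0-9-]{22}\.happydayzz$", re.I)),
]

# Ransom-note filenames named on this page, lower-cased for matching.
RANSOM_NOTE_NAMES = {
    "matrix-readme.rtf": "Matrix",
    "readme-matrix.rtf": "Matrix",
    "whathappenedwithmyfiles.rtf": "Matrix",
    "bl0cked-readme.rtf": "Matrix",
    "how to recover encrypted files.hta": "HappyDayzz",
    "take_seriously (your saving grace).txt": "Zorro",
}


def classify_name(name):
    """Return (family, original_name_or_None, kind) or None if nothing matches."""
    low = name.lower()
    if low in RANSOM_NOTE_NAMES:
        return RANSOM_NOTE_NAMES[low], None, "note"
    for family, rule in ENCRYPTED_NAME_RULES:
        m = rule.match(name)
        if m:
            return family, m.groupdict().get("orig"), "encrypted"
    return None


def triage_listing(names):
    """Summarise a listing: per-family counts, recovered originals, unmatched names."""
    hits = [(n, classify_name(n)) for n in names]
    families = Counter(c[0] for _, c in hits if c)
    recovered = {n: c[1] for n, c in hits if c and c[1]}
    return {"families": dict(families), "recovered": recovered,
            "unmatched": [n for n, c in hits if not c]}


# Constructed listing mixing several families with unrelated files.
SAMPLE_LISTING = [
    "budget.xlsx.matrix", "photo.jpg.b10cked", "matrix-readme.rtf",
    "notes.txt", "setup.exe", "G4ag0-3tga.NumberDot",
    "[blackjockercrypter@gmail.com].GlM8-AiM04-Lq6mHG1i0L0.happydayzz",
]


def demo():
    return triage_listing(SAMPLE_LISTING)


if __name__ == "__main__":
    result = demo()
    print("families:", result["families"])
    print("recovered originals:", result["recovered"])
    print("unmatched:", result["unmatched"])
```

Feed it the output of a recursive directory listing from the affected host; the “families” counts tell you which note to look for and which section above applies, and “recovered” gives the list of original names to check against backups.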