BadBlock ransomware

BadBlock is ransomware that, after infiltrating a system, encrypts files stored on the victim's computer. Unlike Locky, TeslaCrypt, KimcilWare, PETYA, Mischa, CryptXXX and most other families, BadBlock does not append an extension to the files it encrypts, so an encrypted file keeps its original name and is indistinguishable from an intact one by its listing alone. After encryption, BadBlock opens a window with a message describing what happened and creates a Help_Decrypt.html file (containing the same message) in every folder that holds encrypted files.

It changes the desktop wallpaper to a red lock screen captioned "Badblock is on the block!" and claims that the user's files were encrypted with RSA, an asymmetric algorithm that uses a key pair (public and private) and is widely used to protect data in transit.

After rendering the files inaccessible, BadBlock demands a ransom of two bitcoins (about $900 at the time, according to the ransom note). The note also links to instructions on how to buy bitcoins and how to transfer them to the attacker's wallet.

The ransom note further explains that decryption will only start once the payment has been verified, which it says can take up to two hours. It also warns, "If your anti-virus gets updated and removes BadBlock automatically, even if you pay the ransom, it will not be able to recover your files!"
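Because BadBlock leaves file names untouched, the only on-disk markers of what was hit are the Help_Decrypt.html notes and the contents of the files beside them. The script below is an added example (not code from the page or from any vendor): it walks a directory tree, and in every folder that contains the note it flags files whose header no longer matches their extension (a .docx that does not start with the ZIP signature, for instance) or, for formats it has no signature for, whose byte entropy is near that of ciphertext. The sample tree it builds in a temporary directory is constructed for the demonstration; the note file name is the one the text gives, and the magic-byte table and the 7.5 bits/byte threshold are the author's assumptions.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

NOTE_NAME = "Help_Decrypt.html"
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext sits near 8, English text around 4-5

# Expected leading bytes for a few common formats (assumed table, extend as needed).
# A file whose header no longer matches its extension is the clearest sign that
# its contents were overwritten, since BadBlock does not rename anything.
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
    ".pdf": b"%PDF", ".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG",
}


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path):
    """Header check first; entropy only for formats without a known signature."""
    with open(path, "rb") as fh:
        head = fh.read(65536)          # first 64 KiB is enough to judge
    expected = MAGIC.get(Path(path).suffix.lower())
    if expected is not None:
        return not head.startswith(expected)
    # Compressed formats (zip, jpg, docx) also read as high entropy, which is why
    # the signature check takes precedence and entropy is only the fallback.
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def find_affected(root):
    """Map each folder holding the ransom note to the files in it that look encrypted."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        if NOTE_NAME not in files:
            continue                   # no note here: BadBlock did not touch this folder
        hits[os.path.relpath(dirpath, root)] = sorted(
            f for f in files
            if f != NOTE_NAME and looks_encrypted(os.path.join(dirpath, f))
        )
    return hits


def build_sample_tree(root):
    """Constructed stand-in for an infected profile; nothing here is a real sample."""
    docs = Path(root, "Documents")
    docs.mkdir()
    (docs / NOTE_NAME).write_text("<html>Your files have been encrypted</html>")
    (docs / "report.docx").write_bytes(os.urandom(4096))           # ZIP header gone: ciphertext stand-in
    (docs / "notes.txt").write_bytes(os.urandom(4096))             # no signature known, high entropy
    (docs / "readme.txt").write_text("quarterly figures\n" * 200)  # untouched plaintext
    (docs / "intact.pdf").write_bytes(b"%PDF-1.4\n%placeholder\n")  # header intact: not flagged
    pics = Path(root, "Pictures")
    pics.mkdir()
    (pics / "cat.jpg").write_bytes(os.urandom(4096))               # no note in this folder: skipped


def demo():
    """Build the sample tree, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_affected(root)


if __name__ == "__main__":
    for folder, files in demo().items():
        print(f"{folder}: {', '.join(files) or '(nothing flagged)'}")
```

On a real host you would point `find_affected` at the user profile root and at mapped drives, and treat the list as a triage aid rather than a verdict: a compressed file whose extension is not in the table can still trip the entropy fallback, so add signatures for the formats your environment actually uses.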

DMA Locker 4.0 – Ransomware Prepares for Distribution

In contrast to the previous versions, DMA Locker 4.0 cannot encrypt files offline: it has to download the RSA public key from its C&C server. If the sample is opened on a computer without an internet connection, it only installs itself and waits; once the machine is connected it runs silently until it has finished encrypting all the files, then displays a ransom message and asks for payment in bitcoin. The practical consequence is that a host whose outbound connection to the C&C is blocked stays installed-but-unencrypted, so network containment buys real time with this version.

This time DMA Locker comes with an added deception layer: the packed sample carries an icon that mimics a PDF document. Once run, it copies itself to the same location as previous editions, C:\ProgramData, under the name svchosd.exe. Alongside the main sample we find two additional files: select.bat and cryptinfo.txt.

cryptinfo.txt is the ransom note, analogous to those from previous editions; only the content has changed. It is now much shorter and contains a link to a website specific to each victim. The malware also adds registry values for persistence under HKEY_USERS: the main sample, svchosd.exe, is registered under the name "Windows Firewall" and the script select.bat under "Windows Update". The public key is no longer hardcoded but generated per victim and downloaded.

RuMMS Android Malware Spreads via SMS Spam, Steals Money from Bank Accounts, Targets Users in Russia

To infect potential victims, the operators send SMS messages containing links of the form hxxp://yyyyyyyy[.]XXXX.ru/mms.apk, which is why FireEye named the malware "RuMMS." Anyone who taps such a link and installs the downloaded APK is infected.

The SMS is a simple lure: it promises a recent MMS message from a friend and directs the victim to a website that asks them to install an app to view it. That app is RuMMS. During installation it requests device-administrator privileges, which most users grant. Once granted, the malware hides its icon, starts collecting data about the victim and sends it to a C&C server.

With device-administrator rights in hand, the malware runs in the background and performs the following actions:

1. Sending device information to a remote command and control (C2) server.
2. Contacting the C2 server for instructions.
3. Sending SMS messages to financial institutions to query account balances.
4. Uploading any incoming SMS messages (including the balance inquiry results) to the remote C2 server.
5. Sending C2-specified SMS messages to phone numbers in the victim’s contacts.
6. Forwarding incoming phone calls to intercept voice-based two-factor authentication.

From this point on, the malware acts as a fully fledged banking trojan. RuMMS queries various online services to see whether the user has bank accounts and tries to authenticate with the data found on the device. Because it can intercept both SMS and voice-based two-factor codes, the second factor a bank sends to the phone offers no protection once the phone itself is compromised.

Researchers said that during their investigation RuMMS never stole more than 600 rubles (about $9 / €8) from a victim. Keeping the sums small lets the attacker hide the transfers among a user's regular card transactions, which are usually of similar size.
To reach as many devices as possible, RuMMS performs one more operation: it reads the victim's contact list and sends every contact the same lure SMS the victim received earlier.

This trick means the operators do not have to rely on their own number lists; the malware self-propagates like a classic worm, and a lure arriving from a known contact is not evidence that it is safe. At the time of writing, FireEye reported around 300 different versions of the malware and said that all domains that once hosted the malicious APK no longer serve it.

Smishing (SMS phishing) is a vector peculiar to mobile users. The RuMMS campaign shows that it remains a popular way for threat actors to distribute malware, so be careful when acting on links received by SMS.
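The lure link shape given above (a defanged hxxp://…/mms.apk URL) is easy to hunt for in an SMS export or a mobile-gateway log. The following triage function is an added example, not FireEye's tooling or code from the page: it pulls URLs out of message text, undoes the usual defanging so they can be parsed, and flags links that hand out an Android package directly, together with the MMS-viewing pretext. The SMS log it runs over is constructed; the first message reuses the link pattern quoted in the text, the rest are invented benign and malicious decoys, and the sender labels are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed SMS log as (sender, text).  The "contact" sender illustrates the
# self-propagation case: RuMMS sends the lure from infected phones to their contacts.
SAMPLE_SMS = [
    ("+7 900 000 00 01", "Вам пришло MMS от друга. Смотреть: hxxp://yyyyyyyy[.]XXXX.ru/mms.apk"),
    ("Alice (contact)",  "see the mms I sent you http://example[.]org/view/mms.apk?id=7"),
    ("+7 900 000 00 02", "Your parcel is ready for pickup: https://track.example.com/order/123"),
    ("Bank",             "Your code is 482913. Do not share it."),
]

# Matches both live (http/https) and defanged (hxxp/hxxps) scheme prefixes.
URL_RE = re.compile(r"""\bh(?:xx|tt)ps?://[^\s<>"']+""", re.IGNORECASE)


def refang(url):
    """Undo common defanging so urlsplit can parse the link (hxxp -> http, [.] -> .)."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("(.)", ".")


def triage_sms(messages):
    """Return one finding per URL found, with the reasons it looks like an APK smish."""
    findings = []
    for sender, text in messages:
        for raw in URL_RE.findall(text):
            url = refang(raw)
            parts = urlsplit(url)
            reasons = []
            apk = parts.path.lower().endswith(".apk")
            if apk:
                reasons.append("link serves an Android package directly, outside the app store")
            if re.search(r"\bmms\b", text, re.IGNORECASE):
                reasons.append("MMS-viewing pretext")
            if parts.scheme == "http":
                reasons.append("plain http download")
            findings.append({
                "sender": sender,
                "url": url,
                "host": parts.hostname,   # urlsplit lowercases the host
                "apk": apk,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage_sms(SAMPLE_SMS):
        flag = "SUSPECT" if f["apk"] else "ok     "
        print(f"{flag} {f['host']:<22} from {f['sender']}: {'; '.join(f['reasons']) or '-'}")
```

The `.apk` check is the decisive one: a legitimate bank or carrier does not deliver its app as a bare package link over SMS. The sender field is deliberately carried through without influencing the score, because the campaign's whole point is that the message often comes from a number the victim knows.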

Panda Banker: New Banking Trojan Hits the Market, Puts Your Money at Risk

Panda Banker is spreading through Microsoft Word documents. The attackers use an elaborate delivery chain to do something simple: steal your money. The Word files either exploit a Microsoft Office vulnerability (CVE-2014-1761 or CVE-2012-0158) or trick you into enabling macros. So if a document you opened from an e-mail shows a prompt asking you to enable macros, do not trust it; delete the mail.

If you do enable macros and Panda Banker runs, it starts collecting information about you, including your user name, your local time zone and the antivirus products installed. From this it builds a fingerprint, an ID specific to you and your computer. It then uses web injects: when you visit your bank's website, it alters the page as displayed in your browser so that the login credentials you type are captured and sent to the attackers.

So far, Panda Banker has only been seen stealing bank credentials from victims in the United Kingdom and Australia. Unfortunately, banking trojan campaigns like this tend to spread quickly, especially once the operators are successfully cashing out. So be sure to protect yourself.

Note: Make sure you run up-to-date Internet security software on all your devices. We recommend Max Total Security.

Following are some of the key locations where it installs itself: a Run value named notepad.exe that starts the trojan at every logon, and the dropped executable that value points to:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\notepad.exe

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\JavaScripts\notepad.exe
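Both families on this page persist the same way: a value under a per-user Run key whose name borrows a Windows component or system binary ("Windows Firewall", "Windows Update", notepad.exe) while the data points into a user-writable directory (C:\ProgramData, AppData\Roaming). The script below is an added example serving both the DMA Locker 4.0 persistence described earlier and the Panda Banker entries just listed; it is not code from either analysis. It parses text laid out the way `reg query` prints keys and values, scores each Run entry, and reports the ones that combine an impersonating name with a drop-location path. The registry dump it scans is constructed for the demonstration (the SID, the OneDrive entry and the scoring weights are assumptions); on a live host you would feed it the output of `reg query HKU /s` or read the keys with the winreg module.

```python
import re
from difflib import SequenceMatcher
from pathlib import PureWindowsPath

# Constructed sample in the layout `reg query` prints: a key line, then one indented
# value line per entry (<name>    <type>    <data>).  The three malicious entries
# mirror the text; OneDrive is a benign per-user autostart included to show that
# "lives under AppData" alone is not enough to convict.
SAMPLE_REG_QUERY = r"""
HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Windows Firewall    REG_SZ    C:\ProgramData\svchosd.exe
    Windows Update    REG_SZ    C:\ProgramData\select.bat

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    notepad.exe    REG_SZ    C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\JavaScripts\notepad.exe
"""

RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
VALUE_LINE = re.compile(r"^ {4}(.+?) {4}(REG_\w+) {4}(.*)$")
EXE_IN_DATA = re.compile(r'^"([^"]+)"|^(\S+)')   # quoted path, else first token (unquoted paths with spaces are ambiguous)

WRITABLE_DIRS = ("\\programdata\\", "\\appdata\\", "\\users\\public\\", "\\temp\\")
COMPONENT_NAMES = {"windows firewall", "windows update", "windows defender", "windows security"}
SYSTEM_BINARIES = ("svchost", "notepad", "explorer", "csrss", "lsass", "winlogon", "rundll32")


def parse_reg_query(text):
    """Yield (key, value_name, data) for every value under a Run/RunOnce key."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key and RUN_KEY.search(key):
            yield key, m.group(1), m.group(3)


def assess(value_name, data):
    """Score one autostart entry; returns (score, [(reason, weight), ...])."""
    m = EXE_IN_DATA.match(data.strip())
    target = (m.group(1) or m.group(2)) if m else data
    lowered = target.lower()
    reasons = []
    if any(d in lowered for d in WRITABLE_DIRS):
        reasons.append(("runs from a user-writable drop directory", 1))
    if value_name.lower() in COMPONENT_NAMES:
        reasons.append(("value name impersonates a Windows component", 2))
    stem = PureWindowsPath(target).stem.lower()
    if "\\windows\\" not in lowered and any(
            SequenceMatcher(None, stem, s).ratio() >= 0.85 for s in SYSTEM_BINARIES):
        # catches both exact borrowings (notepad.exe) and near-misses (svchosd vs svchost)
        reasons.append(("file name mimics a system binary outside %SystemRoot%", 2))
    return sum(w for _, w in reasons), reasons


def suspicious_autostarts(text, threshold=2):
    """Run entries scoring at or above `threshold`, with their reasons."""
    findings = []
    for key, name, data in parse_reg_query(text):
        score, reasons = assess(name, data)
        if score >= threshold:
            findings.append({"key": key, "name": name, "data": data,
                             "score": score, "reasons": [r for r, _ in reasons]})
    return findings


if __name__ == "__main__":
    for f in suspicious_autostarts(SAMPLE_REG_QUERY):
        print(f"[{f['score']}] {f['name']!r} -> {f['data']}")
        for r in f["reasons"]:
            print(f"      - {r}")
```

The weights are chosen so that location alone never flags an entry (OneDrive scores 1) while an impersonating name does, since legitimate software does not register itself as "Windows Update". Note that DMA Locker wrote under HKEY_USERS\<SID>, which is the same hive HKEY_CURRENT_USER maps to for that logged-on user, so a sweep that only queries HKCU from the analyst's own session would miss entries planted for other profiles.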