MIRCOP Crypto-Ransomware

The MIRCOP ransomware is distributed as a malicious document attached to spam emails, posing as a Thai customs form used when importing or exporting goods. The document asks the user to enable macros, supposedly so that the form can be signed; the macro instead abuses Windows PowerShell to download and execute the malicious payload.

The following screen is shown to the victim, accusing them of having stolen 48.48 BTC from a hacktivist group.

[Image: MIRCOP ransom note]

Researchers also discovered that, in addition to encrypting files on the infected machine, MIRCOP can steal credentials from various applications, including Mozilla Firefox, Google Chrome, Opera, FileZilla, and Skype. Users should be careful with mail from unknown sources and should refrain from downloading or opening any attachments it carries.

MIRCOP demands a ransom of 48.48 bitcoins (US$28,730.70 as of June 23, 2016), which is among the highest demands we have seen. At the end of the note, the author leaves a bitcoin address. Unlike other ransom notes, which walk victims step by step through making the payment, MIRCOP's note assumes the victim is already familiar with bitcoin transactions.

RockLoader Delivers New Bart Encryption Ransomware

A new ransomware named Bart is spreading. Bart locks the victim's files by using third-party software to compress each file into a password-protected ZIP archive and appending the extension ".bart.zip". It appears to spread through the same vectors as Locky, which it also mimics.

The ransom note shown below is displayed to the victim and saved to the desktop as "recovery.txt".

[Image: Bart ransom note (recovery.txt)]

Messages in this campaign carried the subject "Photos" with an attachment named "photos.zip", "image.zip", "Photos.zip", "photo.zip", "Photo.zip", or "picture.zip". Each ZIP file contained a JavaScript file with a name such as "PDF_123456789.js".
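The delivery pattern above (a script file with a document-like name packed into an innocuous archive) is straightforward to triage at a mail gateway. The following is an added example written for this digest, not code from the original report: it opens a ZIP attachment in memory and flags script members, rating a member as a lure when its name imitates a document. The extension list beyond ".js" and the name patterns beyond "PDF_<digits>" are assumptions; the sample archives are constructed inline.

```python
"""Triage a ZIP mail attachment for the Bart campaign's delivery pattern:
a script file (e.g. "PDF_123456789.js") packed into an innocuous-looking
archive ("photos.zip"). Added example; the sample archives are constructed
in memory and are not real campaign files."""
import io
import posixpath
import re
import zipfile

# Extensions Windows hands to the Windows Script Host or mshta when double-clicked.
# ".js" is the one used in the Bart campaign; the others are assumed additions.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}

# Names that imitate documents or pictures, e.g. "PDF_123456789" (from the
# campaign) or "invoice-2016" (assumed); used to rate a script member as a lure.
DOC_LOOKALIKE = re.compile(r"^(pdf|doc|invoice|scan|photo|image|img)[_-]?\d*$", re.IGNORECASE)


def inspect_zip_attachment(data: bytes) -> dict:
    """Return {'suspicious': bool, 'findings': [...]} for one attachment's raw bytes."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.namelist():
                # Normalise Windows-style separators and look only at the file name.
                base = posixpath.basename(member.replace("\\", "/"))
                stem, ext = posixpath.splitext(base)
                if ext.lower() not in SCRIPT_EXTENSIONS:
                    continue
                reason = f"script file {member!r} inside archive"
                if DOC_LOOKALIKE.match(stem):
                    reason += " with a document-like name"
                findings.append(reason)
    except zipfile.BadZipFile:
        # A corrupt or disguised archive is itself worth a closer look.
        findings.append("attachment is not a valid ZIP archive")
    return {"suspicious": bool(findings), "findings": findings}


def build_sample_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; only used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed lure in the campaign's naming pattern; the content is an inert comment.
    lure = build_sample_zip({"PDF_123456789.js": b"// constructed placeholder, not malware\n"})
    # Constructed benign attachment for comparison.
    photos = build_sample_zip({"IMG_0001.jpg": b"constructed jpeg placeholder"})
    print(inspect_zip_attachment(lure))
    print(inspect_zip_attachment(photos))
```

The check deliberately keys on the member name rather than on file content, because the campaign relied on users double-clicking a script that Windows will run regardless of what icon or name it carries; a gateway rule that quarantines archives containing any script member would have caught every attachment variant listed above.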


Encrypted files look like the examples below:

[Image: encrypted files carrying the .bart.zip extension]

The ransom note urges the user to visit a payment portal and pay 3 bitcoins (just under $2,000 at current exchange rates). The payment portal is similar to the one used by Locky. By harnessing the skill and judgment of empowered users, an organization can bolster its defenses against malware delivered via phishing email.

Overlay Malware spreading via SMS phishing in Europe on Android devices

Overlay malware is a criminal's Swiss Army knife: flexible and effective at stealing financial credentials as well as many other types of sensitive data from an Android device. Overlay malware botnets are expected to proliferate because the malware has proven able to steal financial credentials, along with other authentication and customer data, from mobile devices.

Threat actors typically first set up the command-and-control (C2) servers and malware hosting sites, then place the malware apps on those sites and send victims SMS messages containing a link that leads to the malware app. Once on the user's device, the malware launches a process that monitors which app is running in the foreground. When the user brings a benign app that the malware is programmed to target (such as a banking app) to the foreground, the malware draws a phishing view on top of it. The unwary user, believing they are using the benign app, enters their account credentials, which are then sent to remote C2 servers controlled by the threat actors.

Smishing (SMS phishing) offers a distinctive vector for infecting mobile users. The latest smishing campaigns spreading in Europe show that it remains a popular means for threat actors to distribute their malware. Threat actors have also been using a variety of hosting schemes and different C2 servers, and have continuously refined their malicious code to infect more users and evade detection.

To protect against these threats, users should not install apps from outside official app stores and should be cautious before clicking links whose origin is unclear.

Beware Of Nasty zCrypt

First detected on May 24 by a security researcher named Jack, the ransomware infects users' computers via malicious spam, malicious macros in Microsoft Office documents, and fake software installers. "We are alerting Windows users of a new type of ransomware that exhibits worm-like behavior. This ransom leverages removable and network drives to propagate itself and affect more users. We detect this ransomware as Ransom:Win32/ZCryptor.A," Microsoft stated in its Threat Research & Response blog. Microsoft notes in its alert that the ransomware currently targets 88 different file types for encryption.

[Image: ZCryptor ransom note]

When executed, the malware shows a pop-up that appears benign, likely to distract the user while the malware contacts its command-and-control server and begins the encryption routine. The pop-up keeps reappearing while the malware is running. Once installed, the ransomware proceeds to encrypt the unsuspecting user's files. At this time there is no known way for ZCryptor victims to recover their encrypted files for free, unless they have a secure backup of their data to hand.

Victims must pay the ransom, remove the malware and its files from their computers, and then scan their machines for additional malicious code. ZCryptor also has a secret: before it even begins encrypting, it drops an "autorun.inf" on every attached removable drive, effectively copying itself to all USB drives connected to the computer at the time of infection.

This propagation technique sets ZCryptor apart from other ransomware variants such as Alpha, which can only encrypt files on shared folders. This newest ransomware may even realize the notion of a "cryptoworm", first articulated by Cisco security researcher William Largent back in April. ZCryptor might be a harbinger of threats to come.

Fortunately, we can largely defend against it as we would other ransomware: avoid clicking suspicious links and email attachments, disable macros by default, download software only from trusted sources, maintain secure backups, and run an up-to-date anti-virus product capable of scanning the removable drives attached to our computers.