‘Komplex’ OS X Trojan

Komplex is a Trojan that the Sofacy group created to compromise individuals using OS X devices. The Trojan has multiple stages, the first being a binder component responsible for saving a second payload and a decoy document to the system. We found three different versions of the Komplex binder: one created to run on x86, another on x64, and a third that contained binders for both the x86 and x64 architectures.

Regardless of architecture, these initial binders all save a second embedded Mach-O file to ‘/tmp/content’. This file is the Komplex dropper, used in the next stage of installation and to maintain persistence. After saving the dropper, the binder writes a legitimate decoy document named roskosmos_2015-2025.pdf to the system and opens it with the ‘Preview’ application built into OS X to minimize suspicion of any malicious activity. Figure 2 shows a portion of the 17-page decoy document, titled “Проект Федеральной космической программы России на 2016 – 2025 годы” (Draft Federal Space Program of Russia for 2016–2025), which describes the Russian Federal Space Program’s projects between 2016 and 2025.
The Komplex payload is capable of downloading additional files to the system, executing and deleting files, and interacting directly with the system shell.

Max Total Security for Mac detects this malware.

Qadars banking trojan targeting UK banks

The Qadars Trojan has been updated to improve its defences and is being tailored to target 18 UK banks. According to the researchers, the UK is back in cyber criminals’ focus, with renewed activity after a period when malware, including GozNym and Zeus, was targeting Germany, Brazil and the US instead.

From a global perspective, Qadars’ operators have been making the rounds, targeting banks in different regions in separate bouts of online banking fraud attacks since 2013. Early campaigns were aimed at banks in France and the Netherlands in 2013 and 2014, but in 2015 to 2016 the top targets were banks in Australia, Canada, the US and the Netherlands.

The top targets are currently banks in the Netherlands, the US, Germany, Poland and the UK.

X-Force Research shows that although most of Qadars’ targets have been banks, a view of the malware’s configurations from recent months shows it is also targeting social networking credentials, online sports betting users, e-commerce platforms, and payment and card services. The researchers believe Qadars is supported by experienced cyber crime factions because the malware has used advanced banking malware tactics from the start.


This trojan has the following capabilities:

Hooking the internet browser to monitor and manipulate user activity
Fetching web injections in real time from a remote server
Supplementing fraud scenarios with an SMS hijacking app
Orchestrating the full scope of fraudulent data theft and transaction operation through an automated transfer system panel.
The updated code also gives Qadars more ways to defeat traditional cyber defences.

“Qadars’ new version obfuscates all of its Win32 API calls by employing a common trick often used by banking malware of this grade, such as URLZone, Dridex and Neverquest,” said IBM X-Force. “Beyond the pre-programmed parts of its configuration files, Qadars relies on communication with remote servers and ATS panels to fetch money mule account numbers in real time,” she said. “It also displays social engineering injections delivered from its servers in real time and can enable hidden remote control of infected machines to defraud their owners’ accounts.”

“When the malware code starts to run, and after the packer has completed its part, it dynamically resolves all the memory addresses of the APIs it’s going to use. Qadars contains hardcoded CRC32 values for all the function names it plans to use. To resolve the actual memory address of a function, it will iterate over the export table of a particular system DLL and compare the CRC32 of the exported function name against the hardcoded one. If a match is found, Qadars saves the memory address of the function in a global variable. The malware adds a twist to this well-known dynamic API resolving method by XORing the hardcoded CRC32 values of the function names with another constant value that’s embedded in the binary itself. By employing this method, Qadars makes it a bit harder for scripts to find and annotate the actual Win32 APIs it uses.”

DualToy Trojan - new Windows Trojan sideloads risky apps to both iPhones and Android devices

In addition to behaviours found in traditional Windows PC malware, such as process injection, modifying browser settings and displaying advertisements, DualToy also performs the following activities against Android and iOS devices:

>Downloads and installs Android Debug Bridge (ADB) and iTunes drivers for Windows
>Uses existing pairing/authorization records on infected PCs to interact with Android and/or iOS devices via USB cable
>Downloads Android apps and installs them on any connected Android devices in the background, where the apps are mostly Riskware or Adware
>Copies native code to a connected Android device and directly executes it, and activates a further custom component to obtain root privileges and to download and install more Android apps in the background
>Steals connected iOS device’s information including IMEI, IMSI, ICCID, serial number and phone number
>Downloads an iOS app and installs it to connected iOS devices in the background; the app will ask for an Apple ID with password and send them to a server without user’s knowledge (just like AceDeceiver)

Several years ago, Android and iOS began requiring user interaction (the “Allow USB debugging?” and “Trust This Computer?” prompts) to authorize a computer before it can pair with a device, precisely to prevent the kind of sideloading attack DualToy uses. However, DualToy assumes that any physically connected mobile device belongs to the same owner as the infected PC, which means the pairing is likely already authorized. DualToy therefore tries to reuse existing pairing records to interact with mobile devices in the background. Although additional mechanisms (e.g., USB debugging being off by default on Android, the iOS app sandbox) limit what this attack vector can do and make the threat less severe, DualToy reminds us again how attackers can use USB sideloading against mobile devices and how malware can spread between platforms.
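The “existing pairing records” the paragraph above refers to are ordinary files on the PC, and the first thing a responder wants is an inventory of them. This is an added audit script, not DualToy code or Palo Alto Networks’ code. The locations are real: `adb` keeps the host key pair that a phone authorised in `<profile>\.android\adbkey` and `adbkey.pub`, and iTunes keeps one lockdown pairing record per trusted iPhone in `C:\ProgramData\Apple\Lockdown\<UDID>.plist` (macOS: `/var/db/lockdown`). The sample tree the script builds, including the UDID and HostID values, is constructed.

```python
import os
import plistlib
import tempfile


def adb_host_keys(profile_dir):
    """ADB host keys for this user. Their presence means some phone once
    accepted this PC's 'Allow USB debugging?' prompt."""
    key_dir = os.path.join(profile_dir, ".android")
    return [os.path.join(key_dir, f) for f in ("adbkey", "adbkey.pub")
            if os.path.isfile(os.path.join(key_dir, f))]


def lockdown_records(lockdown_dir):
    """iTunes/lockdown pairing records, one per iOS device that once tapped
    'Trust'. Returns (udid, host_id, has_device_certificate) tuples."""
    found = []
    if not os.path.isdir(lockdown_dir):
        return found
    for name in sorted(os.listdir(lockdown_dir)):
        # SystemConfiguration.plist holds the host's own identity, not a pairing.
        if not name.endswith(".plist") or name == "SystemConfiguration.plist":
            continue
        with open(os.path.join(lockdown_dir, name), "rb") as fh:
            record = plistlib.load(fh)
        found.append((name[:-len(".plist")], record.get("HostID"),
                      "DeviceCertificate" in record))
    return found


def default_locations():
    """Where the real artefacts live on Windows and on macOS."""
    if os.name == "nt":
        program_data = os.environ.get("PROGRAMDATA", r"C:\ProgramData")
        return (os.environ.get("USERPROFILE", ""),
                os.path.join(program_data, "Apple", "Lockdown"))
    return (os.path.expanduser("~"), "/var/db/lockdown")


def audit(profile_dir, lockdown_dir):
    return {"adb_keys": adb_host_keys(profile_dir),
            "ios_pairings": lockdown_records(lockdown_dir)}


def build_sample_tree():
    """Constructed sample: a profile with an ADB key pair and a lockdown
    directory with one pairing record. Returns (profile_dir, lockdown_dir)."""
    root = tempfile.mkdtemp(prefix="pairing-audit-")
    profile = os.path.join(root, "profile")
    lockdown = os.path.join(root, "Lockdown")
    os.makedirs(os.path.join(profile, ".android"))
    os.makedirs(lockdown)
    for name in ("adbkey", "adbkey.pub"):
        with open(os.path.join(profile, ".android", name), "w") as fh:
            fh.write("constructed placeholder, not a real key\n")
    record = {"HostID": "11111111-2222-3333-4444-555555555555",  # constructed
              "DeviceCertificate": b"constructed",
              "HostCertificate": b"constructed"}
    with open(os.path.join(lockdown, "00008030-000000000000000E.plist"), "wb") as fh:
        plistlib.dump(record, fh)
    with open(os.path.join(lockdown, "SystemConfiguration.plist"), "wb") as fh:
        plistlib.dump({"SystemBUID": "constructed"}, fh)
    return profile, lockdown


if __name__ == "__main__":
    profile, lockdown = build_sample_tree()
    for kind, items in audit(profile, lockdown).items():
        print(kind, items)
    print("on this machine:", audit(*default_locations()))
```

Anything this lists is a standing capability for malware on that PC. To revoke it from the phone side, use “Revoke USB debugging authorizations” under Android’s developer options and “Reset Location & Privacy” on iOS, which clears the trusted-computer list.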

Almost all samples of DualToy are capable of infecting Android devices connected to the compromised Windows PC via USB cable. This functionality is usually implemented in a module named NewPhone.dll, DevApi.dll or app.dll. The module downloads and sets up an ADB environment; once this is done, DualToy waits for an Android device to connect via USB. Once one is connected, it fetches a list of URLs from the C2 server, downloads the apps, and installs them on the device in the background via the “adb.exe install” command.
The apps downloaded and installed by DualToy are all games that use Chinese as the default language, and none of them are available in the official Google Play store.

After successfully connecting with an iOS device, DualToy will collect device and system information, encrypt them and send to its C2 server. The collected information includes:
Device name, type, version and model number
Device UUID and serial number
Device baseband version, system build version, and firmware version
Device IMEI
SIM card’s IMSI and ICCID
Phone number
In addition to collecting device information, DualToy also tries to download IPA file(s) from the C2 server and install them on the connected iOS device. When launched for the first time, the app asks the user to input his or her Apple ID and password.
DualToy is an example of a threat whose main purpose is generating money through advertising. It can cause damage, but the target is not the computer user’s files. DualToy mainly targets China, the United States, the UK, Thailand, Spain and Ireland.
We also suggest that users avoid connecting their mobile phones to untrusted devices via USB. The popularity and ubiquity of mobile devices ensure that attackers will continue to refine and develop mobile malware, which means users and organizations will need to protect desktops, laptops and networks as well.

HDDCryptor Ransomware - rewrites a computer’s MBR (Master Boot Record)

“You are Hacked ! H.D.D Encrypted, Contact Us For Decryption Key (w889901665@yandex.com) YOURID: 123152”. This message is all that remains for the victims of this new ransomware. To get the decryption key, the victim must contact the e-mail address in the note, give the ID and pay 1 BTC per infected host. Without that, the system does not even start.

While most ransomware we’ve seen only target specific file types or folders stored on local drives, removable media and network shares, we were able to uncover a ransomware family that does not discriminate: HDDCryptor. Detected as Ransom_HDDCRYPTOR.A, HDDCryptor not only targets resources in network shares such as drives, folders, files, printers, and serial ports via Server Message Block (SMB), but also locks the drive. Such a damaging routine makes this particular ransomware a very serious and credible threat not only to home users but also to enterprises.

It reaches computers after users download files from malicious websites. Crooks drop the malicious binary on the computer directly, or through an intermediary payload downloaded at a later stage.

This initial binary is named using a random three-digit number in the form of 123.exe. When executed this initial binary drops the following files in a folder on the computer’s system root:

dccon.exe (used to encrypt the disk drive)
log_file.txt (log of the malware’s activities)
Mount.exe (scans mapped drives and encrypts files stored on them)
netpass.exe (used to scan for previously accessed network folders)
netuse.txt (used to store information about mapped network drives)
netpass.txt (used to store user passwords)

To gain boot persistence, HDDCryptor creates a new user called “mythbusters” with the password “123456,” and also adds a new service called “DefragmentService” that runs at every boot. This service calls the ransomware’s original binary (the three-digit exe file). The infection process continues with dccon.exe and Mount.exe. Both of these files use DiskCryptor to encrypt the user’s files: dccon.exe encrypts files on the user’s hard drive, while Mount.exe encrypts files on all mapped network drives, including ones that are currently disconnected but still reachable on the network.
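The persistence steps above leave a distinctive trail in the Windows event logs: a 4720 (user account created) for “mythbusters”, a 7045 (service installed) for “DefragmentService” whose image path is a three-digit exe, and process starts for the dropped components. The detector below is an added example, not Trend Micro’s or any vendor’s code. It works on events already normalised to small dicts (the `user`, `service` and `image` fields stand for TargetUserName, ServiceName and ImagePath/NewProcessName/Sysmon Image); the sample log is constructed. Beyond the exact indicators, it also raises a generic alert when any new account is followed within ten minutes by any new service, since that pairing is how this family, not just this sample, achieves boot persistence.

```python
import re
from datetime import datetime, timedelta

# Components the text says HDDCryptor drops into the system root.
HDDCRYPTOR_FILES = {"dccon.exe", "mount.exe", "netpass.exe"}
# The initial binary is a random three-digit number, e.g. 123.exe.
THREE_DIGIT_EXE = re.compile(r"(?:^|\\)\d{3}\.exe$", re.IGNORECASE)


def event(ts, event_id, **fields):
    """Normalised event: time, Windows event ID, plus the fields used below."""
    return dict(time=datetime.fromisoformat(ts), id=event_id, **fields)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events, window=timedelta(minutes=10)):
    """Return (severity, time, message) alerts for HDDCryptor-style activity."""
    alerts = []
    recent_users = []  # 4720 events, kept for the account+service correlation
    for ev in sorted(events, key=lambda e: e["time"]):
        t, eid = ev["time"], ev["id"]
        if eid == 4720:                                   # local account created
            recent_users.append(ev)
            if ev["user"].lower() == "mythbusters":
                alerts.append(("high", t, "HDDCryptor account 'mythbusters' created"))
        elif eid == 7045:                                 # service installed
            svc, img = ev["service"], ev["image"]
            if svc.lower() == "defragmentservice":
                alerts.append(("high", t, "HDDCryptor service 'DefragmentService' installed"))
            if THREE_DIGIT_EXE.search(img):
                alerts.append(("medium", t, f"service '{svc}' runs a three-digit exe: {img}"))
            for uc in recent_users:
                if t - uc["time"] <= window:
                    alerts.append(("medium", t,
                                   f"account '{uc['user']}' created, then service "
                                   f"'{svc}' installed within {window}"))
        elif eid in (4688, 1):                            # process created (Security / Sysmon)
            name = basename(ev["image"])
            if name in HDDCRYPTOR_FILES:
                alerts.append(("high", t, f"HDDCryptor component executed: {name}"))
    return alerts


# Constructed sample log; not from a real incident.
SAMPLE_EVENTS = [
    event("2016-09-20T10:00:00", 4688, image=r"C:\Users\bob\Downloads\123.exe"),
    event("2016-09-20T10:00:05", 4688, image=r"C:\netpass.exe"),
    event("2016-09-20T10:00:07", 4720, user="mythbusters"),
    event("2016-09-20T10:00:09", 7045, service="DefragmentService", image=r"C:\123.exe"),
    event("2016-09-20T10:01:00", 4688, image=r"C:\dccon.exe"),
    event("2016-09-20T14:00:00", 4720, user="svc_backup"),           # benign admin work
    event("2016-09-20T14:30:00", 7045, service="VendorAgent",
          image=r"C:\Program Files\Vendor\agent.exe"),
]

if __name__ == "__main__":
    for severity, t, message in detect(SAMPLE_EVENTS):
        print(f"{t:%H:%M:%S} [{severity}] {message}")
```

On the constructed log this yields four high-severity alerts (netpass.exe, the mythbusters account, DefragmentService, dccon.exe) and two medium ones for the three-digit image path and the account-then-service pairing; the benign account and service created hours later and 30 minutes apart stay silent.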

After the encryption ends, the ransomware overwrites the MBR of every hard drive with a custom boot loader (a disk has one MBR; the partitions on it have their own boot sectors). It then reboots the computer without user interaction and shows the ransom message quoted above.

HDDCryptor uses disk and network file-level encryption via DiskCryptor, an open source disk encryption software that supports AES, Twofish and Serpent encryption algorithms, including their combinations, in XTS mode. It also uses DiskCryptor to overwrite the Master Boot Record (MBR) and adds a modified bootloader to display its ransom note, instead of the machine’s normal log-in screen.

With so much ransomware evolving every day, I cannot overemphasize the importance of taking backups. Keep them on external drives, on Google Drive or any other remote location; do whatever you can to be able to recover your data in such situations. A backup kept only on the same hard disk is no protection against HDDCryptor, which encrypts that disk along with everything else. Max Total Security for Windows PCs provides a very efficient data backup feature.

Overseer App - another security scare for Android users

Google has removed four Android applications from the Play Store after they were found to be infected with a spyware trojan that harvested information about the infected devices and their users. The apps went by the names Embassy, European News, Russian News, and a fourth Russian-language app whose name used Cyrillic script. Two of the news apps showed items related to Russia, the third showed news on European topics, and Embassy could be used to search for embassies around the world.

These apps contained a spyware trojan named Overseer, which communicates with a remote command and control (C&C) server hosted on Amazon AWS and running a Facebook Parse server. All communications are encrypted via HTTPS, but researchers found traces of the malicious behavior in the app’s code. Whenever it receives a specific command from its operators, the spyware collects a trove of data about the device and sends it back to the C&C server.

Overseer is capable of stealing “significant amounts” of personal data from users. This data includes:
the user’s contacts, including name, phone number, email and times contacted;
all user accounts on the compromised device;
precise location, including latitude, longitude, network ID and location area code;
free internal and external memory;
device IMEI, IMSI, MCC, MNC, phone type, network operator, and device and Android version information;
details of installed packages.



Adwind RAT, a multi-platform remote access trojan - for Windows and Mac OS X

Adwind RAT is a multi-platform remote access trojan written in Java. Because it runs on the Java runtime, it can infect any major operating system where Java is installed, including Windows, Mac, Linux and Android; it is fully functional on Windows and only partially functional on OS X. Adwind appears to be spreading as part of a spam email campaign.

It’s important to know that in order to install Adwind malware, it requires Java to be installed. By default, OS X and macOS are not shipped with Java. Therefore, to execute the file, Mac users would need to download the JRE at Oracle.com.
Furthermore, over the years Apple has added a number of security features to its Mac platform. Apple’s macOS and OS X offer built-in security features to protect users from unidentified developer files. Most Mac users are protected by restricting app downloads using secure Gatekeeper settings:

In System Preferences > Security & Privacy > General, Gatekeeper must be set to “Allow apps downloaded from Mac App Store and identified developers.” (To restrict to Mac App Store stuff only, set to “Mac App Store.”).

It is best to exercise security awareness and caution, not to open suspicious email attachments, and to install an antivirus solution on your Mac.

If infected, Mac users can remove the two components manually: the Java app, named BgHSYtccjkN.ELbrtQ, which is dropped in a hidden folder inside the Home folder, and the launch agent, named org.yrGfjOQJztZ.plist, in the user LaunchAgents folder.

To remove the Java app via Finder, choose Go > Go to Folder, enter ~/.UQnxIJkKPii/UQnxIJkKPii and click Go. If the folder exists, you are infected: move BgHSYtccjkN.ELbrtQ to the Trash. (Example path: /Users/intego/.UQnxIJkKPii/UQnxIJkKPii/BgHSYtccjkN.ELbrtQ.)

To remove the launch agent via Finder, choose Go > Go to Folder, enter ~/Library/LaunchAgents and click Go. Move org.yrGfjOQJztZ.plist to the Trash. (Example path: /Users/intego/Library/LaunchAgents/org.yrGfjOQJztZ.plist.) Removing the plist only stops the agent from being started at the next login; log out and back in, or reboot, so that any already-running copy of the Java process is gone as well.

Sophisticated Mac OS X backdoor

Backdoor.OSX.Mokes.a is the most recently discovered OS X variant of a cross-platform backdoor which is able to operate on all major operating systems (Windows,Linux,OS X). This malware family is able to steal various types of data from the victim’s machine (Screenshots, Audio-/Video-Captures, Office-Documents, Keystrokes). The backdoor is also able to execute arbitrary commands on the victim’s computer. To communicate it’s using strong AES-256-CBC encryption.
It is written in C++ using Qt, a cross-platform application framework, and is statically linked to OpenSSL. This leads to a filesize of approx. 14MB.

When executed for the first time, the malware copies itself to the first available of a list of locations; the first on that list is:

$HOME/Library/App Store/storeuserd

Corresponding to that location, it creates a plist file to achieve persistence on the system. After that it establishes a first connection with its C&C server using HTTP on TCP port 80. The User-Agent string is hardcoded in the binary, and the server replies to this “heartbeat” request with “text/html” content 208 bytes in length. The binary then establishes an encrypted connection on TCP port 443 using the AES-256-CBC algorithm.
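Both the Adwind removal steps earlier on this page and the Mokes persistence just described come down to the same pattern: a plist in ~/Library/LaunchAgents that starts something living where no legitimate launchd job lives (a hidden dot-directory under the home folder, or an odd path such as ~/Library/App Store/storeuserd). The audit below is an added example, not Kaspersky’s, Intego’s or the malware’s code. It parses every agent plist, collects the program and arguments it launches, and flags those locations plus executables that no longer exist. The sample home folder it builds is constructed; the paths in it are taken from the two descriptions, while the Mokes plist name “com.apple.storeuserd.plist” is a constructed stand-in because the page does not give it.

```python
import os
import plistlib
import tempfile

# Directories under ~/Library that a launchd job has no business living in.
# 'App Store' comes from the Mokes path described above; extend as needed.
ODD_LIBRARY_DIRS = {"App Store"}


def launched_paths(plist):
    """Program plus every ProgramArguments entry; the first is the executable."""
    paths = []
    if "Program" in plist:
        paths.append(plist["Program"])
    paths.extend(plist.get("ProgramArguments") or [])
    return paths


def suspicious_reasons(paths, home):
    """Reasons an agent matches the persistence pattern described above."""
    reasons = []
    if not paths:
        return ["no program to launch"]
    home = os.path.normpath(home)
    for p in paths:
        p = os.path.normpath(os.path.expanduser(p))
        if not p.startswith(home + os.sep):
            continue
        parts = os.path.relpath(p, home).split(os.sep)
        if any(part.startswith(".") for part in parts[:-1]):
            reasons.append(f"references a hidden directory under the home folder: {p}")
        if len(parts) > 2 and parts[0] == "Library" and parts[1] in ODD_LIBRARY_DIRS:
            reasons.append(f"program under ~/Library/{parts[1]}: {p}")
    exe = os.path.expanduser(paths[0])
    if os.path.isabs(exe) and not os.path.exists(exe):
        reasons.append(f"executable missing on disk: {exe}")
    return reasons


def audit_launch_agents(home):
    """Map plist name -> reasons for every agent in ~/Library/LaunchAgents
    that has at least one reason; unparseable plists are reported too."""
    agents = os.path.join(home, "Library", "LaunchAgents")
    findings = {}
    if not os.path.isdir(agents):
        return findings
    for name in sorted(os.listdir(agents)):
        if not name.endswith(".plist"):
            continue
        try:
            with open(os.path.join(agents, name), "rb") as fh:
                plist = plistlib.load(fh)
        except Exception as exc:  # report a broken plist rather than abort the audit
            findings[name] = [f"unparseable plist: {exc}"]
            continue
        reasons = suspicious_reasons(launched_paths(plist), home)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample_home():
    """Constructed home folder: Adwind-style and Mokes-style agents, one
    stale agent whose executable is gone, and one benign agent."""
    root = tempfile.mkdtemp(prefix="la-audit-")
    home = os.path.join(root, "home")
    agents = os.path.join(home, "Library", "LaunchAgents")
    os.makedirs(agents)
    adwind_jar = os.path.join(home, ".UQnxIJkKPii", "UQnxIJkKPii", "BgHSYtccjkN.ELbrtQ")
    mokes_bin = os.path.join(home, "Library", "App Store", "storeuserd")
    benign_bin = os.path.join(root, "opt", "vendor", "agent")
    for path in (adwind_jar, mokes_bin, benign_bin):
        os.makedirs(os.path.dirname(path))
        with open(path, "w") as fh:
            fh.write("constructed placeholder\n")
    samples = {
        "org.yrGfjOQJztZ.plist": {"ProgramArguments": ["java", "-jar", adwind_jar], "RunAtLoad": True},
        "com.apple.storeuserd.plist": {"ProgramArguments": [mokes_bin], "RunAtLoad": True},
        "com.example.stale.plist": {"Program": os.path.join(root, "gone", "tool")},
        "com.example.vendor.plist": {"Program": benign_bin, "RunAtLoad": True},
    }
    for name, plist in samples.items():
        with open(os.path.join(agents, name), "wb") as fh:
            plistlib.dump(plist, fh)
    return home


if __name__ == "__main__":
    for name, reasons in audit_launch_agents(build_sample_home()).items():
        print(name, "->", "; ".join(reasons))
    print("this user:", audit_launch_agents(os.path.expanduser("~")))
```

Run it against the real home folder and review each finding by hand; to stop a flagged agent before deleting it, `launchctl unload ~/Library/LaunchAgents/<name>.plist` takes the job out of launchd, after which the plist and the program it points to can be removed.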

Its next task is to set up its backdoor features: capturing audio, monitoring removable storage, capturing the screen (every 30 sec.), and scanning the file system for Office documents (xls, xlsx, doc, docx).
The attacker controlling the C&C server is also able to define own file filters to enhance the monitoring of the file system as well as executing arbitrary commands on the system.

Just like on other platforms, the malware creates several temporary files containing the collected data if the C&C server is not available.

$TMPDIR/ss0-DDMMyy-HHmmss-nnn.sst (Screenshots)
$TMPDIR/aa0-DDMMyy-HHmmss-nnn.aat (Audiocaptures)
$TMPDIR/kk0-DDMMyy-HHmmss-nnn.kkt (Keylogs)
$TMPDIR/dd0-DDMMyy-HHmmss-nnn.ddt (Arbitrary Data)

Fraudulent phone calls - CallJam Android Malware

Keeping Android smartphones and tablets safe from malicious apps is a constant battle for enterprises, end users, and Google. CallJam makes money for its operators by having the infected device call premium-rate numbers. The only app found carrying it is the game “Gems Chest for Clash Royale”, which was uploaded to Google Play in May.

CallJam shows its ads in the browser rather than inside the app. Before being taken down, the app had between 100,000 and 500,000 downloads and a rating of 4.0. At the technical level, CallJam is more subtle than fellow adware variants because it does not intrude on the gaming experience by overlaying ads; instead it opens a browser and shows the ads there.

The app’s more deadly feature is its ability to place premium calls. Fortunately, the app needs to request permissions for this behavior, but we all know how some users just go through all the permissions popups and install whatever is presented to them.
As such, CallJam has managed to infect quite a large number of users, placing calls on their behalf, earning revenue for the crook, and creating unwanted costs for victims. CallJam redirects victims to malicious websites that generate fraudulent revenue for the attacker.

Since it deceives the users as part of its activity, the game has been able to achieve a relatively high rating. Users are asked to rate the game before it initiates under the false pretense that they will receive additional game currency. This is another reminder that attackers can develop high-reputation apps and distribute them on official app stores, putting devices and sensitive data at risk.

.flyper extension virus

Flyper is another ransomware-type virus that encrypts your files and then demands a ransom to get them back. It renames files as it encrypts them, appending a .flyper extension, and after encryption completes it creates a file named instruction.txt on your desktop containing the information needed to pay the ransom.
Flyper encrypts a huge variety of file formats: pictures and music, MS Office documents, presentations, videos, and so on; practically all the important data you have. Once encryption is complete and the files are renamed, you can no longer view or use them, so the harm may be irreversible.
Other threats such as spyware or rootkits may also be downloaded onto your PC. Even if you pay the ransom to the people behind the .flyper virus, you have little chance of getting your files back: they are cyber criminals making a living by scamming people, and there is no reason to trust them. Do not pay them a single penny.
Screenshot of an image that is set as the desktop wallpaper by Flyper ransomware:
The most common infection method is spam. Keep in mind that hackers sometimes send malware straight to your inbox; one click on a seemingly harmless attachment is all the virus needs. Such mail often pretends to be legitimate, so make no mistake: delete what you don’t trust.
As soon as the malicious file of Flyper has been activated, it may briefly freeze your computer and the opened Windows may enter “Not Responding” state.
To remove this virus:
STEP 1: Stop the malicious process using Windows Task Manager
Open Task Manager by pressing CTRL+SHIFT+ESC simultaneously
Locate the process of the ransomware. Have in mind that its name is usually randomly generated.
Before you kill the process, note the name in a text document for later reference.
Locate any suspicious processes associated with the Flyper encryption virus.
Right click on the process
Open File Location
End Process
Delete the directories containing the suspicious files.
STEP 2: Reveal Hidden Files
Open any folder
Click on “Organize” button
Choose “Folder and Search Options”
Select the “View” tab
Select “Show hidden files and folders” option
Uncheck “Hide protected operating system files”
Click “Apply” and “OK” button
STEP 3: Locate the Flyper encryption virus startup location
Open the Registry Editor (regedit) and check both of the following keys (on 64-bit Windows, also check the Wow6432Node\Microsoft\Windows\CurrentVersion\Run key under HKEY_LOCAL_MACHINE\SOFTWARE, where 32-bit programs register):
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
and delete the value with the random [RANDOM] name that points at the executable you noted in step 1.
Navigate to your %appdata% folder and delete the executable files that look suspicious.

To recover your data, either roll Windows back to an earlier restore point (this undoes the malware’s changes to the system but does not decrypt files) or delete all the files with the .flyper extension and restore them from your backup using data backup and restore software.

DressCode Android malware found in over 40 Google Play Store apps and 400 apps on third-party app stores


The malware is also infecting devices through 400 more apps in third-party app stores around the internet. DressCode turns infected devices into proxy servers, thereby creating a botnet. Botnets are created by hackers to surreptitiously gain control over a large number of devices; bots can be used for a variety of purposes, including distributing phishing links, malware and ransomware. A botnet’s capabilities generally depend on its size, so larger botnets come with more extensive capabilities. Researchers speculated that the proxied IP addresses were likely used by the hackers behind the malware to cloak ad clicks and generate false traffic, which in turn reaps profits for them.

Once installed on the device, DressCode initiates communication with its command and control server. Currently, after the initial connection is established, the C&C server orders the malware to ‘sleep,’ to keep it dormant until there’s a use for the infected device. When the attacker wants to activate the malware, he can turn the device into a socks proxy, rerouting traffic through it.

Clearly, DressCode poses a serious threat to users. Aside from stealing users’ information, some variants of this malware have been able to display advertisements and download unwanted applications. As a rule of thumb, users should also be extremely wary of ever installing apps from anywhere other than the official Google Play store. Max Total Security for Android.