Ztorg Android malware

The Ztorg malware hid in apps on Google’s Play Store to send premium-rate SMS texts and delete incoming SMS messages on Android devices. The apps, called “Magic Browser” and “Noise Detector,” have a combined total of 60,000 user installations. What’s interesting about these apps is that they don’t conceal Ztorg in its traditional device-rooting form. Instead they hide an SMS-based version of the threat.

After a user installs them, the apps wait 10 minutes before connecting to their command-and-control (C&C) server. They then make two GET requests, the first of which includes the first three digits of the Android device’s International Mobile Subscriber Identity (IMSI). If the trojan receives data from the server, it responds with its second GET request containing the first five digits of the IMSI.

magic-browser

The second app, called “Noise Detector”, with the same malicious functionality, was installed more than 10,000 times.

ztorg_sms_en_2

Following these requests, the trojan receives a JSON file of “offers” carrying a string field called “url.” Some of these “url” fields actually contain a URL, in which case Ztorg displays content to the user. In the event the field carries a “SMS” substring, it sends an SMS message to the number provided, turns off the device sound, and starts blocking all incoming SMS text messages.

It means that these Trojans may not only open ad urls, or send Premium rate SMS, but also open web-pages with WAP billing and steal money from a user’s account. To hide these activities the Trojans turn off the device sound and delete all incoming SMS.

RabboLock Ransomware

The R4bb0l0ck file encoder is programmed to scan the machine for available memory disks, and network shared storage that has data associated with software like Microsoft Office, Libre Office, Adobe Acrobat Reader, MySQL, VLC Media Player and Calibre. The threat is reported to use the files ‘hidden-tear.exe,’ ‘R4bb0l0ck.exe,’ and ‘R4bb0l0ck Ransomware.bin’ to facilitate its operation. The RabboLock Ransomware Trojan is programmed to report the IP address, machine GUID, active user account name, and software configuration to its masters before it generates a pair of unique encryption and decryption keys. As all HiddenTear variants do, the R4bb0l0ck Trojan encodes the user’s files using the AES-256 cipher and proceeds to encode the decryption key using the RSA-1024 cipher, which prevents malware researchers from recovering the corrupted data.

This Trojan is another crpto malware which adds the ‘.R4bb0l0ck’ extension to the encoded files. The RabboLock Ransomware is a threat to regular PC users that may open documents attached to spam emails, and lead to a security breach. The programmers responsible for the RabboLock Ransomware have been reported to take advantage of macro scripts embedded into Microsoft Word documents and compromise remote computers.

Our recommendation is be careful while opening email attachments, or fake software products as many malware come bundled with them, or while browsing web sites where scripts may ask you for permission or download something. Immediately terminate such processes or browsers from task manager . Always use Max Total Security to back up your data and Restore when you need it.

$ucyLocker Ransomware

The $ucyLocker Ransomware is a file encoder Trojan that is designed to corrupt data on compromised devices and offers users a chance to recover their data. The authors of the $ucyLocker Ransomware used “VapeHacksLoader.exe” and “Loader-Private” to install the ransomware within the PC. After infecting the computer, this ransomware encrypts files stored in the system and adds .WINDOWS file extension to each of them. Then it outputs some text into a ransom note READ_IT.txt which the virus saves on the desktop. This virus aims to extort the victim as it asks 0.16 BTC in exchange for a decryption key.

lucyLocker

Following message is shown by this ransomware:

Window 1:
‘Your computer is locked. Please do not close this window as that will result in serious computer damage
Click next for more information and payment on how to get your files back.
$usyLocker

Window 2:
‘Your Files are locked. They are locked because you downloaded something with this file in it. This is ransomware. It locks your files until you pay for them. Before you ask, Yes we will give you your files back once you pay and our server confirms that you pay.
Next’

Window 3:
‘I paid, Now give me back my files
Send 0.16 to the address below
[34 RANDOM CHARACTERS]
bitcoin
ACCEPTED HERE’

Do not pay this Ransomware any money as there is no guarantee that it will recover your files. Go to control panel, review and uninstall any unwanted programs that you see. Go to Task manager and delete any processes or services that are not familiar to you and from Max Total Security >Options menu remove any BHOS and Startup entries that you see. From browsers remove any add ins.

Restore all of your files from Max Total Security Restore option.

Executioner (Cellat) ransomware

Executioner (Cellat) is a ransomware-type virus encrypts various data and appends six random characters to a name of each encrypted file. For example, “sample.jpg” might be renamed to “sample.jpg.h80skl” or similar. Executioner (Cellat) then changes the desktop wallpaper and creates an HTML file (“Sifre_Coz_Talimat.html”), placing it in each folder containing encrypted files.

The wallpaper contains a ransom-demand message in Turkish stating that files are encrypted and that a ransom of the equivalent of $150 in Bitcoins must be paid to restore them. It is currently unknown whether Executioner (Cellat) uses symmetric or asymmetric cryptography. In any case, decryption without a unique key is impossible. Cyber criminals store this key on a remote server and victims are encouraged to pay a ransom to receive it. Research shows, however, that these people should never be trusted – cyber criminals often ignore victims once ransoms are submitted. Therefore, never attempt to contact these people or pay any ransom. There is a high probability that paying will not deliver any positive result and you will simply be scammed. Paying is equivalent to sending your money to cyber criminals – you simply support their malicious businesses. Unfortunately, there are no tools capable of restoring files encrypted by Executioner (Cellat). Therefore, you can only restore your files/system from a backup. We recommend using a Total Security approach such as Max Total Security to handle such nuisance.

The Executioner ransomware also known as Cellat ransomware is most likely spread via spam emails containing malicious email attachments, pdf attachments and Word documents prompting the user to enable Macros, etc. Most recent ransomware cases rely on this method of distribution because of its high success rates. Most users tend to be careless with suspicious emails which often lead to ransomware and malware infections.

However, there are other probable methods of infections that could be used by the creators of the Executioner crypto virus. A payload dropper which triggers its malicious script could be spread online. The ransomware may also be spreading the payload file on social media websites and file-sharing services. Another popular method of ransomware and malware distribution is via freeware packages where a program may be bundled with malicious programs.

To avoid infections of that kind, be extremely cautious when dealing with files downloaded from the Web as well as with emails sent by unknown or suspicious entities.

Fireball- a browser-hijacker Infects Nearly 250 Million Computers Worldwide

Security researchers have discovered a massive malware campaign that has already infected more than 250 million computers across the world, including Windows and Mac OS and 20% of corporate networks globally. A Chinese digital marketing company named Rafotech is behind this malware.

Dubbed Fireball, the malware is an adware package that takes complete control of victim’s web browsers and turns them into zombies, potentially allowing attackers to spy on victim’s web traffic and potentially steal their data.

However, Fireball also can be turned into a fully functioning malware downloader, and is capable of executing any code on the victim machines. That means it can carry out a wide range of actions, including stealing credentials and loading ransomware.

For now, it seems focused on adware. Fireball manipulates victims’ browsers and turns their default search engines and home pages into fake search engines, which simply redirect the queries to either yahoo.com or Google.com to generate ad revenue. According to Alexa’s web traffic data, 14 of these fake search engines are among the top 10,000 websites, with some of them occasionally reaching the top 1,000. Fireball also installs plug-ins and additional configurations to boost its advertisement activity. Fireball has turned out to be virulent, with an enormous infection rate. The biggest proportion of infections are in India, Brazil and Mexico, and there are more than 5.5 million in the US.

The good news is that Fireball can be removed from PCs by uninstalling the adware using Programs and Features list in the Windows Control Panel, or using the Mac Finder function in the Applications folder on Macs.
Max Total Security for windows and Mac Total Security detects and removes this malware.

The Judy Malware-Android

Up to 36.5 million Android devices may have been infected by malware that produced fake ad clicks and lined the pockets of its developers. 41 apps developed by Korea-based Kiniwini and published under the moniker ENISTUDIO Corp., “infected devices to generate large amounts of fraudulent clicks on advertisements, generating revenues for the perpetrators behind it.

Google “swiftly” removed the apps from Google Play after being alerted to their existence, but not before they “reached an astonishing spread between 4.5 million and 18.5 million downloads.
judy-malware

Once a user downloads a malicious app, it silently registers receivers which establish a connection with the [Command and Control] server. The server replies with the actual malicious payload, which includes JavaScript code, a user-agent string and URLs controlled by the malware author. The malware opens the URLs using the user agent that imitates a PC browser in a hidden webpage and receives a redirection to another website. Once the targeted website is launched, the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure.

Keep your Android device protected with the updated Max Total Security for Android.

Despite apps going through periodic reviews, Google’s Play Store security system, named Bouncer, wasn’t able to pick up the malware’s malicious activity.
Google launches new Android security services

On May 17, during the Google I/O annual event, Google announced a new service called Google Play Protect. According to Google, this new service continuously scans all Android apps and user devices for malicious behavior and uses machine learning to detect any suspicious activity. Once it detects a malicious app, it removes it from the phones of all users who installed it.

The new Google Play Protect service suite is currently shipping to all devices with the Google Play app installed.

MoWare H.F.D ransomware

MoWare H.F.D is a ransomware cryptovirus that displays a window with a ransom message. The ransomware is a variant of HiddenTear and places the extension .H_F_D_locked after encryption. MoWare H.F.D ransomware might also distribute its payload file through spam emails, social media and file-sharing services. MoWare H.F.D ransomware makes entries in the Windows Registry to achieve persistence, and could launch or repress processes in a Windows environment. Such entries are typically designed in a way to launch the virus automatically with each start of the Windows operating system.

The MoWare H.F.D Ransomware is perceived as a very threatening Trojan because it is designed to encrypt 666 file types and support limiting the user’s control of the OS. A detailed report from cyber security researchers revealed that the MoWare H.F.D Ransomware could terminate access to the Registry Editor, the Task Manager, and the Command Line tool. Server administrators may have a hard time purging the MoWare H.F.D Ransomware from their network. The Trojan is associated with the ‘.H_F_D_locked’ string that is used a marker to inform users which files have been encrypted. For example, ‘Stars shack.png’ is renamed to ‘Stars shack.png.H_F_D_locked’ and the Windows Explorer does not generate a thumbnail for the photo. The encryption process may trigger error reports in database managers like MySQL, OracleDB and MongoDB. The ransom notification is generated as a program window named ‘MoWare H.F.D’ that says:

‘INFORMATION SECURITY
Your Personal Files has been Encrypted and Locked
Your documents, photos, databases and other important files have been encrypted with strongest encryption and locked with unique key, generated for this computer.
Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key.
Caution: Removing of MoWare H.F.D will not restore access ti your encrypted files.
Frequently Asked Questions
What happened to my files ? understanding the issue
How can i get my files back ? the only way to restore your files
What should i do next ? Buy decryption key
Now you have the last chance to decrypt your files.
1. Buy Bitcoin (https://blockchain.info)
2. Send amount of 0.02 BTC to address: 15nbyuacLHfm3FrC5hz1nigNVqEbDwRUJq
3. Transaction will take about 15-30 minutes to confirm.
4. When transaction is confirmed, send email to us at heyklog@protonmail.com

You should NOT under any circumstances pay the ransom. Your files may not get restored, and nobody could give you a real guarantee. Moreover, giving money to cybercriminals will likely motivate them to create more ransomware or do other criminal activities. You should keep an updated Anti Virus program such as Max Total Security which provides daily back and easy to restore mechanism in case you get infected with any of the Ransomware.

LightningCrypt ransomware

LightningCrypt is a crypto-malware that uses a strong encryption cipher to wreck various data stored on the targeted computer. This file-encrypting virus appends .LIGHTNING file extension to each of the corrupted pictures, audio, video, and text files, documents, databases and other widely used records. As soon as all targeted data is locked, ransomware delivers a ransom note in LightningCrypt_Recover_Instructions.txt file and triggers a pop-up window.

The threatening letter from cyber criminals tells that trying to recover data or delete LightningCrypt ransomware will lead to the data loss. According to the ransom note, the only way to decrypt files is to transfer 0.17 Bitcoins to the provided address. Once the transaction is made, damaged files should be recovered immediately. However, chances that you will never get back your files are quite high.

Cybercriminals created this malicious program to swindle the money from innocent computer users. Thus, they may not bother about decrypting their files because no one can find them and punish for a unkept promise. LightningCrypt infects when you open an infected email attachment. As soon as a person clicks on such file, malware payload is dropped and executed on the system. Apart from encrypting data, ransomware also modifies the registry and makes some entries in order to run itself automatically when Windows OS is launched. What is more, this cyber infection makes computer’s system vulnerable and might open the backdoor to other malware.

You should keep an updated Anti Virus program such as Max Total Security which provides daily back and easy to restore mechanism in case you get infected with any of the Ransomware.

May Ransomware

Month of May we saw a new Ransomware called May Ransomware. Once infiltrated, May encrypts various data using AES-256 and RSA-4096 encryption algorithms and appends filenames with the “.locked” extension (for example, “sample.jpg” is renamed to “sample.jpg.locked”). May then creates a text file (“Restore_your_files.txt”) containing a ransom-demand message and places it in each folder containing encrypted files.

The message informs victims of the encryption and make ransom demands of 1 Bitcoin (approximately, $1750) in exchange for file decryption. As mentioned above, May employs AES and RSA cryptographies and, therefore, decryption without unique keys is impossible. All of the files that get encrypted will receive the same extension appended to them, and that is the ‘.maysomware’ and ‘.locked’ extension.

The criminals provide each of their victims with a personal identification number. Presumably, the hackers keep all the ID’s in some sort of database next to the unique data decryption keys. That’s why the victims are asked to submit this number along with the payment. Nevertheless, this does not mean that you should. On the opposite, you should avoid getting involved in any type of collaboration with the criminals and take all measures possible to remove May virus from your computer.

You should keep an updated Anti Virus program such as Max Total Security which provides daily back and easy to restore mechanism in case you get infected with any of the Ransomware.

Google Play Apps Found Serving Adware

Dozens of applications available on Google Play were found delivering a strain of adware capable of collecting users’ personal information.
With these apps installed, users will have a full screen advertisement popping up at regular intervals even when the app is closed. For example:
adware-popup
The program then downloads another .dex file from cloud.api-restlet.com, which collects the following information from the user’s device:

Email address for Google account
List of apps installed
IMEI identifier and android_id
Screen resolution
Manufacturer, model, brand, OS version
SIM operator
App installation source

To avoid detection, researchers also found XavirAd to use encrypted strings. Each class has its own decryption routine in the class constructor, and although the algorithm remains the same, the keys are different in each class.

Furthermore, the XavirAd library uses anti-sandbox technology to hide from dynamic analysis, stopping malicious behaviors once it detects it is running in a testing environment. It also checks the user’s email address for another safety net that it’s not run by a tester. If the email address contains the following strings, it will stop the action:
The following Google Play apps contain XavirAd, and users may want to avoid them:
apps-used-on-google-play