Malware spam: “BalanceUK_INVOICE_X002380_1127878”

This fake financial spam does not come from BalanceUK Limited. It is a simple forgery carrying a malicious attachment, and the email users receive looks like this:

Date: 21 April 2016 at 10:33
Subject: “BalanceUK_INVOICE_X002380_1127878”

Thank you for placing your order with BalanceUK Ltd

Please find attached your document.

BalanceUK Limited,
30-32 Martock Business Park,
Great Western Road,
TA12 6HB

Tel: 01935 826 960
Fax: 01935 829 215

Attached is a ZIP file with a name that matches the reference in the subject field (e.g. Inside that ZIP file is another ZIP file named and in there is a malicious script named 4812610-20.04.2016.js.

Be careful: do not open any emails if you do not know the sender, and specifically do not open any attachments unless you are expecting them from someone you know.

TrueCrypter, another Ransomware

This ransomware currently encrypts files, and adds “.enc” to the filename. Files on the Desktop, in My Documents, My Music, and My Pictures are prioritized, then files on any other allocated drive letters are encrypted.

In addition to accepting BitCoin ransoms (0.2BTC), the criminals also accept Amazon Gift Cards for $115 USD.

This ransomware does delete shadow copies, has a bypass for UAC, and some anti-sandbox techniques to mitigate some automated analysis. Files are encrypted using AES-256, with a cryptographically-strong unique key generated for each individual file. This key is stored at the end of the file, and protected by RSA-2096 using a public key that is acquired from a central server controlled by the criminals.

A list of encrypted files is stored in %APPDATA%\Microsoft\TrueCrypter\Encrypted.dat. This directory also stores a copy of the malicious executable that is set to run on startup, and a TrueCrypter.xml file with settings such as the public RSA key, whether encryption was completed, and whether the key was submitted to the criminal’s server. This allows the ransomware to load up these values on startup.

If the victim pays, the program will automatically start decrypting files on its own. At this time, there is no way to decrypt files for free.

Trojan found in more than 100 Android apps on Google Play Store

Researchers have uncovered a new strain of advertising spyware in more than 100 Android apps downloadable from the official Google Play Store; the threat, named Android.Spy.277.origin, was added to their virus database on April 1st, 2016.

Specifically, the malware experts found the trojan in 104 Android applications available for download on the Google Play Store. Those apps claim to offer photo editing services, animated wallpaper themes, and other programs… but in most cases, they don’t work as they claim.

In total, the apps affected by Android.Spy.277.origin are believed to have been downloaded by a staggering 3.2 million users.

The infection process works as follows.

Once a user has installed one of the malicious apps, the trojan collects nearly 30 different pieces of information about the user’s device and transmits them to a remote server operated by an attacker.

The stolen data includes the device’s IMEI number, as well as the device model, OS version, and availability of root access.

At every launch of any installed application, the Trojan resends all the information mentioned before together with the name of the running application. Android.Spy.277.origin also requests certain parameters for advertising on a user’s device. For example, the trojan can try to intimidate the user into installing unwanted applications onto their devices.

Android users are urged to install an anti-virus solution such as Max Total Security-Android from Google Play on their devices, and to install apps only from trusted app developers.

CryptXXX set to become the worst bitcoin-stealing ransomware

CryptXXX not only encrypts files locally and on all mounted drives; it is also stealing Bitcoins and a large range of other data.

Not only is CryptXXX a multi-purpose thief, but the researchers’ analysis shows it spreads in new and powerful ways: through a common trojan called Bedep, after infection via the extremely popular Angler exploit kit. After infecting users, the ransomware changes the user’s wallpaper to its ransom note and drops text and HTML ransom notes all over the computer.

You can spot CryptXXX infections by the ransom notes, which are named de_crypt_readme.txt and de_crypt_readme.html, or by the extension it adds to all encrypted files, which is .crypt. The standard ransom note asks for 1.2 Bitcoin, roughly $515 (€455), a sum well above the average of recent ransomware infections.

CryptXXX comes with a data harvesting component, as seen in past infections with the Bedep click-fraud malware. CryptXXX is capable of harvesting information and credentials from the user’s local instant messenger clients, email clients, FTP clients, and Internet browsers. Taking into account that the person behind Bedep, Angler, and Reveton is the same as the one behind even older tools such as the Cool exploit kit, CryptXXX is not your ordinary ransomware variant put together by script kiddies who stole code from open-sourced (and flawed) ransomware variants uploaded on GitHub.

The first signs of the CryptXXX ransomware appeared towards the end of March. Security experts say the ransomware is distributed via Web pages that host the Angler exploit kit. This crimeware kit uses vulnerabilities to push the Bedep click-fraud malware on the users’ systems. Bedep is also known for having “malware downloading” capabilities, so it will download the CryptXXX ransomware as a second-stage infection, dropping it as a delayed execution DLL, set to wait 62 minutes before launching.

New point-of-sale malware

Security researchers have found a new memory-scraping malware program that steals payment card data from point-of-sale (PoS) terminals and sends it back to attackers using the Domain Name System (DNS). Dubbed Multigrain, the threat is part of a family of malware programs known as NewPosThings, with which it shares some code. However, this variant was designed to target specific environments.

Because DNS is conventionally used to translate domain names into IP addresses, and not to transfer general data, the system is often overlooked by cybersecurity officials when assessing potential threats to their organizations. While HTTP or FTP traffic might be closely monitored or restricted to prevent unauthorized external queries, DNS “is still necessary to resolve hostnames within the corporate environment and is unlikely to be blocked”. Consequently, DNS remains exposed to cyber intruders, making this tactic especially appealing to sneaky cybercriminals.

Multigrain was designed with stealth in mind. It is digitally signed, it installs itself as a service called Windows Module Extension and more importantly, it sends data back to attackers via DNS queries.

Stolen payment card data is first encrypted with a 1024-bit RSA key and then passed through a Base32 encoding process. The resulting encoded data is used in a DNS query for log.[encoded_data].evildomain, where “evildomain” is a domain name controlled by the attackers. This query will appear at the authoritative DNS server for the domain, which is also controlled by the attackers.

This technique, while not specific to Multigrain, allows attackers to pass data out of restricted environments where other Internet communication protocols are blocked.
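The defensive counterpart to the technique described above is to look at outbound DNS for labels that look like encoded payload rather than hostnames. The following detector is an added example, not Multigrain code or the researchers’ tooling; the log lines are constructed, and the label length and entropy thresholds are assumptions to tune for your environment.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (timestamp, client, qname, qtype); not real
# telemetry. "evildomain" stands for the attacker-controlled domain from the text.
SAMPLE_DNS_LOG = """\
2016-04-21T10:33:01 10.0.0.15 www.example.com A
2016-04-21T10:33:02 10.0.0.15 log.MFRGGZDFMZTWQ2LKNNWG23TPOBYXE43UOV3HO6DZPJAGCYTD.evildomain A
2016-04-21T10:33:03 10.0.0.22 ec2-54-210-11-22.compute-1.amazonaws.com A
2016-04-21T10:33:04 10.0.0.15 log.GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ.evildomain A
2016-04-21T10:33:05 10.0.0.31 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.com A
"""

# RFC 4648 Base32 alphabet (A-Z, 2-7) with optional '=' padding. Hostnames with
# digits 0/1/8/9 or hyphens cannot be Base32, which already filters much traffic.
BASE32_LABEL = re.compile(r"^[A-Z2-7]+=*$", re.IGNORECASE)

def shannon_entropy(text: str) -> float:
    """Bits per character of the label; 0.0 for a single repeated character."""
    counts = Counter(text.upper())
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def is_encoded_label(label: str, min_len: int = 20, min_entropy: float = 3.0) -> bool:
    """True when a label looks like Base32-encoded data: long, Base32 charset, high entropy.
    The entropy check keeps 'aaaa...' style names (valid charset, no information) out."""
    return (len(label) >= min_len
            and BASE32_LABEL.match(label) is not None
            and shannon_entropy(label.rstrip("=")) >= min_entropy)

def parse_line(line: str):
    ts, client, qname, qtype = line.split()
    return ts, client, qname.rstrip(".").lower(), qtype

def find_suspicious_queries(log_text: str):
    """Return (client, qname, parent_domain) for each query carrying an encoded label."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, qname, _ = parse_line(line)
        labels = qname.split(".")
        for i, label in enumerate(labels):
            if is_encoded_label(label):
                # Everything right of the encoded label is the attacker's zone.
                hits.append((client, qname, ".".join(labels[i + 1:])))
                break
    return hits

def count_by_parent(hits):
    """Encoded queries per parent domain: exfiltration yields many unique subdomains."""
    return Counter(parent for _, _, parent in hits)
```

A single hit can be a false positive (some CDNs use long hashed labels), so alert on the per-parent count and on the rate of unique labels from one client.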

Jigsaw Ransomware

A new ransomware program called Jigsaw encrypts users’ files and then begins to progressively delete them until the victim pays the equivalent of $150 in Bitcoin crypto currency.

The ransomware deletes one file after the first hour has passed and then increases the number of files it deletes in every 60-minutes cycle. If no payment has been made within 72 hours, all remaining files will be deleted.

A Jigsaw decryptor utility has been developed and is available on the internet for free. While security experts managed to find a method to decrypt files this time, there is no guarantee that they will be able to do the same for future versions. Ransomware creators are typically quick to fix their errors.

When the Jigsaw ransomware is launched it will scan your drives for certain file extensions, encrypt the matching files using AES encryption, and append the .FUN extension to the filename. When encrypting a file it will add the filename to a list of encrypted files located at %UserProfile%\AppData\Roaming\System32Work\EncryptedFileList.txt. It will also assign a bitcoin address and save it in the %UserProfile%\AppData\Roaming\System32Work\Address.txt file. Finally, Jigsaw will set an autorun that starts the ransomware each time you log in to Windows. Unfortunately, each time the ransomware starts, it will also delete 1,000 of the encrypted files.

Files associated with Jigsaw:


Registry associated with Jigsaw:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe %UserProfile%\AppData\Roaming\Frfx\firefox.exe

New ransomware called CryptoHost


Yet another breed of ransomware has been discovered: it encrypts your data and then demands a ransom of .33 bitcoins, or approximately 140 USD, to get your files back. In reality, though, your data is not encrypted but rather copied into a password protected RAR archive. Thankfully, the password created by this infection is easily discovered, so infected users can get their files back.

When CryptoHost infects your computer it will move following file extensions into the password protected archive located in the C:\Users\[username]\AppData\Roaming folder:

jpg, jpeg, png, gif, psd, ppd, tiff, flv, avi, mov, qt, wmv, rm, asf, mp4, mpg, mpeg, m4v, 3gp, 3g2, pdf, docx, pptx, doc, 7z, zip, txt, ppt, pps, wpd, wps, xlr, xls, xlsl

This file will have a 41 character name and no extension. An example file is 3854DE6500C05ADAA539579617EA3725BAAE2C57. The password for this archive is the name of the archive combined with the logged in user name. So for example, if the name of the user is Test and the RAR archive is located at C:\Users\Test\AppData\Roaming\3854DE6500C05ADAA539579617EA3725BAAE2C57, the password would be 3854DE6500C05ADAA539579617EA3725BAAE2C57Test.

The first thing you want to do is terminate the cryptohost.exe process from the Task Manager.

Now, to get your archived data back, you need to extract the password protected RAR archive that holds your files. Install the free 7-Zip, WinRAR or WinZip application. Once it is installed, open up the C:\Users\[username]\AppData\Roaming folder and locate the archive file using the info described above. Right-click on it, select the Extract to “foldername” option, enter the password as described above and press Enter. Your data will now be extracted into a folder with the same name as the RAR archive. When done, open that folder and copy all of the folders in it to the root of your C: drive. Your data files should now be restored.
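The password rule and recovery steps above can be scripted. This is an added example, not CryptoHost code or a published decryptor; it assumes the archive name is a 40-hex-digit SHA1 value (the form of the example name above) and that 7-Zip's command-line tool 7z is on PATH.

```python
import os
import re
import subprocess
from pathlib import PureWindowsPath
from typing import Optional

# CryptoHost stores its RAR archive under the name of a SHA1 hash with no extension.
ARCHIVE_NAME = re.compile(r"^[0-9A-F]{40}$", re.IGNORECASE)

def is_cryptohost_archive(filename: str) -> bool:
    """True for an extension-less, all-hex name of SHA1 length."""
    return ARCHIVE_NAME.match(filename) is not None

def user_from_path(archive_path: str) -> str:
    """Recover the account name from C:\\Users\\<name>\\AppData\\Roaming\\<archive>."""
    parts = PureWindowsPath(archive_path).parts
    if len(parts) < 3 or parts[1].lower() != "users":
        raise ValueError("not under C:\\Users\\<name>: " + archive_path)
    return parts[2]

def derive_password(archive_path: str, username: Optional[str] = None) -> str:
    """CryptoHost password = archive file name + logged-in user name (as described above)."""
    name = PureWindowsPath(archive_path).name
    if not is_cryptohost_archive(name):
        raise ValueError("does not look like a CryptoHost archive: " + name)
    return name + (username if username is not None else user_from_path(archive_path))

def find_candidate_archives(roaming_dir: str):
    """List extension-less 40-hex files directly inside the Roaming (%AppData%) folder."""
    return sorted(p for p in os.listdir(roaming_dir)
                  if is_cryptohost_archive(p) and os.path.isfile(os.path.join(roaming_dir, p)))

def extract_command(archive_path: str, out_dir: str, username: Optional[str] = None):
    """Build the 7-Zip command line: 7z x -p<password> -o<dir> -y <archive>."""
    pw = derive_password(archive_path, username)
    return ["7z", "x", f"-p{pw}", f"-o{out_dir}", "-y", archive_path]

def recover(archive_path: str, out_dir: str, username: Optional[str] = None) -> int:
    """Run 7-Zip (assumed on PATH) and return its exit code; 0 means extraction succeeded."""
    return subprocess.run(extract_command(archive_path, out_dir, username), check=False).returncode

if __name__ == "__main__":
    # Kill cryptohost.exe first (see above); then list archives and their passwords.
    roaming = os.path.expandvars(r"%AppData%")
    for name in find_candidate_archives(roaming):
        path = os.path.join(roaming, name)
        print("archive:", path, "password:", derive_password(path))
```

Pass username explicitly when recovering an archive copied off the victim machine, since the password uses the account name that was logged in when CryptoHost ran.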

Now time to manually remove Cryptohost:

When CryptoHost is installed it will create a file called cryptohost.exe and store it in the C:\Users\[username]\AppData\Roaming folder. It will also create an autorun called software that executes the ransomware on login. To remove this infection, simply end the cryptohost.exe process using Task Manager and then delete the cryptohost.exe file. To remove the autorun you can delete this registry value:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\software %AppData%\cryptohost.exe

CryptoHost is currently being bundled with a uTorrent installer that when installed extracts the cryptohost.exe to the %AppData% folder and executes it. Once executed, CryptoHost will move all files that match certain extensions into a password protected RAR archive located in the %AppData% folder. The name of the archive will be a SHA1 hash of the following information with any dashes removed.

When the archive is finished being created, the ransomware will then perform a listing of the files in the archive and save that list to the %AppData%\Files file and display the above message to pay.

Search and Remove the following Files associated with the CryptoHost Ransomware:


Search and Remove the following Registry entries associated with the CryptoHost Ransomware:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\software %AppData%\cryptohost.exe

Ransomware is the talk of the town lately: now Rokku

One of the most recent threats, known as Rokku Ransomware, is among a growing list of clever ransomware that offers alternative means of paying the ransom fee to decrypt files that have been encrypted by the malware. In the case of Rokku, it is offering computer users a QR scan code, to quickly and conveniently access a payment processing site.

As usual, the infection point is with spam email that comes attached with all sorts of files laced with malware. These email attachments, if downloaded and executed, will start the Rokku ransomware’s encryption process, which uses a hard-to-break (not impossible) RSA-512 crypto algorithm.


First and foremost, Rokku makes sure to delete shadow volume copies from your hard drive, so backup software won’t be able to recover non-encrypted versions of your files. If you have backups stored offline, then you can restore them from that source. However, with no shadow volume copies, recovering them from the same hard drive is technically impossible.

When Rokku encrypts a victim’s data it uses the Salsa20 algorithm and encrypts each file with its own unique key. A file’s key is then encrypted using RSA and stored in the last 252 bytes of the associated file. This allows the developers to provide individual decryption keys for test file decryption. This is also the first ransomware that I know of that uses the Salsa20 algorithm, which provides much greater encryption speeds compared to AES. In each folder that is encrypted and in the victim’s Startup folder, Rokku will create two ransom notes titled README_HOW_TO_UNLOCK.HTML and README_HOW_TO_UNLOCK.TXT. These ransom notes contain information on what has happened to the victim’s files and links to Rokku’s Tor payment site.

An interesting feature of Rokku is the use of the Google Website Translator Plugin in the ransom notes. This allows them to create one English ransom note and easily use the translator for those who do not understand English.

Ransomware Petya encrypts not files but whole hard drive

To achieve its goal, the attacker sends out innocuous looking email that purports to be from a job applicant, with instructions to download a CV hosted in a Dropbox folder. When following the link, an EXE file is downloaded. When running the exe file, the PC crashes with a bluescreen and reboots. Prior to the reboot, the Master Boot Record (MBR) of the system is manipulated in a way which allows Petya to control the boot process.

Petya sets itself apart by the volume of data it tries to encrypt. While most ransomware is content with encrypting single files, usually documents that seem important, Petya goes for the entire hard drive instead. After the user unwittingly runs the program carrying the ransomware, Petya takes over the bootloader and restarts the computer. It then displays a screen informing the user that Windows is performing a check disk operation when, in fact, it is already trying to encrypt the entire disk. Once done, it reveals its true colors, literally, directing the victim to browse to a specific website using TOR for anonymity. The website, in turn, contains instructions on how to pay the ransom. The ransom doubles in price after 7 days.


We recommend not paying the requested ransom and as soon as you read this blog, ensure that all your data is backed up. That way, you can just copy that image back across, should the worst happen.

This is by no means the first ransomware online; it is part of a worrying trend that seems to line up businesses as more lucrative victims than individuals: one hospital this year has already paid $17,000 in bitcoins after it was locked out of its network.

As with many of these attacks, Petya relies on computer users clicking links sent in emails before really considering what they are, or the potential implications. One sure-fire way to cut down on these is simply to refuse to open random files from people you don’t know. Be careful: do not open any attachments or click on any links that you have no business with or are not expecting.

PowerWare uses Windows PowerShell to encrypt files

PowerWare is a crypto-ransomware; what sets it apart from other crypto malware is that it is fileless, a tactic adopted by other malware families pushed by prolific exploit kits such as Angler. A malware family called PowerSniff shows similar behaviour to PowerWare, including fileless infection.

The criminal gangs behind PowerWare are spreading it using spam messages with a Word document attachment purporting to be an invoice. The attackers use an old trick to convince victims into enabling macros: the document asks the user to enable macros in order to view it correctly.

The macro runs cmd.exe, which launches PowerShell, the native Windows framework that uses a command-line shell to perform a variety of tasks. The program that actually does all the encrypting of the files is PowerShell: a script is downloaded and fed to it. This means no ‘traditional’ malware and no additional executable, just a text document (the script).

The use of PowerShell allows the ransomware to avoid writing files to disk, which makes the threat harder to detect, while still letting it encrypt files on the victim’s PC. The PowerShell ransomware asks victims to pay a $500 ransom to restore the encrypted files. In this case too, the ransom doubles if the victim does not meet the deadline.