CryptoJoker Ransomware

A new ransomware has been discovered called CryptoJoker that encrypts your data using AES-256 encryption and then demands a ransom in bitcoins to get your files back. The CryptoJoker installer is disguised as a PDF file, which means it is probably distributed via email phishing campaigns. Once the installer is executed it will download or generate numerous executables in the %Temp% folder and one in the %AppData% folder.

When CryptoJoker encrypts your data it will scan all drives, including mapped network drives, on the victim’s computer for files with certain extensions. When it discovers a targeted extension it will encrypt the file and change the filename so that a .crjoker extension is appended to it. For example, Dog.jpg would become Dog.jpg.crjoker.

Files Associated with CryptoJoker:

%Temp%\crjoker.html
%Temp%\drvpci.exe
%Temp%\GetYouFiles.txt
%Temp%\imgdesktop.exe
%Temp%\new.bat
%Temp%\README!!!.txt
%Temp%\sdajfhdfkj
%Temp%\windefrag.exe
%Temp%\windrv.exe
%Temp%\winpnp.exe
%AppData%\dbddbccdf.exe
%AppData%\README!!!.txt22

Registry Entries associated with CryptoJoker:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\winpnp %Temp%\winpnp.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drvpci %Temp%\drvpci.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\windefrag %Temp%\windefrag.exe
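
The file and registry indicators above can be turned into a simple triage check. The script below is an added example, not code from the original report; it works on plain strings (constructed Run-key entries and file paths) so it runs offline, and the %Temp%/%AppData% expansion to a hypothetical "victim" profile is an assumption.

```python
"""Triage check for the CryptoJoker indicators listed above (added example)."""
import ntpath

# Run value names and dropped file names quoted on the page.
CRJOKER_RUN_VALUES = {"winpnp", "drvpci", "windefrag"}
CRJOKER_DROPPED = {
    "crjoker.html", "drvpci.exe", "getyoufiles.txt", "imgdesktop.exe",
    "new.bat", "readme!!!.txt", "sdajfhdfkj", "windefrag.exe",
    "windrv.exe", "winpnp.exe", "dbddbccdf.exe",
}
# Directories an autorun entry should rarely point into (lower-case, normalized).
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\")


def normalize(path):
    """Lower-case the path and expand the %Temp%/%AppData% tokens used on the page
    to a hypothetical user profile, so substring checks on directories work."""
    p = path.strip().strip('"').lower()
    p = p.replace("%temp%", r"c:\users\victim\appdata\local\temp")
    p = p.replace("%appdata%", r"c:\users\victim\appdata\roaming")
    return p


def check_run_entry(value_name, command):
    """Return the reasons a HKCU\\...\\Run entry looks like CryptoJoker (empty if none)."""
    reasons = []
    target = normalize(command)
    if value_name.lower() in CRJOKER_RUN_VALUES:
        reasons.append("run value name matches a CryptoJoker entry")
    if ntpath.basename(target) in CRJOKER_DROPPED:
        reasons.append("target is a known CryptoJoker file")
    if any(d in target for d in STAGING_DIRS):
        reasons.append("autorun target lives in a user temp/appdata directory")
    return reasons


def classify_files(paths):
    """Split paths into (encrypted victim files, dropped CryptoJoker components)."""
    encrypted, dropped = [], []
    for p in paths:
        low = normalize(p)
        if low.endswith(".crjoker"):
            encrypted.append(p)
        elif ntpath.basename(low) in CRJOKER_DROPPED:
            dropped.append(p)
    return encrypted, dropped


if __name__ == "__main__":  # constructed sample input
    print(check_run_entry("winpnp", r"%Temp%\winpnp.exe"))
    print(classify_files([r"C:\Users\victim\Pictures\Dog.jpg.crjoker",
                          r"%AppData%\dbddbccdf.exe", r"C:\Users\victim\notes.txt"]))
```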

ModPOS (Modular point of Sale) malware threat rises again

As the shopping season swings into high gear, researchers have described a “highly sophisticated” malware framework that could pose a threat to U.S. retailers using point-of-sale (POS) systems, called ModPOS (for “modular POS”). Security experts are warning that this major new POS malware framework could wreak havoc among US retailers as they head into the busy Black Friday shopping period.

ModPOS is described as “the most sophisticated point-of-sale (POS) malware”; with its complex code base, ModPOS can slip undetected past many types of modern security systems. Its modular nature also provides multiple attack routes, with keylogger, POS scraper and uploader/downloader modules that make it possible to target unique aspects of retailers’ POS systems.

New CryptoWall virus variant v4.0 is out in the wild now

The nasty CryptoWall 4.0 (CW4.0) notifies you only AFTER it is done with your local and network files; it now encrypts not only the file contents but also the file names. Unless you have a backup, there is no way any files can be recovered. It is highly recommended to use a backup program such as the one provided in Max Total Security, which not only backs up your files but also protects them from being modified by anyone. This way you are fully protected.

The malware researchers also confirmed that the encryption algorithm used to encrypt the victim’s files is the unbreakable AES-256, and that the key is encrypted using RSA-2048.

CryptoWall 4.0 infections were observed across the world, including in France, Italy, Germany, India, Romania, Spain, the US, China, Kenya, South Africa, Kuwait and the Philippines.

KEMOGE: a vicious new Android malware

This malware is spotted spreading worldwide quickly, and it allows the complete compromise and takeover of the targeted Android device. The malware has turned up in countries such as the U.S., China, Singapore, Indonesia, Russia, England, and France.

Popular applications that have been repackaged with Kemoge include:

Smart Touch
Calculator
Talking Tom
Light Browser
Easy Locker
Privacy Lock
Other adult applications.

On the initial launch of the adware, Kemoge collects device information and uploads it to the server. Then it starts serving ads from the background, which appear all the time, even on the home screen. After that, Kemoge delivers a .zip payload to the device, which is encrypted multiple times and is made to look like an .mp4 file. After gaining persistent root, it infiltrates itself further into the system using names similar to the launcher service or other services such as the ones from Facebook or Google.

To avoid malware:

  • Never click on suspicious links from emails/SMS/websites/advertisements.
  • Don’t install apps outside the official app store.
  • Keep Android devices updated to avoid being rooted through publicly known bugs. (Upgrading to the latest version of the OS will provide some security, but it does not guarantee that you will remain protected.)

New iOS malware

Recently discovered malware evades Apple’s App Store security net and infects iPhones and iPads, jailbroken or not, displaying full-page ads in Safari and forcing users to download a defunct media player.

Called YiSpecter, the malware can infiltrate any iOS device via a variety of means, posing as a genuine Apple-signed app once installed. Once on your iOS device, the app can make itself invisible to the user by disguising itself as an actual iOS app, or by hiding itself from the home screen – which means the user has no means of deleting it.

On infected iOS devices, YiSpecter can download, install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack other apps’ execution to display advertisements, change Safari’s default search engine, bookmarks and opened pages, and upload device information to the C2 [command and control] server.

There are many ways of installing YiSpecter on the phone, including hijacking traffic from nationwide ISPs, a worm on Windows, offline app installations, and community promotions. The app takes advantage of Apple’s enterprise certificates that are used to sign four app components to fool the operating system into believing it’s a genuine app.

There is a way of removing the malware app and additional apps that it may have installed, but you might require third-party programs that give you access to the phone’s file system – check it out below:

1. In iOS, go to Settings -> General -> Profiles to remove all unknown or untrusted profiles;
2. If there’s any installed apps named “情涩播放器”, “快播私密版” or “快播0”, delete them;
3. Use any third-party iOS management tool (e.g., iFunBox, though note that Apple’s iTunes doesn’t work in this step) on Windows or Mac OS X, to connect with your iPhone or iPad;
4. In the management tool, check all installed iOS apps; if there are apps with names like Phone, Weather, Game Center, Passbook, Notes, or Cydia, delete them. (Note that this step won’t affect the original system apps but just deletes the fake malware copies.)

UPDATE: Apple checks in to say that this issue has been fixed starting with iOS 8.4, so stay updated, only download from trusted sources like the App Store, and pay attention to any warnings when downloading apps.

ATM malware in Mexico

GreenDispenser Malware allows an attacker to walk up to an infected ATM and, with a series of pinpad entries, direct the machine to dispense all of its cash.

Once this has been accomplished, the attacker initiates a “deep delete” of GreenDispenser, leaving virtually no trace of the malware.

You probably know the internal computers of ATMs are under lock and key, but you may not know that many of the locks can be opened by a single master key. Hackers in Mexico apparently have copies of that key and are programming the computers to steal your money.

Once installed on an ATM, GreenDispenser displays a fake error message that reads: “We regret this ATM is temporary out of service.”

Only the hacker can bypass this error, and the malware unusually requires two-factor authentication. The hacker must first enter a pin code that has been hard-coded into the malware, and then use a smartphone to scan a QR code that appears on the ATM screen.

Apple App Store Malware Outbreak

Apple is moving to contain an outbreak of malware-infected apps that may have been downloaded by hundreds of millions of iOS App Store users.

Apple on Sept. 20 confirmed that it had deleted malicious iPhone, iPad and iPod Touch software after multiple information security firms warned that “XcodeGhost” malware had been found embedded in otherwise legitimate apps, many of which were aimed at Chinese-language speakers.

The malicious apps included Tencent’s WeChat app, which has an estimated 600 million users, although not all of them would be using the iOS client. Other infected Chinese-language apps included China’s most popular car-hailing app, Didi Kuaidi; a streaming-music app from Internet portal NetEase; the Railway 12306 app, which is the country’s only official app for purchasing train tickets; and a mobile banking app from China CITIC Bank.

The infected iOS apps include IMs, banking apps, mobile carrier apps, maps, stock trading apps, SNS apps, and games.

Ghost Push Android Malware

‘Ghost Push’ is essentially an Android malware APK build that installs unwanted apps onto your Android device, which suck up precious resources and generally run amok on your phone or tablet. Distributed through non-Google app stores and infecting more than 600,000 new users each day, it cannot be removed easily, even through a “factory reset”.

The maker of the antivirus apps reported that the new virus is contaminating smartphones at a faster pace and it estimated that it’s infecting more than 600,000 users each day.

Banking Trojan Escelar Infects Thousands In Brazil and the US

Attackers deliver the Trojan using generic Portuguese language phishing emails and are currently targeting seven Brazilian banks. Once delivered, Escelar has multiple installation stages where malware is downloaded using direct connections to multiple Microsoft SQL servers. These SQL servers are also used for command and control (C2) functionality.

Escelar is designed to steal online banking authentication credentials and further compromise the accounts of victims. Even worse, Escelar is capable of manipulating the victim’s banking web session and executing fraudulent transactions. Escelar also forces the user to connect to the Internet via Internet Explorer (IE). If the victim attempts to use another browser (e.g. Google Chrome) to access online banking accounts, Escelar generates a false error code that makes the victim return to IE.

The most recently discovered Microsoft SQL server being used as Escelar infrastructure contained records of 1660 infections that all connected within a two-day time frame.

Escelar is distributed almost exclusively through phishing emails. Organizations should monitor their networks for unexpected outbound Microsoft SQL traffic (App-ID mssql) that may indicate an Escelar infection.
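
The monitoring recommendation above can be expressed as a small check over firewall or flow logs. The script below is an added example, not from the original report: the key=value log lines, the internal address ranges and the allow-list of approved internal SQL servers are all constructed assumptions, and TCP/1433 is used as the default Microsoft SQL Server port.

```python
"""Flag internal hosts making outbound Microsoft SQL connections to hosts that
are not on the approved list (added example, constructed input)."""
import ipaddress
from collections import defaultdict

MSSQL_PORT = 1433  # default port for Microsoft SQL Server (TDS)
# Constructed assumptions: our address space and the SQL servers clients may use.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
APPROVED_SQL = {"10.0.5.20"}

# Constructed sample log lines in a key=value style (not real logs).
SAMPLE_LOG = """\
src=10.0.7.15 dst=10.0.5.20 proto=tcp dport=1433 app=mssql
src=10.0.7.15 dst=203.0.113.44 proto=tcp dport=1433 app=mssql
src=10.0.7.16 dst=198.51.100.9 proto=tcp dport=443 app=ssl
src=10.0.7.16 dst=203.0.113.44 proto=tcp dport=1433 app=mssql
src=198.51.100.7 dst=10.0.5.20 proto=tcp dport=1433 app=mssql
"""


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; dport becomes an int."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def suspicious_mssql_flows(log_text):
    """Return {src: [dst, ...]} for outbound SQL flows from internal hosts to
    destinations that are not approved SQL servers (external or unknown internal)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        is_sql = rec.get("app") == "mssql" or rec["dport"] == MSSQL_PORT
        if not is_sql or not is_internal(rec["src"]):
            continue  # not SQL traffic, or not one of our hosts reaching out
        if rec["dst"] in APPROVED_SQL:
            continue  # expected client-to-database traffic
        hits[rec["src"]].append(rec["dst"])
    return dict(hits)


if __name__ == "__main__":
    for src, dsts in suspicious_mssql_flows(SAMPLE_LOG).items():
        print(f"{src} -> unexpected MSSQL destinations: {', '.join(dsts)}")
```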

Encryptor RaaS (Ransomware as a Service)

A new Ransomware-as-a-Service (RaaS) offering called “Encryptor RaaS” has been advertised. The service is advertised on an onion-based domain via the Tor2Web service.

The seller explicitly calls its website “Ransomware as a Service”, using AV industry terminology, and the advertised business model closely resembles the recently discovered “Tox” RaaS. The seller earns a 20% commission per infected user who opts to pay the ransom. Additionally, all transactions are made via Bitcoin: affiliates or “customers” of this RaaS sign up via their Bitcoin address, and victims need Bitcoin to recover their files. Below is a screenshot of the advertisement. The ransomware encrypts all files (except system files) and then shows a notice asking you to pay them 99 USD for the key to decrypt them.

It is always a good idea to regularly back up your files so you do not lose them in case of a ransomware infection. Max Total Security now offers a data backup tool that is scheduled to back up the data on your hard drive for recovery in such cases of data loss.