New OS X Ransomware ‘KeRanger’ encrypts Mac files

Ransomware, one of the fastest-growing types of cyber threats, encrypts data on infected machines, then typically asks users to pay ransoms in hard-to-trace digital currencies to get an electronic key so they can retrieve their data.

Security experts estimate that ransoms total hundreds of millions of dollars a year from such cyber criminals, who typically target users of Microsoft’s Windows operating system.

KeRanger is the name given to what is believed to be the “first fully functional” ransomware on the OS X platform. When incorporated into an app, the malware connects to a remote server via the Tor anonymizing service, then “begins encrypting certain types of document and data files on the system.”

The malware then “demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files.” Researchers say the malicious code is “under active development” and seems to be trying to also encrypt users’ Time Machine backups to also prevent them from being able to recover their backed up data.

Transmission BitTorrent client installer for OS X was infected with ransomware, who directly installed Transmission between March 4th and March 5th may be infected with the KeRanger malware. Apple has already revoked the certificate, anyone attempting to open a known-infected version of the Transmission app will now be given a warning dialog box that notes “ will damage your computer. You should move it to the Trash,” or “Transmission can’t be opened. You should eject the disk image.”

A newly discovered Android malware xbot

xbot android malware

It tries to steal victims’ banking credentials and credit card information via phishing pages crafted to mimic Google Play’s payment interface as well as the login pages of 7 different banks’ apps. It can also remotely lock infected Android devices, encrypt the user’s files in external storage (e.g., SD card), and then ask for a U.S. $100 PayPal cash card as ransom. In addition, Xbot will steal all SMS messages and contact information, intercept certain SMS messages, and parse SMS messages for mTANs (Mobile Transaction Authentication Number) from banks.

Besides stealing credentials for banking portals, Xbot also pays a lot of attention to getting the user’s credit card details via a phishing page made to look like the Google Play payment page.

Locky Ransomware

Users/Victims receive an email with an attachment disguised as an invoice. Once the user opens the document, a rigged Word file, if Office macros are turned on in Word, then the malware installation begins. If not, the victim sees blocks of garbled text in the Word document below the text, “Enable macro if the data encoding is incorrect”—and then infects the system if the user follows that instruction. After doing so the malware downloads an executable, executes and begins encrypting users’ files.

Like most strains of ransomware, text files left behind by the attackers warn victims their files have been encrypted and that to retrieve them they’ll need to download Tor, visit a special site, and pay a certain amount of Bitcoin.

“When Locky encrypts a file it will rename the file to the format [unique_id][identifier].locky,” It leaves a ransom note text file called “_Locky_recover_instructions.txt” in each directory that’s been encrypted, pointing to servers on the Tor anonymizing network (both via Tor directly and through Internet relays) where the victim can make payment, and changes the Windows background image to a graphic version of the same message. It also stores some of the data in the Windows Registry file under HKCUSoftwareLocky.

Android malware that can ‘wipe phones’ via SMS

A Danish security company has detected an attempt to spread a powerful form of Android malware via text messages.

The malware, dubbed Mazar Android BOT, spreads via SMS and MMS messages. Crafted with a malicious link, the message reads:

“You have received a multimedia message from +[country code] [sender number] Follow the link http: //www.***mms.apk to view the message.” This message links to an Android application package (APK). The user is then prompted to download the package, which is given a generic name — “MMS Messaging” — to make the potential victim more likely to trust the download.

If installed, the malicious code hidden within grants itself administrator rights on an Android device, giving attackers the option to send premium messages without consent, hijack browser sessions, root the device, monitor phone and text messages and retrieve device data.

In addition, but perhaps most crucially, Mazar can also completely erase the infected device and all information stored within, make calls or read texts, as well as read authentication codes sent to the device as part of two-factor authentication systems used by online banking and social media accounts.

However, it will not install on phones where the language is set to Russian.

Are YOUR Skype chats being watched?

The researchers also warned it is so sophisticated, it can hide from even the most popular anti-virus software, making it extremely difficult to detect.

T9000 allows the attacker to capture encrypted data, take screenshots of specific applications and specifically target Skype users. The malware goes to great lengths to identify a total of 24 potential security products that may be running on a system and customizes its installation mechanism to specifically evade those that are installed. It uses a multi-stage installation process with specific checks at each point to identify if it is undergoing analysis by a security researcher.

It stores critical files dropped by the Trojan in a directory named “Intel.” T9000 is pre-configured to automatically capture data about the infected system and steal files of specific types stored on removable media.

The Trojan is said to involve what’s known as a multi-stage installation process and checks at each point for any installed anti-virus programs. After checking everything, T9000 installs itself and then collects information stored on the infected system, sending it to the hacker’s server.

The malware is said to have spread originally via spear phishing emails sent to organisations in the US. Spear phishing is an e-mail spoofing fraud attempt that targets a specific group or organisation. The intent is to steal intellectual property, financial data, trade or military secrets and other personal information. However, researchers believe this new backdoor malware is so sophisticated it can adapt to be used against any victim that a cybercriminal wishes to hack.

Ransomware Racket Demanding Bitcoin from India cos.

Earlier this month, the ransomware infected three Indian banks and a pharmaceutical company, demanding one bitcoin per compromised computer and reportedly causing millions of dollars in damage.
LeChiffre is not your typical ransomware and works only if launched into execution manually. The hacker managed to infiltrate the networks of all companies, and then escalated his access to other computers via unprotected Remote Desktop ports.

Once he gained access to a computer, the hacker would download the ransomware from his server and then double-click it to start the encryption process.

LeChiffre’s encryption operates by encrypting the first and last 8192 bytes of each file and then appending the encryption key to the file as a 32-byte blob. The encryption is AES. This ransomware is written in Delphi, and that its interface is in Russian.

“LeChiffre looks very unprofessional , practically, no countermeasures against analysis has been taken, but still it has managed to damage.

Here is LeChiffre message after files are infected:


CryptoJoker Ransomware

A new ransomware has been discovered called CryptoJoker that encrypts your data using AES-256 encryption and then demands a ransom in bitcoins to get your files back. The CryptoJoker installer is disguised as a PDF file, which means it is probably distributed via email phishing campaigns. Once the installer is executed it will download or generate numerous executables in the %Temp% folder and one in the %AppData% folder.

When CryptoJoker encrypts your data it will scan all drives, including mapped network drives, on the victim’s computer for files with certain extensions. When it discovers a targeted extension it will encrypt the file and change the filename it so it has a .crjoker extension appended to it. For example, Dog.jpg would become Dog.jpg.crjoker.

Files Associated with CryptoJoker:


Registry Entries associated with CryptoJoker;

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\winpnp %Temp%\winpnp.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drvpci %Temp%\drvpci.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\windefrag %Temp%\windefrag.exe

ModPOS (Modular point of Sale) malware threat rises again

Shopping season swings into high gear, a “highly sophisticated” malware framework that could pose a threat to U.S. retailers using point-of-sale (POS) systems, called ModPOS (for “modular POS”). Security experts are warning of a major new sophisticated POS malware framework which could wreak havoc among US retailers as they head into the busy Black Friday shopping period.

ModPOS is “the most sophisticated point-of-sale (POS) malware , with its complex and sophisticated code base, ModPOS can slip undetected past many types of modern security systems. Its modular nature also provides multiple attack routes, with keylogger, POS scraper and uploader/downloader modules that make it possible to target unique aspects of retailers’ POS systems.

New CryptoWall virus variant v4.0 is out in the wild now

Nasty crypto wall CW4.0 notifies you AFTER it’s done messing with your local and network files, not only data but it also now encrypts file names. Unless you have back up no way any files can be recovered. It is highly recommended to use some backup data program such as provided in Max Total Security which not only backs up but also protects anyone from modifying the files. This way you are fully protected.

The malware researchers also confirmed that encryption algorithm used to encrypt the victim’s files is the unbreakable AES 256 and the key is encrypted using RSA 2048.

The Cryptowall 4.0 infections were observed across the world, including in France, Italy, Germany, India, Romania, Spain, US, China, Kenya, South Africa, Kuwait and the Philippines.

KEMOGE: a vicious new Android malware

This malware is spotted spreading worldwide quickly, and it allows the complete compromise and takeover of the targeted Android device. The malware has turned up in countries such as the U.S., China, Singapore, Indonesia, Russia, England, and France.

A list of popular applications that have been repackaged with Kemoge are:

Smart Touch
Talking Tom
Light Browser
Easy Locker
Privacy Lock
Other adult applications.

On the initial launch of the adware, Kemoge collects device information and uploads it to the server. Then it starts serving ads from the background, which appear all the time, even on the home screen. After that, Kemoge delivers a .zip payload to the devices, which is encrypted multiple times and is made to look as an .mp4. file. After gaining persistent root, it infiltrates itself further into the system with names similar to the launcher service or other services such as the ones from Facebook or Google.

To avoid malware:

  • Never click on suspicious links from emails/SMS/websites/advertisements.
  • Don’t install apps outside the official app store.
  • Keep Android devices updated to avoid being rooted by public known bugs. (Upgrading to the latest version of OS will provide some security, but it does not guarantee that you will remain protected.