RuMMS Android Malware Attacks via SMS Spam, Steals Money from Bank Accounts - Attacking Users in Russia

To infect potential victims, the attackers send SMS texts containing links of the form hxxp://yyyyyyyy[.]XXXX.ru/mms.apk, which is why FireEye named the malware "RuMMS." Users who follow the link and install the APK become infected.

The lure is a plain SMS that sends the victim to a website with the promise of viewing a recent MMS message from a friend. The site tells the user to download an app to view the MMS; that app is RuMMS. On installation the app asks for device administrator privileges, which most users grant. Once it has them, the malware's first actions are to hide its icon from the launcher, start collecting data about the victim, and send that data to a command-and-control (C&C) server.

Once installed and granted device administrator privileges, the malware runs in the background and performs the following actions:

1. Sending device information to a remote command and control (C2) server.
2. Contacting the C2 server for instructions.
3. Sending SMS messages to financial institutions to query account balances.
4. Uploading any incoming SMS messages (including the balance inquiry results) to the remote C2 server.
5. Sending C2-specified SMS messages to phone numbers in the victim’s contacts.
6. Forwarding incoming phone calls to intercept voice-based two-factor authentication.

From this point on, RuMMS behaves as a fully fledged banking trojan. It queries various online services to learn whether the user holds bank accounts and tries to authenticate using data found on the device. Because it intercepts both SMS and voice-based two-factor authentication, the one-time codes banks rely on offer no protection once the handset itself is compromised.

Researchers said that during their investigation RuMMS never stole more than 600 rubles (about $9 / €8) per victim. Keeping the sums small lets the attackers hide the transfers among the victim's everyday card transactions, which are typically of similar size.

To spread to as many devices as possible, RuMMS performs one last operation: it reads the victim's contact list and mass-sends the same SMS lure the victim received earlier.

This trick means the crooks behind the operation don't have to rely on their own phone-number lists; the malware self-propagates like a classic worm. At the time of writing, FireEye says it has detected around 300 different versions of the malware, and that all domains that once hosted the malicious APK have since been cleaned up.

Smishing (SMS phishing) is a distinct vector for infecting mobile users, and the RuMMS campaign shows it remains a popular way for threat actors to distribute malware. So be careful when responding to unsolicited SMS on your phone, and never install an APK from a link in a text message.

Panda Banker: New Banking Trojan Hits the Market, puts your money at risk

Panda Banker is a new banking trojan spreading through malicious Microsoft Word documents. The attackers use a complex method to do something simple: steal your money. The Word files either exploit an Office vulnerability (CVE-2014-1761 or CVE-2012-0158) or trick you into enabling macros. So if a document that arrived by email pops up a request to enable macros, do not do so; delete the email.

If you do enable macros and Panda Banker runs, it starts collecting information about you and your machine: your user name, your local time, and the antivirus products you have installed. From these it builds a fingerprint, an ID specific to you and your computer. It then uses web injects, modifying your bank's pages inside your browser as they load, to capture your online banking credentials.

So far, Panda Banker has only been seen stealing bank credentials in the United Kingdom and Australia. Unfortunately, banking trojan campaigns like this tend to spread fast, especially when the hackers are successfully stealing money. So be sure to protect yourself.

Note: Make sure you have a super-secure, always-updated Internet security software on all your devices. We recommend Max total Security.

Following are some of the key locations where it installs itself (note that both the Run value and the dropped file are named notepad.exe to look legitimate):

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\notepad.exe

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\JavaScripts\notepad.exe

Malware spam: "BalanceUK_INVOICE_X002380_1127878" / adminservices@grouphomesafe.com

This fake financial spam does not come from BalanceUK Limited; it is a simple forgery carrying a malicious attachment. The email users are receiving looks like this:

From: adminservices@grouphomesafe.com
Date: 21 April 2016 at 10:33
Subject: "BalanceUK_INVOICE_X002380_1127878"

Thank you for placing your order with BalanceUK Ltd

Please find attached your document.

BalanceUK Limited,
30-32 Martock Business Park,
Great Western Road,
Martock,
Somerset,
TA12 6HB

Email: Balanceuk.orders@erahomesecurity.com
Tel: 01935 826 960
Fax: 01935 829 215

Attached is a ZIP file with a name that matches the reference in the subject field (e.g. BalanceUK_X271897_1127878.zip). Inside that ZIP file is another ZIP file named 4812610-20.04.2016.zip and in there is a malicious script named 4812610-20.04.2016.js .
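The double-ZIP wrapping described above is what gets the .js past attachment filters that only look at the outer file. The following is an added example, not code from the original article, that scans an attachment recursively for script payloads; the sample archive is constructed in memory (the member names mirror the ones quoted above, the content is a harmless placeholder) and the depth and size caps are my own choices:

```python
"""Scan an e-mail attachment for script payloads, descending into nested ZIP archives.

Added example, not from the original article. The sample archive is constructed in memory.
"""
import io
import os
import zipfile

# Extensions Windows will hand to Windows Script Host or the shell on double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                     ".ps1", ".cmd", ".bat", ".scr", ".exe"}
MAX_DEPTH = 5                        # stop descending so a zip bomb cannot exhaust us
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # do not inflate nested archives larger than this


def find_script_payloads(data: bytes, depth: int = 0, prefix: str = "") -> list[str]:
    """Return 'outer.zip/inner.zip/file.js'-style paths of every script-like member.

    Recurses into members that are themselves ZIP files, up to MAX_DEPTH levels.
    """
    if depth > MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    hits: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            ext = os.path.splitext(info.filename.lower())[1]
            if ext in SCRIPT_EXTENSIONS:
                hits.append(path)
            if ext == ".zip" and info.file_size <= MAX_MEMBER_BYTES:
                hits.extend(find_script_payloads(zf.read(info), depth + 1, path + "/"))
    return hits


def build_sample_attachment() -> bytes:
    """Constructed stand-in for the BalanceUK attachment: ZIP -> ZIP -> .js downloader."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("4812610-20.04.2016.js",
                   "// harmless placeholder standing in for the malicious script\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("4812610-20.04.2016.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for hit in find_script_payloads(build_sample_attachment()):
        print("script payload:", hit)
```

Feed it the raw bytes of a suspicious attachment; a non-empty result means a script sits somewhere inside the nesting. The depth and size limits matter because a recursive scanner is itself a target for zip bombs.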

Be careful: do not open emails from senders you do not know, and in particular do not open attachments unless you are expecting them from that sender.

TrueCrypter, another Ransomware

This ransomware currently encrypts files, and adds “.enc” to the filename. Files on the Desktop, in My Documents, My Music, and My Pictures are prioritized, then files on any other allocated drive letters are encrypted.

In addition to accepting BitCoin ransoms (0.2BTC), the criminals also accept Amazon Gift Cards for $115 USD.

This ransomware deletes shadow copies, includes a UAC bypass, and uses anti-sandbox techniques to hinder automated analysis. Files are encrypted with AES-256 using a cryptographically strong key generated for each individual file. That key is appended to the end of the file and protected with RSA-2096 using a public key fetched from a central server controlled by the criminals.

A list of encrypted files is stored in %APPDATA%\Microsoft\TrueCrypter\Encrypted.dat. The same directory holds a copy of the malicious executable, which is set to run on startup, and a TrueCrypter.xml file with settings such as the public RSA key, whether encryption was completed, and whether the key was submitted to the criminals' server. This lets the ransomware reload its state on startup and resume where it left off.

If the victim pays, the program will automatically start decrypting files on its own. At this time, there is no way to decrypt files for free.

Trojan found in more than 100 Android apps on Google Play Store

Researchers at Doctor Web have uncovered a new strain of advertising spyware in more than 100 Android apps downloadable from the official Google Play Store. The detection, Android.Spy.277.origin, was added to the Dr.Web virus database on April 1st, 2016.

Specifically, the malware experts found the trojan in 104 Android applications available for download on the Google Play Store. Those apps claim to offer photo editing services, animated wallpaper themes, and other programs… but in most cases, they don’t work as they claim.

In total, the apps affected by Android.Spy.277.origin are believed to have been downloaded by a staggering 3.2 million users.

The infection process works as follows.

Once a user has installed one of the malicious apps, the trojan collects nearly 30 different pieces of information about the device and transmits them to a remote server operated by the attacker.

The stolen data includes the device’s IMEI number, as well as the device model, OS version, and availability of root access.

Every time any installed application is launched, the trojan resends all the information above together with the name of the running application. Android.Spy.277.origin also requests advertising parameters from the server and can, for example, try to scare the user into installing unwanted applications.

Android users are urged to install an anti-virus solution such as Max Total Security-Android from Google Play on their devices, and to install apps only from trusted developers.

CryptXXX set to become the worst bitcoin-stealing ransomware

CryptXXX not only encrypts files locally and on all mounted drives; it also steals Bitcoin wallets and a wide range of other data.

CryptXXX is a multi-purpose thief, and analysis shows it also spreads in a new and powerful way: it is dropped by the Bedep trojan after the victim has been infected through the extremely popular Angler exploit kit. After infection, the ransomware replaces the user's wallpaper with its ransom note and drops text and HTML ransom notes all over the computer.

You can spot CryptXXX infections by the ransom notes, which are named de_crypt_readme.txt and de_crypt_readme.html, or by the .crypt extension it appends to every encrypted file. The standard ransom note asks for 1.2 Bitcoin, roughly $515 (€455), a sum well above the average for recent ransomware infections.

CryptXXX also carries a data-harvesting component, as seen in past infections with the Bedep click-fraud malware: it collects information and credentials from the user's instant messenger clients, email clients, FTP clients, and web browsers. Given that the actor behind Bedep, Angler, and Reveton is the same one behind even older tools such as the Cool exploit kit, CryptXXX is not an ordinary ransomware variant put together by script kiddies from the flawed open-source ransomware code uploaded to GitHub.

The first signs of the CryptXXX ransomware appeared towards the end of March. Security experts say the ransomware is distributed via Web pages that host the Angler exploit kit. This crimeware kit uses vulnerabilities to push the Bedep click-fraud malware on the users’ systems. Bedep is also known for having “malware downloading” capabilities, so it will download the CryptXXX ransomware as a second-stage infection, dropping it as a delayed execution DLL, set to wait 62 minutes before launching.

New point-of-sale malware

Security researchers have found a new memory-scraping malware program that steals payment card data from point-of-sale (PoS) terminals and sends it back to attackers using the Domain Name System (DNS). Dubbed Multigrain, the threat is part of a family of malware programs known as NewPosThings, with which it shares some code. However, this variant was designed to target specific environments.

Because DNS is conventionally used to translate domain names into IP addresses rather than to transfer arbitrary data, it is often overlooked when organizations assess their exposure. HTTP or FTP traffic may be closely monitored or restricted to prevent unauthorized external connections, but DNS "is still necessary to resolve hostnames within the corporate environment and is unlikely to be blocked". That makes it an appealing covert channel for attackers who need to move data out quietly.

Multigrain was designed with stealth in mind. It is digitally signed, it installs itself as a service called Windows Module Extension and more importantly, it sends data back to attackers via DNS queries.

Stolen payment card data is first encrypted with a 1024-bit RSA key and then Base32-encoded. The resulting string is placed in a DNS query for log.[encoded_data].evildomain.com, where "evildomain" is a domain controlled by the attackers. Because the query must be resolved, it arrives at the authoritative DNS server for that domain, which the attackers also control, so the data reaches them even though the PoS terminal never opens a direct connection to the outside.

This technique, while not specific to Multigrain, allows attackers to pass data out of restricted environments where other Internet communication protocols are blocked.
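The defensive counterpart is to look at outbound query names rather than at sockets. The following is an added example, not Multigrain's code or anything from the FireEye analysis, that reassembles the Base32 blobs from resolver query logs, using the log.[encoded_data].evildomain.com layout quoted above. The BIND-style log lines and the card-track payload are constructed test data, and since the RSA layer is opaque to the channel the sample payload is plaintext:

```python
"""Reassemble Multigrain-style DNS exfiltration from resolver query logs.

Added example, not Multigrain's code or FireEye's analysis. The log lines and the
'evildomain.com' / 'log.' prefix follow the description in the text; the card-track
payload is constructed test data.
"""
import base64
import re
from collections import defaultdict

QUERY_RE = re.compile(r"query:\s+(\S+)")              # BIND-style query log line
B32_ALPHABET = re.compile(r"^[A-Z2-7]+$", re.IGNORECASE)
MIN_ENCODED_CHARS = 32                                # shorter blobs are too small to be exfil


def encode_as_query(payload: bytes, domain: str, prefix: str = "log") -> str:
    """Imitate the sender: Base32-encode the (already RSA-encrypted) record and split it into
    63-octet DNS labels between the 'log.' prefix and the attacker-controlled domain."""
    encoded = base64.b32encode(payload).decode().rstrip("=")
    labels = [encoded[i:i + 63] for i in range(0, len(encoded), 63)]
    return f"{prefix}.{'.'.join(labels)}.{domain}"


def extract_exfil(log_lines, prefix: str = "log", domain_labels: int = 2) -> dict[str, list[bytes]]:
    """Return {attacker_domain: [decoded payload, ...]} for queries whose middle labels are Base32 blobs.

    Assumes the attacker domain has `domain_labels` labels (evildomain.com -> 2)."""
    found: dict[str, list[bytes]] = defaultdict(list)
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        labels = m.group(1).rstrip(".").split(".")
        blob = labels[1:-domain_labels]
        if labels[0].lower() != prefix or not blob:
            continue
        if not all(B32_ALPHABET.match(label) for label in blob):
            continue
        encoded = "".join(blob).upper()
        if len(encoded) < MIN_ENCODED_CHARS:
            continue
        encoded += "=" * (-len(encoded) % 8)          # restore the padding the sender stripped
        try:
            payload = base64.b32decode(encoded)
        except ValueError:
            continue                                  # looked like Base32 but was not
        found[".".join(labels[-domain_labels:])].append(payload)
    return dict(found)


# Constructed sample: a fake track-2 string stands in for the RSA ciphertext of one scraped card
# (4111 1111 1111 1111 is the standard Visa test PAN, not a real account).
SAMPLE_TRACK = b";4111111111111111=18121011000012345678?"
SAMPLE_LOG = [
    "19-Apr-2016 10:33:01.101 client 10.0.0.25#53211: query: www.example.com IN A +",
    "19-Apr-2016 10:33:02.202 client 10.0.0.25#53212: query: "
    + encode_as_query(SAMPLE_TRACK, "evildomain.com") + " IN A +",
    "19-Apr-2016 10:33:03.303 client 10.0.0.25#53213: query: log.cdn.example.com IN A +",
]

if __name__ == "__main__":
    for domain, payloads in extract_exfil(SAMPLE_LOG).items():
        print(domain, [p.decode(errors="replace") for p in payloads])
```

In production the decoded bytes would be RSA ciphertext you cannot read, but the detection does not depend on reading them: a steady stream of long, Base32-only labels under one registrable domain, from a host that should only ever resolve a handful of names, is the signal. Legitimate CDN hostnames with short labels (the log.cdn.example.com line) fall below the length threshold and are ignored.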

Jigsaw Ransomware

A new ransomware program called Jigsaw encrypts users’ files and then begins to progressively delete them until the victim pays the equivalent of $150 in Bitcoin crypto currency.

The ransomware deletes one file after the first hour has passed and then increases the number of files it deletes in every 60-minutes cycle. If no payment has been made within 72 hours, all remaining files will be deleted.

A Jigsaw decryptor utility has been developed and is available on the internet for free. While security experts managed to find a way to decrypt files this time, there's no guarantee they'll manage the same for future versions; ransomware authors are typically quick to fix their errors.

When the Jigsaw ransomware is launched it scans your drives for certain file extensions, encrypts the matching files with AES, and appends the .FUN extension to each filename. As it encrypts a file it adds the filename to a list of encrypted files at %UserProfile%\AppData\Roaming\System32Work\EncryptedFileList.txt. It also assigns a bitcoin address and saves it in %UserProfile%\AppData\Roaming\System32Work\Address.txt. Finally, Jigsaw sets an autorun so the ransomware starts each time you log in to Windows. Unfortunately, each time the ransomware starts it also deletes 1,000 of the encrypted files, so rebooting to "clean up" makes things worse; kill the process and remove the autorun first.

Files associated with Jigsaw:

%UserProfile%\AppData\Roaming\Frfx\
%UserProfile%\AppData\Roaming\Frfx\firefox.exe
%UserProfile%\AppData\Local\Drpbx\
%UserProfile%\AppData\Local\Drpbx\drpbx.exe
%UserProfile%\AppData\Roaming\System32Work\
%UserProfile%\AppData\Roaming\System32Work\Address.txt
%UserProfile%\AppData\Roaming\System32Work\dr
%UserProfile%\AppData\Roaming\System32Work\EncryptedFileList.txt

Registry associated with Jigsaw:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe %UserProfile%\AppData\Roaming\Frfx\firefox.exe

New ransomware called CryptoHost


Yet another breed of ransomware has been discovered. It claims to encrypt your data and demands a ransom of 0.33 bitcoins (approximately 140 USD) to get your files back. In reality your data is not encrypted but moved into a password-protected RAR archive, and the password this infection uses is easily recovered, so victims can get their files back without paying.

When CryptoHost infects your computer it moves files with the following extensions into a password-protected archive in the C:\Users\[username]\AppData\Roaming folder:

jpg, jpeg, png, gif, psd, ppd, tiff, flv, avi, mov, qt, wmv, rm, asf, mp4, mpg, mpeg, m4v, 3gp, 3g2, pdf, docx, pptx, doc, 7z, zip, txt, ppt, pps, wpd, wps, xlr, xls, xlsl

This archive has a 40-character hexadecimal name (a SHA1 digest) and no extension; an example is 3854DE6500C05ADAA539579617EA3725BAAE2C57. The password for the archive is the name of the archive followed by the logged-in user name. So, if the user is Test and the RAR archive is located at C:\Users\Test\AppData\Roaming\3854DE6500C05ADAA539579617EA3725BAAE2C57, the password is 3854DE6500C05ADAA539579617EA3725BAAE2C57Test.

The first thing to do is terminate the cryptohost.exe process from Task Manager, so it cannot add more files to the archive while you work.

To get your archived data back you need to extract the password-protected RAR archive that holds your files. Install 7-Zip, WinRAR, or WinZip. Then open the C:\Users\[username]\AppData\Roaming folder and locate the archive using the description above. Right-click it, select the Extract to "foldername" option, enter the password derived as described above, and press Enter. (If the context menu offers no extraction option because the file has no extension, open the archive from inside the 7-Zip or WinRAR file manager instead.) Your data will be extracted into a folder with the same name as the RAR archive. When done, open that folder and copy all of the folders in it to the root of your C: drive. Your data files should now be restored.
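The recovery steps above are mechanical enough to script. The following is an added example, not code from the original article or from any decryptor tool, that locates candidate CryptoHost archives in a profile directory, derives the password (archive name + user name, taking the user name from the C:\Users\<name>\ path component when you do not pass it), and builds the 7-Zip command line. The "_extracted" destination suffix is my own choice so the folder does not collide with the extensionless archive file:

```python
"""Locate a CryptoHost archive and derive its password (archive name + logged-in user name).

Added example, not from the original article. It only derives the password and builds the
7-Zip command; run the command yourself once 7-Zip is installed.
"""
import ntpath
import os
import re
import tempfile
from typing import Optional

SHA1_NAME = re.compile(r"^[0-9A-Fa-f]{40}$")                    # 40 hex chars, no extension
USERS_DIR = re.compile(r"[\\/]Users[\\/]([^\\/]+)[\\/]", re.IGNORECASE)


def find_cryptohost_archives(appdata_dir: str) -> list[str]:
    """Return files directly under appdata_dir whose whole name is a SHA1 digest."""
    hits = []
    for name in os.listdir(appdata_dir):
        full = os.path.join(appdata_dir, name)
        if SHA1_NAME.match(name) and os.path.isfile(full):
            hits.append(full)
    return sorted(hits)


def derive_password(archive_path: str, username: Optional[str] = None) -> str:
    """CryptoHost's password is <archive name><user name>. If no user name is given,
    take it from the C:\\Users\\<name>\\ component of the path."""
    name = ntpath.basename(archive_path)            # handles both \ and / separators
    if username is None:
        m = USERS_DIR.search(archive_path)
        if not m:
            raise ValueError("cannot infer user name from path; pass username= explicitly")
        username = m.group(1)
    return name + username


def extraction_command(archive_path: str, username: Optional[str] = None) -> list[str]:
    """7-Zip command line that extracts into a sibling folder named after the archive.
    The '_extracted' suffix is an assumption of this example; 7z.exe must be on PATH."""
    return ["7z", "x", f"-p{derive_password(archive_path, username)}",
            f"-o{archive_path}_extracted", archive_path]


def demo_in_temp_dir() -> list[str]:
    """Constructed %AppData% layout: one CryptoHost archive beside the dropper and its file list.
    Returns the bare names the finder picks out, so the decoys must not appear."""
    d = tempfile.mkdtemp()
    for name in ("3854DE6500C05ADAA539579617EA3725BAAE2C57", "cryptohost.exe", "files"):
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(b"placeholder")
    return [ntpath.basename(p) for p in find_cryptohost_archives(d)]


if __name__ == "__main__":
    path = r"C:\Users\Test\AppData\Roaming\3854DE6500C05ADAA539579617EA3725BAAE2C57"
    print(derive_password(path))
    print(" ".join(extraction_command(path)))
```

Run it on the real %AppData% path after killing cryptohost.exe; if the account name contains characters the path mangles, pass username= explicitly rather than trusting the path heuristic.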

Now time to manually remove Cryptohost:

When CryptoHost is installed it creates a file called cryptohost.exe in the C:\Users\[username]\AppData\Roaming folder. It also creates an autorun value named software that executes the ransomware on login. To remove the infection, end the cryptohost.exe process in Task Manager and then delete the cryptohost.exe file. To remove the autorun, delete this registry value:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\software %AppData%\cryptohost.exe

CryptoHost is currently being bundled with a uTorrent installer which, when run, extracts cryptohost.exe to the %AppData% folder and executes it. Once executed, CryptoHost moves all files matching the extensions listed above into a password-protected RAR archive in the %AppData% folder. The name of the archive is a SHA1 hash of system-specific values, with any dashes removed.

When the archive has been created, the ransomware lists the files in it, saves that list to the %AppData%\Files file, and displays its ransom message demanding payment.

Search and Remove the following Files associated with the CryptoHost Ransomware:

%Temp%\uTorrent.exe
%AppData%\cryptohost.exe
%AppData%\files
%AppData%\processor.exe

Search and Remove the following Registry entries associated with the CryptoHost Ransomware:

HKCU\Software\Classes\FalconBetaAccount
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\software %AppData%\cryptohost.exe
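Panda Banker (notepad.exe under an Acrobat JavaScripts folder), Jigsaw (firefox.exe under Roaming\Frfx) and CryptoHost (software pointing at %AppData%\cryptohost.exe) all persist the same way: a Run value launching a binary from a user-writable profile directory, often named after legitimate software. The following is an added example, not code from the original article, that triages Run-key entries for exactly that pattern. The sample entries are constructed from the persistence locations quoted on this page plus two benign ones; the lookalike-name list and the regexes are my own assumptions, and the registry reader only does anything on Windows:

```python
"""Triage Run-key autostart entries for binaries dropped under the user profile.

Added example, not from the original article. Sample entries are constructed from the
persistence locations quoted on this page plus two benign ones.
"""
import re
import sys
from typing import Iterable

# Executable launched by the command: optionally quoted path ending in a runnable extension.
EXE_RE = re.compile(r'^\s*"?(.+?\.(?:exe|dll|scr|bat|cmd|vbs|js))\b', re.IGNORECASE)
# Locations an ordinary user can write to; few legitimate autostarts live here.
USER_WRITABLE = re.compile(
    r"(\\AppData\\|%AppData%|%LocalAppData%|%Temp%|\\Temp\\|%UserProfile%)", re.IGNORECASE)
# Where the real copies of well-known binaries live.
TRUSTED_ROOTS = re.compile(
    r"^(%ProgramFiles%|%SystemRoot%|%windir%|[A-Z]:\\Program Files|[A-Z]:\\Windows)", re.IGNORECASE)
# Value names malware borrows to blend in (assumed list; extend for your environment).
LOOKALIKE_NAMES = {"notepad.exe", "firefox.exe", "chrome.exe", "svchost.exe", "explorer.exe"}

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def triage_run_entries(entries: Iterable[tuple[str, str]]) -> list[tuple[str, str, str]]:
    """Return (value_name, executable, reasons) for every entry worth a second look."""
    findings = []
    for name, command in entries:
        m = EXE_RE.match(command)
        exe = m.group(1) if m else command.strip()
        reasons = []
        if USER_WRITABLE.search(exe):
            reasons.append("runs from a user-writable profile directory")
        if name.lower() in LOOKALIKE_NAMES and not TRUSTED_ROOTS.match(exe):
            reasons.append("value name mimics a well-known binary but the path is not its install location")
        if reasons:
            findings.append((name, exe, "; ".join(reasons)))
    return findings


def read_run_entries() -> list[tuple[str, str]]:
    """Read the HKCU and HKLM Run keys (Windows only); elsewhere returns an empty list."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            with winreg.OpenKey(hive, RUN_KEY) as key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break                         # no more values
                    entries.append((name, str(data)))
                    i += 1
        except OSError:
            pass                                      # key absent or not readable
    return entries


# Constructed from the persistence locations quoted on this page, plus two benign entries.
SAMPLE_RUN_ENTRIES = [
    ("notepad.exe", r"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\JavaScripts\notepad.exe"),
    ("firefox.exe", r"%UserProfile%\AppData\Roaming\Frfx\firefox.exe"),
    ("software", r"%AppData%\cryptohost.exe"),
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("Mozilla Firefox", r'"C:\Program Files\Mozilla Firefox\firefox.exe" -foreground'),
]

if __name__ == "__main__":
    entries = read_run_entries() or SAMPLE_RUN_ENTRIES
    for name, exe, why in triage_run_entries(entries):
        print(f"[{name}] {exe}\n    {why}")
```

Treat the output as a triage list, not a verdict: some legitimate software (updaters, cloud-sync clients) also autostarts from AppData\Local, so confirm a hit by checking the file's signature and hash before deleting the value and the binary it points to.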

Ransomware is the talk of the town lately now-Rokku

One of the most recent threats, known as Rokku Ransomware, joins a growing list of ransomware that offers alternative ways of paying the fee to decrypt the files it has encrypted. In Rokku's case the ransom note includes a QR code that takes the victim straight to the payment site.

As usual, the infection point is spam email carrying attachments laced with malware. If downloaded and executed, the attachment starts Rokku's encryption process, which protects the file keys with RSA-512, a key size that is hard, though not impossible, to break.


First and foremost, Rokku deletes the shadow volume copies on your hard drive, so Windows' Previous Versions and backup tools that rely on them cannot recover unencrypted copies of your files. If you have backups stored offline you can restore from those; without shadow copies, recovering the files from the same drive is not feasible.

when Rokku encrypts a victim’s data it will use the Salsa20 algorithm and will encrypt each files with its own unique key. A file’s key is then encrypted using RSA and stored in the last 252 bytes of the associated file. This allows the developers to provide individual decryption keys for test file decryption. This is also the first ransomware that I know of that uses the Salsa20 algorithm, which provides much greater encryption speeds compared to AES. In each folder that is encrypted and in the victim’s Startup folder, Rokku will create two ransom notes titled README_HOW_TO_UNLOCK.HTML and README_HOW_TO_UNLOCK.TXT. These ransom notes contain information on what has happened to the victim’s files and links to Rokku’s Tor payment site.

An interesting feature of Rokku is the use of the Google Website Translator Plugin in the ransom notes. This allows them to create one English ransom note and easily use the translator for those who do not understand English.