Karma ransomware

Karma Ransomware pretends to be a Windows optimization program called Windows-TuneUp. What is worse, this sample was discovered as software that would potentially be distributed by a pay-per-install software monetization company when people install free software downloaded from the Internet.
It turns out that this malicious file-encrypting software was distributed alongside other freeware (it no longer is, because its Command & Control servers have already been taken down) and presented as recommended additional software that can help the user speed up a slow computer and fix other performance-related issues. This malicious program even used to have an official website; however, it is no longer active. Clearly, the scammers put great effort into making people believe that Windows-TuneUp is a legitimate tool; however, it did not take long to realize that in reality it is a Trojan that disseminates Karma ransomware.
When the victim downloads and installs this program, it launches automatically and pretends to check the system for errors and problems that need fixing. While the victim explores the panel of this fake optimization tool, the virus scans system folders and encrypts target files with a sophisticated cipher. The real intention of this "PC optimization" software becomes clear when it displays a ransom note.


Files associated with the Karma Ransomware
Windows-TuneUp.exe

Registry entries associated with the Karma Ransomware

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer “auth”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ “Saffron”= “%Desktop%\\# DECRYPT MY FILES #.html”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ “Safron”= “%Desktop%\\# DECRYPT MY FILES #.txt”

IOCs:
SHA256: 6545ae2b8811884ad257a7fb25b1eb0cb63cfc66a742fa76fd44bddd05b74fe8
SHA256: cf5fda29f8e1f135aa68620ce7298e930be2cb93888e3f04c9cd0b13f5bc4092

Network Communication:
karma2xgg6ccmupd.onion
windows-tuneup.com/web293/xUser.php

Finally, users of any computing device should be careful before downloading any software and decline any bundled free software offered along with it. Also keep a good antivirus program such as Max Total Security and have peace of mind with advanced detection and daily data backup (just in case some ransomware makes it to your files!).

iRansom Ransomware

iRansom encrypts files and appends the “.Locked” extension to the name of each encrypted file. For example, “sample.jpg” is renamed to “sample.jpg.Locked”. Following successful encryption, iRansom opens a pop-up window containing a ransom-demand message. iRansom Ransomware threatens your personal files, and, if you do not stop this infection in time, all of your documents, media files, photos, archives, and other valuable files could be encrypted. The threat uses the AES (Advanced Encryption Standard) encryption algorithm to lock up your files, and it can do that silently. It is most likely that you will not notice that your files were encrypted at all, until the ransom note pops up on the screen. If this screen has already popped up, there is nothing you can do to stop the encryption process because it is already complete.

To manually delete iRansom Ransomware

  • Launch Task Manager by tapping keys Ctrl+Shift+Esc (or tap Ctrl+Alt+Delete and select Task Manager).
  • Click the Processes tab and select the malicious process (it could be named iRansom.exe).
  • Click the End Task/End Process button below and exit the utility.
  • Right-click the malicious .exe file (file name and location are unknown) and select Delete.
  • Launch RUN by tapping Win+R keys and enter regedit.exe into the dialog box.
  • In Registry Editor move to HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run.
  • Right-click the malicious value (it could be named iRansom) and select Delete.
  • Install a good antivirus solution such as Max Total Security and scan your operating system to make sure your PC is now clean.

Keep spam emails away and scan with a good antivirus every day. Back up your data daily and never pay the ransom if stuck with the malware.

ISHTAR Ransomware

ISHTAR Ransomware is another variant of Cryptovirus ransomware. Its name is taken either from the infamous Israeli singer or from the Mesopotamian goddess of war, sex, power, fertility and love. This ransomware encrypts the user’s files, prepends “ISHTAR” to the name of each encrypted file, and demands a ransom payment to restore access to the compromised data.

The interesting thing with this particular type of ransomware is that it doesn’t change the file name extension. It merely adds the “Ishtar” prefix to the file name. The ransom note is written in two languages and is named “README-ISHTAR.txt”. Ishtar Ransomware can be distributed via various means: email spam campaigns, malicious ads, browser hijacker redirects and software bundles downloaded from untrusted sources. It also deletes the shadow volume copies from the Windows OS using the following command:

“vssadmin.exe delete shadows /all /Quiet”

We highly recommend that you follow good security practices to stay protected from this and other threats.

Ransomware like ISHTAR demands that victims buy and send 1 Bitcoin to the attackers’ wallet address. Security researchers strongly advise users not to fall into the trap of ransomware hackers and not to pay the ransom, because the attackers will not provide any decryption tool after the payment. So the better option is to remove it from your system and restore your data from a backup. You can delete ISHTAR Ransomware using a strong antivirus program such as Max Total Security, which not only provides continuous protection from the latest malware but also gives you daily file backup so that you can easily revert your data.

Android banking malware masquerades as Flash Player

The malware masquerades as a Flash Player app that, once installed, appears in the phone launcher. If the phone owner launches the app, they see a fake Google Play screen asking for permissions that grant the malware administrator rights.

Then, when a banking app is opened, the malware creates a fake overlay, tricking victims into entering their login credentials. Among the bank apps being targeted are those of NAB, ING Direct and Citi, as well as PayPal. In addition, the malware is also taking aim at social media apps. When users launch Facebook, WhatsApp, Snapchat, Twitter, Instagram and more, they are faced with a screen overlay asking for payment card details.

Meanwhile, due to its ability to intercept SMS communications, the malware is also able to bypass SMS-based two-factor authentication. Users can disable the device administrator rights through their phone settings and then uninstall the fake Flash Player.

Locky Ransomware switches to THOR Extension

A new variant of the infamous Locky ransomware has been released, and more than 14 million virus-laden emails have gone out so far. These spam messages come with a booby-trapped .zip file attachment that poses as an invoice or letter of complaint to a targeted organisation but actually contains malicious JavaScript. This new variant is currently being distributed through a variety of SPAM campaigns with VBS, JS, and other attachments. One SPAM campaign that I have seen has a subject line of Budget forecast and contains a ZIP attachment called budget_xls_[random_chars].zip.

Victims who open the attachment on a Windows PC end up with an infected machine and scrambled files. The latest attack has switched from appending the .SH*T extension to encrypted files to using the .THOR extension instead. When the Locky SPAM attachments are executed, they download an encrypted DLL, decrypt it on the victim’s computer, and then execute it using Rundll32.exe to encrypt the victim’s files.

Once executed, it will scan for targeted file types and encrypt them, renaming each to a scrambled name with the .thor extension. For example, a file called accounting.xlsx could be renamed to 024BCD33-41D1-ACD3-3EEA-84083E322DFA.thor. The format for this naming scheme is [first_8_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[4_hexadecimal_chars]-[12_hexadecimal_chars].thor. Unfortunately, it is not possible to decrypt files encrypted by the Locky Thor variant.

At this time the only way to recover encrypted files is via a backup. Do not forget to schedule the daily backup module in Max Total Security.

Smash! Ransomware blocks access to various Windows processes and applications

A ransomware that pretends to be very scary has been reported by malware researchers to be completely harmless: it solely blocks access to various Windows processes and applications. Anyone who has been infected by this virus should not be scared and should not pay any ransom to the cyber-criminals behind Smash!, since this low-quality virus may be either a test virus (malware that is sometimes released to see if the infection works successfully) or a low-quality piece of malware by script kiddies.

Smash! Ransomware uses a cute image of the Super Mushroom from Super Mario Bros holding a knife. Though it calls itself ransomware and threatens to delete your files after a timer runs down, in reality this malware is more like a screenlocker and does not delete anything from the computer. Furthermore, many of the functions are not coded yet, so this is either a poorly created program or a development version.

When executed, the Smash! will display a series of messages that attempt to welcome you to the program. These messages are displayed below.

When you get to the last message and press OK, it will display a screen with a timer labeled File Kill Timer and then prompts you to enter a 7 digit code to close down the program.

As of right now, you can type whatever you want into the code box, and pressing the button won’t do anything, because the function that corresponds to clicking the button is currently empty. Furthermore, when the timer runs down, it will change the screen to imply it is deleting files from the infected computer. In reality, it is not doing anything, as the program does not currently have any ability to delete a victim’s files.

Ultimately, with its lack of dangerous functionality and its use of characters from Super Mario Bros, Smash! Ransomware is cute rather than damaging. What does currently work is that it blocks certain programs from executing. For example, if you try to run Regedit, Task Manager, or a CMD prompt, it will attempt to terminate the process and display a message box stating that the programs are blocked. As this malware does not configure an autostart, you can simply reboot your computer and the infection will no longer be running on login.

More-powerful IoT botnet after Mirai code goes public

Since the Mirai malware’s source code was published online, Internet of Things (IoT) devices have become highly vulnerable to malware infections. Initially, experts did not pay much attention to the probability of increased infection of IoT devices after the source code became public. However, the massive distributed denial of service (DDoS) attacks launched against Brian Krebs’ website and against the hosting provider OVH made the experts come together and take notice.

Reports this week claim that the Mirai IoT malware has now infected almost half a million IoT devices. The new data confirms the importance of securing IoT devices to prevent massive DDoS attacks. It also confirms the low level of sophistication of the exploit: mainly common or default user IDs and passwords.

It must be noted that over 80% of the bots are actually DVRs, while Mirai malware can identify and infect a wide range of IoT devices including Linux servers, routers, IP cameras and Sierra Wireless gateways. At least one-quarter of the infected IoT devices are in the US, followed by Brazil with 23% and Colombia with 8% of the total identified infected devices.

Wild Fire ransomware rebrands itself as HadesLocker

The WildFire Locker ransomware has rebranded itself using the apropos name of Hades Locker. In late August, WildFire Locker disappeared after the organizations behind NoMoreRansom.org were able to seize control of the ransomware’s Command & Control servers. This allowed NoMoreRansom to gain access to many of the decryption keys for the ransomware’s victims. Unfortunately, the ransomware developers were not apprehended and it now appears they have been biding their time before releasing a new ransomware.
It is not currently known how Hades Locker is being distributed, but once executed it will connect to http://ip-api.com/xml to retrieve the IP address of the victim and their geographic location. It will then send a unique victim ID, called hwid, a tracking ID (currently set to 0002), the computer name, the user name, the country, and the IP address of the victim to one of the configured Command & Control servers. The command and control server will then reply with a password to use to encrypt the files using AES encryption.
During this process, Hades Locker will store in the Registry the hwid and a Status entry that will either be set to 0 or 1 depending on whether the encryption process has been finished. The registry key this information is written to is:
HKCU\Software\Wow6232Node

Hades Locker will now begin to encrypt all of the files on mapped drives that match certain file extensions. When encrypting the files it will use AES encryption and append an extension made up of the string “.~HL” plus the first 5 letters of the encryption password. For example, test.jpg could be encrypted as test.jpg.~HLH6215.
While performing encryption, it will skip any files whose path contains the following strings:

windows
program files
program files (x86)
system volume information
$recycle.bin

To prevent victims from recovering their files from the Shadow Volume Copies, it will delete them using the following command:
WMIC.exe shadowcopy delete /nointeractive

Finally, in each folder that a file is encrypted it will also create three ransom notes named README_RECOVER_FILES_[victim_id].html, README_RECOVER_FILES_[victim_id].png, and README_RECOVER_FILES_[victim_id].txt.
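The file-renaming schemes described on this page (iRansom’s “.Locked” suffix, ISHTAR’s name prefix, Locky’s GUID-style “.thor” names and Hades Locker’s “.~HL” suffix) and the ransom-note names can all be recognised from a plain directory listing, which is a cheap first triage check. The Python helper below is an added example, not code from the original post; the sample listing is constructed, and the separator after the ISHTAR prefix is an assumption since the page only says the name is prefixed.

```python
import re

# Constructed sample directory listing (not real victim data).
SAMPLE_LISTING = [
    "accounting.xlsx",
    "024BCD33-41D1-ACD3-3EEA-84083E322DFA.thor",   # Locky Thor variant
    "test.jpg.~HLH6215",                           # Hades Locker
    "sample.jpg.Locked",                           # iRansom
    "ISHTAR-report.docx",                          # ISHTAR prefix (separator assumed)
    "README_RECOVER_FILES_1A2B3C.txt",             # Hades Locker note (id constructed)
    "README-ISHTAR.txt",                           # ISHTAR note
    "# DECRYPT MY FILES #.html",                   # Karma note
    "notes.txt",
]

# Encrypted-file naming schemes, as the page describes them.
ENCRYPTED_NAME_PATTERNS = [
    # Locky Thor: [8]-[4]-[4]-[4]-[12] hex chars + .thor; first 16 hex chars are the victim ID.
    ("Locky (.thor)", re.compile(
        r"^(?P<id1>[0-9a-f]{8})-(?P<id2>[0-9a-f]{4})-(?P<id3>[0-9a-f]{4})"
        r"-[0-9a-f]{4}-[0-9a-f]{12}\.thor$", re.I)),
    # Hades Locker: original name + ".~HL" + first 5 characters of the AES password.
    ("Hades Locker (.~HL)", re.compile(r"^(?P<orig>.+)\.~HL(?P<pw>[0-9A-Za-z]{5})$")),
    # iRansom: original name + ".Locked".
    ("iRansom (.Locked)", re.compile(r"^(?P<orig>.+)\.Locked$")),
    # ISHTAR: "ISHTAR" prefix, original extension untouched; separator is an assumption.
    ("ISHTAR (prefix)", re.compile(r"^ISHTAR[-_ ]?(?P<orig>.+)$", re.I)),
]

# Ransom-note file names listed on the page.
RANSOM_NOTE_PATTERNS = [
    ("Karma", re.compile(r"^# DECRYPT MY FILES #\.(html|txt)$")),
    ("ISHTAR", re.compile(r"^README-ISHTAR\.txt$")),
    ("Hades Locker", re.compile(r"^README_RECOVER_FILES_(?P<id>[^.]+)\.(html|png|txt)$")),
]


def classify(name):
    """Return (kind, family, details) for a name matching a known scheme, else None."""
    for family, pat in ENCRYPTED_NAME_PATTERNS:
        m = pat.match(name)
        if m:
            d = m.groupdict()
            if "id1" in d:   # Locky: reassemble the 16-hex-char victim ID
                d = {"victim_id": (d["id1"] + d["id2"] + d["id3"]).upper()}
            return ("encrypted", family, d)
    for family, pat in RANSOM_NOTE_PATTERNS:
        m = pat.match(name)
        if m:
            return ("note", family, m.groupdict())
    return None


def scan(names):
    """Map each suspicious name in a listing to its classification; clean names are dropped."""
    findings = {}
    for n in names:
        r = classify(n)
        if r is not None:
            findings[n] = r
    return findings


if __name__ == "__main__":
    for name, (kind, family, details) in scan(SAMPLE_LISTING).items():
        print(f"{kind:9} {family:22} {name}  {details}")
```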

When a victim connects to the payment site they will be shown a general information page that describes how much they need to pay, what bitcoin address a payment should be sent to, and information on how to get bitcoins. On this payment site the developers refer to themselves as a company called Hades Enterprises.

Files associated with Hades Locker:
README_RECOVER_FILES_[victim_id].html
README_RECOVER_FILES_[victim_id].png
README_RECOVER_FILES_[victim_id].txt
%UserProfile%\AppData\Local\Temp\RarSFX0\
%UserProfile%\AppData\Local\Temp\RarSFX0\Ronms.exe
%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ronms.lnk
%UserProfile%\AppData\Roaming\wow6232node\
%UserProfile%\AppData\Roaming\wow6232node\Bamvenagxe.xml
%UserProfile%\AppData\Roaming\wow6232node\Ronms.exe

Registry Entries associated with Hades Locker:
HKCU\Software\Wow6232Node\hwid [victim_id]
HKCU\Software\Wow6232Node\status 1

Network Communication associated with Hades Locker:
n7457xrhg5kibr2c.onion
http://pfmydcsjib.ru
http://jdybchotfn.ru

Our recommendation, as always: maintain a good backup copy of all of your files and use a good security program such as Max Total Security, which provides data backup along with detection of this malware’s files.

‘Komplex’ OS X Trojan

Komplex is a Trojan that the Sofacy group created to compromise individuals using OS X devices. The Trojan has multiple parts, first leading with a binder component that is responsible for saving a second payload and a decoy document to the system. We found three different versions of the Komplex binder, one that was created to run on x86, another on x64, and a third that contained binders for both x86 and x64 architectures.

Regardless of architecture, these initial binders all save a second embedded Mach-O file to ‘/tmp/content’. This file is the Komplex dropper used in the next stage of installation and to maintain persistence. After saving the Komplex dropper, these binders then save a legitimate decoy document to the system and open it using the ‘Preview’ application to minimize suspicion of any malicious activity.
The binder component saves a decoy document named roskosmos_2015-2025.pdf to the system and opens it using the Preview application built into OS X. Figure 2 shows a portion of the 17-page decoy document. This document is titled “Проект Федеральной космической программы России на 2016 – 2025 годы” and describes the Russian Federal Space Program’s projects between 2016 and 2025.
The tool is capable of downloading additional files to the system, executing and deleting files, as well as directly interacting with the system shell.

Max Total Security for Mac detects this malware.

Qadars banking trojan targeting UK banks

The Qadars Trojan has been updated to improve its defences and is being tailored to target 18 UK banks. According to the researchers, the UK is back in cyber criminals’ focus, with renewed activity after a period when malware, including GozNym and Zeus, was targeting Germany, Brazil and the US instead.

From a global perspective, Qadars’ operators have been making the rounds, targeting banks in different regions in separate bouts of online banking fraud attacks since 2013. Early campaigns were aimed at banks in France and the Netherlands in 2013 and 2014, but in 2015 to 2016 the top targets were banks in Australia, Canada, the US and the Netherlands.

The top targets are currently banks in the Netherlands, the US, Germany, Poland and the UK.

X-Force Research shows that although most of Qadars’ targets have been banks, a view of the malware’s configurations from recent months proves it is also targeting social networking credentials, online sports betting users, e-commerce platforms, payments and card services. The researchers believe Qadars is supported by experienced cyber crime factions because the malware has used advanced banking malware tactics from the start.


This trojan has the following capabilities:

  • Hooking the internet browser to monitor and manipulate user activity
  • Fetching web injections in real time from a remote server
  • Supplementing fraud scenarios with an SMS hijacking app
  • Orchestrating the full scope of fraudulent data theft and transaction operation through an automated transfer system panel.

The updated code also gives Qadars more ways to defeat traditional cyber defences.

“Qadars’ new version obfuscates all of its Win32 API calls by employing a common trick often used by banking malware of this grade, such as URLZone, Dridex and Neverquest,” said IBM X-Force. “Beyond the pre-programmed parts of its configuration files, Qadars relies on communication with remote servers and ATS panels to fetch money mule account numbers in real time,” she said. “It also displays social engineering injections delivered from its servers in real time and can enable hidden remote control of infected machines to defraud their owners’ accounts.”

“When the malware code starts to run, and after the packer has completed its part, it dynamically resolves all the memory addresses of the APIs it’s going to use. Qadars contains hardcoded CRC32 values for all the function names it plans to use. To resolve the actual memory address of a function, it will iterate over the export table of a particular system DLL and compare the CRC32 of the exported function name against the hardcoded one. If a match is found, Qadars saves the memory address of the function in a global variable. The malware adds a twist to this well-known dynamic API resolving method by XORing the hardcoded CRC32 values of the function names with another constant value that’s embedded in the binary itself. By employing this method, Qadars makes it a bit harder for scripts to find and annotate the actual Win32 APIs it uses.
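The resolution step quoted above can be reproduced from the analyst’s side: hashing every export name the same way the malware does and XORing with the embedded constant yields a table that maps each hardcoded value back to an API name, which is exactly what an annotation script needs. The Python below is an added example, not IBM X-Force’s or the malware’s code; the export list, the XOR constant and the “hardcoded” values are all constructed stand-ins.

```python
import zlib

# Constructed stand-in for one system DLL's export table. A real annotation
# tool would read the names from the DLL's PE export directory instead.
KERNEL32_EXPORTS = [
    "CreateFileW", "ReadFile", "WriteFile", "VirtualAlloc",
    "LoadLibraryA", "GetProcAddress", "ExitProcess",
]

# The constant the page says is embedded in the binary; this value is made up.
XOR_KEY = 0x5A3C9E17


def crc32_name(name):
    """Standard (zlib/IEEE) CRC32 of the ASCII export name as an unsigned 32-bit value."""
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF


def obfuscate(name, key=XOR_KEY):
    """Form in which the binary stores an API reference: CRC32(name) XOR key."""
    return crc32_name(name) ^ key


def build_lookup(exports, key=XOR_KEY):
    """Precompute obfuscated hash -> export name for a DLL's export table."""
    return {obfuscate(n, key): n for n in exports}


def resolve(hashed_values, exports, key=XOR_KEY):
    """Annotate each hardcoded value with the export it names (None if not in this DLL)."""
    table = build_lookup(exports, key)
    return {h: table.get(h) for h in hashed_values}


def recover_key(known_name, known_hash):
    """If one (name, stored value) pair is already known, the XOR constant follows directly."""
    return crc32_name(known_name) ^ known_hash


if __name__ == "__main__":
    # Constructed "hardcoded" values as they might appear in a sample; one is unknown.
    hardcoded = [obfuscate("CreateFileW"), obfuscate("VirtualAlloc"), 0xDEADBEEF]
    for h, api in resolve(hardcoded, KERNEL32_EXPORTS).items():
        print(f"0x{h:08X} -> {api}")
    print(f"recovered key: 0x{recover_key('ReadFile', obfuscate('ReadFile')):08X}")
```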