DualToy Trojan - new Windows Trojan sideloads risky apps onto both iPhones and Android devices

In addition to behaviors found in traditional Windows PC malware, such as process injection, modifying browser settings and displaying advertisements, DualToy also performs the following activities on Android and iOS devices:

>Downloads and installs Android Debug Bridge (ADB) and iTunes drivers for Windows
>Uses existing pairing/authorization records on the infected PC to interact with Android and/or iOS devices over the USB cable
>Downloads Android apps and installs them on any connected Android device in the background; most of these apps are riskware or adware
>Copies native code to a connected Android device and executes it directly, then runs a further custom payload to obtain root privileges and to download and install more Android apps in the background
>Steals the connected iOS device’s information, including IMEI, IMSI, ICCID, serial number and phone number
>Downloads an iOS app and installs it on connected iOS devices in the background; the app asks for an Apple ID and password and sends them to a server without the user’s knowledge (just like AceDeceiver)

Several years ago, Android and iOS began requiring user interaction to authorize a device to pair with another device, precisely to prevent the kind of sideloading attack DualToy uses. However, DualToy assumes that any physically connected mobile device belongs to the same owner as the infected PC, which means the pairing has likely already been authorized, so it reuses the existing pairing records to interact with the mobile device in the background. Although this attack vector is further limited by additional mechanisms (e.g., ADB having to be enabled, the iOS sandbox), which make the threat less severe, DualToy is another reminder of how attackers can use USB sideloading against mobile devices and how malware can spread between platforms.
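The pairing records DualToy reuses are ordinary files on the PC, so a defender can audit them. The following is an added example (not DualToy’s code and not from the original write-up) that parses the ADB host key and the iTunes lockdown pairing records; the Windows file locations and the `SystemConfiguration` file name are assumptions about a typical install.

```python
"""Audit the USB trust relationships DualToy reuses on an infected PC: the ADB host
key (what an Android device stored when its owner tapped "Allow USB debugging")
and the iTunes lockdown pairing records for iOS devices. Added example; not code
from DualToy or the original write-up."""
import plistlib
from pathlib import Path

# Assumed locations on a typical Windows install (not stated in the write-up).
ADB_KEY_PUB = Path.home() / ".android" / "adbkey.pub"
LOCKDOWN_DIR = Path(r"C:\ProgramData\Apple\Lockdown")   # one <UDID>.plist per paired device


def parse_adb_pubkey(line: str) -> dict:
    """adbkey.pub holds '<base64 RSA key> <user>@<host>'. The same line sits in
    /data/misc/adb/adb_keys on every Android device that authorized this PC, so
    'adb install' from this PC needs no further prompt there."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2 or "@" not in parts[1]:
        raise ValueError("not an adbkey.pub line")
    user, host = parts[1].rsplit("@", 1)
    return {"key_b64": parts[0], "user": user, "host": host}


def parse_pair_record(udid: str, data: bytes) -> dict:
    """A lockdown pair record is a plist. HostID names the pairing PC; an EscrowBag
    lets that PC talk to the device even while the device is locked."""
    rec = plistlib.loads(data)
    return {
        "udid": udid,
        "host_id": rec.get("HostID"),
        "system_buid": rec.get("SystemBUID"),
        "has_host_cert": "HostCertificate" in rec,
        "has_escrow_bag": "EscrowBag" in rec,
    }


def audit_lockdown(lockdown_dir: Path) -> list:
    """Parse every device pairing record in the lockdown folder."""
    records = []
    for p in sorted(lockdown_dir.glob("*.plist")):
        if p.stem == "SystemConfiguration":   # host's own record, not a pairing (assumed name)
            continue
        records.append(parse_pair_record(p.stem, p.read_bytes()))
    return records


# Constructed stand-ins so the parsers can be exercised without a paired device.
SAMPLE_ADB_KEY = "QUFBQUJCQkJDQ0NDRERERA" + "A" * 24 + " alice@DESKTOP-EXAMPLE\n"
SAMPLE_PAIR_RECORD = plistlib.dumps({
    "HostID": "1B2C3D4E-0000-4000-8000-000000000001",
    "SystemBUID": "A1B2C3D4-0000-4000-8000-0000000000AA",
    "HostCertificate": b"constructed-certificate-bytes",
    "EscrowBag": b"\x00" * 16,
})


def main():
    if ADB_KEY_PUB.exists():
        k = parse_adb_pubkey(ADB_KEY_PUB.read_text())
        print(f"ADB host key present: devices that accepted it trust {k['user']}@{k['host']}")
    if LOCKDOWN_DIR.is_dir():
        for r in audit_lockdown(LOCKDOWN_DIR):
            print(f"iOS pairing {r['udid']}: HostID={r['host_id']} escrow_bag={r['has_escrow_bag']}")


if __name__ == "__main__":
    main()
```

Stale pairings are revoked on the devices themselves: Android’s developer options offer “Revoke USB debugging authorizations”, and on iOS “Reset Location & Privacy” clears the list of trusted computers.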

Almost all DualToy samples are capable of infecting Android devices connected to the compromised Windows PC via USB cable. This functionality is usually implemented in a module named NewPhone.dll, DevApi.dll or app.dll, which downloads and sets up an ADB environment. Once this is done, DualToy waits for an Android device to connect via USB. Once one is connected, it fetches a list of URLs from the C2 server, downloads the apps and installs them on the Android device in the background via the “adb.exe install” command.
The apps downloaded and installed by DualToy are all games that use Chinese as the default language, and none of them are available in the official Google Play store.

After successfully connecting to an iOS device, DualToy collects device and system information, encrypts it and sends it to its C2 server. The collected information includes:
Device name, type, version and model number
Device UUID and serial number
Device baseband version, system build version, and firmware version
Device IMEI
SIM card’s IMSI and ICCID
Phone number
In addition to collecting device information, DualToy also tries to download IPA file(s) from the C2 server and install them on the connected iOS device. When launched for the first time, the app asks the user to input his or her Apple ID and password.
DualToy is an example of a cyber threat whose main purpose is to generate money through advertising. It can cause damage, but its target is not the computer user’s files. DualToy mainly targets China, the United States, the UK, Thailand, Spain and Ireland.
We also suggest that users avoid connecting their mobile phones to untrusted devices via USB. The popularity and ubiquity of mobile devices ensure that attackers will continue to refine and develop new mobile malware, which means users and organizations will need to employ protection for desktops, laptops and networks.

HDDCryptor Ransomware - rewrites a computer’s MBR (Master Boot Record)

“You are Hacked ! H.D.D Encrypted, Contact Us For Decryption Key (w889901665@yandex.com) YOURID: 123152”. This message is all that remains for victims of this new ransomware. To get the decryption key, the victim has to contact somebody through the given e-mail address, provide the ID and pay 1 BTC per infected host. Without that, the system does not even start.

While most ransomware we’ve seen only target specific file types or folders stored on local drives, removable media and network shares, we were able to uncover a ransomware family that does not discriminate: HDDCryptor. Detected as Ransom_HDDCRYPTOR.A, HDDCryptor not only targets resources in network shares such as drives, folders, files, printers, and serial ports via Server Message Block (SMB), but also locks the drive. Such a damaging routine makes this particular ransomware a very serious and credible threat not only to home users but also to enterprises.

It reaches computers after users download files from malicious websites. Crooks drop the malicious binary on the computer directly, or through an intermediary payload downloaded at a later stage.

This initial binary is named using a random three-digit number, in the form 123.exe. When executed, this initial binary drops the following files in a folder on the computer’s system root:

dccon.exe (used to encrypt the disk drive)
log_file.txt (log of the malware’s activities)
Mount.exe (scans mapped drives and encrypts files stored on them)
netpass.exe (used to scan for previously accessed network folders)
netuse.txt (used to store information about mapped network drives)
netpass.txt (used to store user passwords)

To gain boot persistence, HDDCryptor creates a new user called “mythbusters” with the password “123456,” and also adds a new service called “DefragmentService” that runs at every boot. This service calls the ransomware’s original binary (the three-digit exe file). The infection process continues with dccon.exe and Mount.exe. Both of these files use DiskCryptor to encrypt the user’s files: dccon.exe encrypts files on the user’s hard drive, while Mount.exe encrypts files on all mapped network drives, even ones that are currently disconnected but remain physically reachable.

After the encryption ends, the ransomware rewrites the MBRs of all hard drive partitions with a custom boot loader. It then reboots the user’s computer without user interaction and shows the ransom message quoted above.

HDDCryptor uses disk and network file-level encryption via DiskCryptor, an open source disk encryption software that supports AES, Twofish and Serpent encryption algorithms, including their combinations, in XTS mode. It also uses DiskCryptor to overwrite the Master Boot Record (MBR) and adds a modified bootloader to display its ransom note, instead of the machine’s normal log-in screen.

With so much ransomware evolving every day, I cannot overemphasize the importance of taking data backups. Take them on external drives, on the same hard disk, on Google Drive or any other remote location; do whatever you can to be able to recover your data in such situations. Max Total Security for Windows PCs provides a very efficient data backup feature.

Overseer App - another security scare for Android users

Google has removed four Android applications from the Play Store after they were found to be infected with a spyware trojan that harvested information about the infected devices and their users. The apps went by the names Embassy, European News and Russian News, plus a fourth Russian-language app whose name used Cyrillic script. Two of these apps showed news items related to Russia, while a third showed news on European topics. The fourth app found to be infected with the spyware could be used to search for embassies around the world.

These apps contained a spyware trojan named Overseer, which communicates with a remote command and control (C&C) server located on Amazon AWS, running a Facebook Parse server. All communications are encrypted via HTTPS, but researchers found traces of the malicious behavior in the app’s source code. The spyware, whenever it receives a specific command from its masters, collects a trove of data about the device and sends it back to the C&C server.

The spyware is capable of stealing “significant amounts” of personal data from users. This data includes: the user’s contacts, including name, phone number, email and times contacted; all user accounts on the compromised device; precise location, including latitude, longitude, network ID and location area code; free internal and external memory; device IMEI, IMSI, MCC, MNC, phone type, network operator, device and Android information; and details of installed packages.



Adwind RAT - a multi-platform remote access trojan for Windows and Mac OS X

Adwind RAT is a multi-platform remote access trojan written in Java that is fully functional on Windows and partially functional on OS X. Because it is written in Java, it is capable of infecting all major operating systems where Java is supported, including Windows, Mac, Linux and Android. Adwind RAT appears to be spreading as part of a spam email campaign.

It’s important to know that Adwind requires Java to be installed. By default, OS X and macOS do not ship with Java, so to execute the file a Mac user would first need to download the JRE from Oracle.com.
Furthermore, over the years Apple has added a number of security features to its Mac platform. macOS and OS X offer built-in protection against files from unidentified developers, and most Mac users are protected by restricting app downloads with a secure Gatekeeper setting:

In System Preferences > Security & Privacy > General, Gatekeeper must be set to “Allow apps downloaded from Mac App Store and identified developers.” (To restrict to apps from the Mac App Store only, set it to “Mac App Store.”)

It’s best to exercise security awareness and caution, and to “not open suspicious email attachments,” in addition to installing an antivirus solution on your Mac.
You can also manually remove the malicious launch file, named org.yrGfjOQJztZ.plist, from your user LaunchAgents folder (~/Library/LaunchAgents).

If infected, Mac users may prefer to manually remove the Java app, named BgHSYtccjkN.ELbrtQ, from the Home folder. To remove the Java app via Finder, choose Go > Go to Folder, enter ~/.UQnxIJkKPii/UQnxIJkKPii and then click Go. If the file exists, you are infected: move BgHSYtccjkN.ELbrtQ to the Trash. (The files are dropped in the Home folder, so the full path looks like /Users/intego/.UQnxIJkKPii/UQnxIJkKPii/BgHSYtccjkN.ELbrtQ.)

To remove the Launch Agent via Finder, choose Go > Go to Folder, enter ~/Library/LaunchAgents and then click Go. Move org.yrGfjOQJztZ.plist to the Trash. (Example path: /Users/intego/Library/LaunchAgents/org.yrGfjOQJztZ.plist.) Your Mac is now clean.

Sophisticated Mac OS X backdoor

Backdoor.OSX.Mokes.a is the most recently discovered OS X variant of a cross-platform backdoor that is able to operate on all major operating systems (Windows, Linux, OS X). This malware family is able to steal various types of data from the victim’s machine (screenshots, audio/video captures, Office documents, keystrokes). The backdoor is also able to execute arbitrary commands on the victim’s computer. Its communications use AES-256-CBC encryption.
It is written in C++ using Qt, a cross-platform application framework, and is statically linked to OpenSSL, which leads to a file size of approximately 14 MB.

When executed for the first time, the malware copies itself to the first available of a list of locations, tried in order; the first of these is:

$HOME/Library/App Store/storeuserd

Corresponding to that location, it creates a plist file to achieve persistence on the system. It then establishes a first connection with its C&C server using HTTP on TCP port 80. The User-Agent string is hardcoded in the binary, and the server replies to this “heartbeat” request with “text/html” content 208 bytes in length. The binary then establishes an encrypted connection on TCP port 443 using the AES-256-CBC algorithm.

Its next task is to set up its backdoor features: capturing audio, monitoring removable storage, capturing the screen (every 30 seconds) and scanning the file system for Office documents (xls, xlsx, doc, docx).
The attacker controlling the C&C server is also able to define custom file filters to extend the file-system monitoring, and to execute arbitrary commands on the system.

Just like on other platforms, the malware creates several temporary files containing the collected data if the C&C server is not available.

$TMPDIR/ss0-DDMMyy-HHmmss-nnn.sst (Screenshots)
$TMPDIR/aa0-DDMMyy-HHmmss-nnn.aat (Audiocaptures)
$TMPDIR/kk0-DDMMyy-HHmmss-nnn.kkt (Keylogs)
$TMPDIR/dd0-DDMMyy-HHmmss-nnn.ddt (Arbitrary Data)
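The Adwind and Mokes write-ups above both come down to a handful of known paths and a file-name pattern, so a single check covers both. This is an added example, not code from either vendor: the paths are taken from the write-ups, while the scanning logic and function names are mine.

```python
"""Look for the on-disk artifacts the two Mac write-ups above name: Adwind's
dropped Java app and launch agent, and Mokes' persistence binary plus the staging
files it writes when the C&C is unreachable. Added example; not code from either
vendor. Paths come from the write-ups; scanning logic and function names are mine."""
import os
import re
from datetime import datetime
from pathlib import Path

ADWIND_ARTIFACTS = (
    ".UQnxIJkKPii/UQnxIJkKPii/BgHSYtccjkN.ELbrtQ",   # Java app dropped under $HOME
    "Library/LaunchAgents/org.yrGfjOQJztZ.plist",   # launch agent that starts it
)
MOKES_PERSISTENCE = "Library/App Store/storeuserd"    # first copy location from the write-up

# $TMPDIR/<ss|aa|kk|dd>0-DDMMyy-HHmmss-nnn.<sst|aat|kkt|ddt>
MOKES_TMP = re.compile(r"^(ss|aa|kk|dd)0-(\d{6})-(\d{6})-(\d{3})\.(sst|aat|kkt|ddt)$")
MOKES_KINDS = {
    "ss": ("sst", "screenshot"),
    "aa": ("aat", "audio capture"),
    "kk": ("kkt", "keylog"),
    "dd": ("ddt", "arbitrary data"),
}


def classify_mokes_tmp(name: str):
    """Return the kind of data a Mokes staging file holds, or None if the name does
    not fit: prefix and extension must agree and the timestamp must be a real
    date/time, which keeps look-alike names from being flagged."""
    m = MOKES_TMP.match(name)
    if not m:
        return None
    prefix, date, time, _seq, ext = m.groups()
    if MOKES_KINDS[prefix][0] != ext:
        return None
    try:
        datetime.strptime(date + time, "%d%m%y%H%M%S")
    except ValueError:
        return None
    return MOKES_KINDS[prefix][1]


def scan_mac(home: str, tmpdir: str) -> dict:
    """Check a home directory and a temp directory; returns what was found per family."""
    home_p, tmp_p = Path(home), Path(tmpdir)
    found = {"adwind": [], "mokes": []}
    for rel in ADWIND_ARTIFACTS:
        if (home_p / rel).exists():
            found["adwind"].append(str(home_p / rel))
    if (home_p / MOKES_PERSISTENCE).exists():
        found["mokes"].append(str(home_p / MOKES_PERSISTENCE))
    if tmp_p.is_dir():
        for entry in sorted(os.listdir(tmp_p)):
            kind = classify_mokes_tmp(entry)
            if kind:
                found["mokes"].append(f"{tmp_p / entry} ({kind})")
    return found


if __name__ == "__main__":
    hits = scan_mac(os.path.expanduser("~"), os.environ.get("TMPDIR", "/tmp"))
    for family, paths in hits.items():
        print(family, "-", "clean" if not paths else "; ".join(paths))
```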

Fraudulent phone calls - CallJam Android malware

Keeping Android smartphones and tablets safe from malicious apps is a constant battle for enterprises, end users and Google. CallJam racks up profit for the attackers by having your device call premium numbers. The only app through which Android users got infected with CallJam is the game “Gems Chest for Clash Royale”, which was uploaded to Google Play in May.

CallJam shows ads inside the browser, not inside the app. Before being taken down, the app had between 100,000 and 500,000 downloads and a rating of 4.0. At the technical level, CallJam is trickier than other adware variants because it does not intrude on the user’s gaming experience by overlaying ads; instead it opens a browser and shows the ads there.

The app’s more damaging feature is its ability to place premium calls. Fortunately, the app needs to request permissions for this behavior, but we all know how some users simply click through every permissions popup and install whatever is presented to them.
As a result, CallJam has managed to infect quite a large number of users, placing calls on their behalf, earning revenue for the crook and creating unwanted costs for victims. CallJam also redirects victims to malicious websites that generate fraudulent revenue for the attacker.

Because it deceives users as part of its activity, the game has been able to achieve a relatively high rating: users are asked to rate the game before it starts, under the false pretense that they will receive additional game currency. This is another reminder that attackers can develop high-reputation apps and distribute them on official app stores, putting devices and sensitive data at risk.

.flyper extension virus

Flyper is another ransomware-type virus that encrypts your files and then demands a ransom to get them back. This ransomware renames files as it encrypts them by adding the .flyper extension. After successful encryption, Flyper creates a file named instruction.txt on your desktop containing the information you need to pay the ransom.
Unfortunately, Flyper encrypts a huge variety of file formats: pictures and music, MS Office documents, presentations, videos, etc. This infection encrypts practically all the important data you have. Needless to say, by doing so Flyper might cause you irreversible harm. Once encryption is complete, your files are renamed and you can no longer view or use them.
Moreover, other high-level threats such as spyware or rootkits may be downloaded onto your PC to cause you more trouble. Even if you pay the ransom to the hacker behind the .flyper extension virus, you have little chance of getting your files back, because these scammers are not trustworthy; they are cyber criminals making a living by scamming people. Do not pay them a single penny.
Screenshot of an image that is set as the desktop wallpaper by Flyper ransomware:
The most common infection method involves spam messages. Keep in mind that hackers sometimes send malware straight to your inbox, and a single click on a seemingly harmless message is all the virus needs. To prevent installation, constantly watch out for malware: this nuisance often pretends to be legitimate mail, so make no mistake and delete what you don’t trust.
As soon as the malicious Flyper file has been activated, it may briefly freeze your computer, and open windows may enter the “Not Responding” state.
To Remove this Virus:
STEP 1: Stop the malicious process using Windows Task Manager
Open Task Manager by pressing the CTRL+SHIFT+ESC keys simultaneously
Locate the process of the ransomware. Keep in mind that it usually has a randomly generated file name.
Before you kill the process, note the name in a text document for later reference.
Locate any suspicious processes associated with the Flyper encryption virus.
Right-click on the process
Open File Location
End Process
Delete the directories containing the suspicious files.
STEP 2: Reveal Hidden Files
Open any folder
Click on “Organize” button
Choose “Folder and Search Options”
Select the “View” tab
Select “Show hidden files and folders” option
Uncheck “Hide protected operating system files”
Click “Apply” and “OK” button
STEP 3: Locate the Flyper encryption virus startup location
Depending on your OS (x86 or x64), navigate to:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
and delete the entry with the random display name: [RANDOM]
Navigate to your %appdata% folder and delete any executable files that look suspicious.

To recover your data, either restore Windows to the last known good configuration, or delete all the files with the .flyper extension and restore your data with the Data Backup and Restore software.

DressCode Android malware found in over 40 Google Play Store apps and 400 apps on third-party app stores


The malware is also infecting devices through 400 more apps in third-party app stores around the internet. DressCode turns infected devices into proxy servers, thereby creating a botnet. Botnets are created by hackers to surreptitiously gain control over a large number of devices, and can be used for a variety of purposes, including distributing phishing links, malware and ransomware. A botnet’s capabilities generally depend on its size, so larger botnets come with more extensive capabilities. Researchers speculated that the proxied IP addresses were likely used by the hackers behind the malware to cloak ad clicks and generate false traffic, which in turn reaps profits for the hackers.

Once installed on the device, DressCode initiates communication with its command and control server. Currently, after the initial connection is established, the C&C server orders the malware to ‘sleep,’ keeping it dormant until there is a use for the infected device. When the attacker wants to activate the malware, it can turn the device into a SOCKS proxy, rerouting traffic through it.

Clearly, DressCode poses a serious threat to users. Aside from stealing users’ information, some variants have also been able to display advertisements and download unwanted applications. As a rule of thumb, users should be extremely wary of installing apps from anywhere other than the official Google Play store. Max Total Security for Android.

Central Security Treatment Organization Ransomware

A new ransomware that pretends to be from a fake organization called the Central Security Treatment Organization has been discovered. It is usually distributed via malicious email attachments whose content uses social engineering to trick unsuspecting victims into downloading a file under the guise that it is something it is not. It encrypts the files on your computer, renames them and appends .cry to each file it encrypts. The Central Security Treatment Organization virus additionally leaves note files named !Recovery_[randomized characters].html in every folder in which it encrypts files. These note files contain a ransom note that explains what happened to the files and how to pay a ransom to acquire a key to decode the compromised files. Central Security Treatment Organization ransomware is named after the fake organization, website and logo associated with the payment website.


This ransomware sends information about the victim to the Command & Control server using UDP. Furthermore, it also uses public sites such as Imgur.com and Pastee.org to host information about each of the victims. Last, but not least, it queries the Google Maps API to determine the victim’s location using nearby wireless SSIDs.

When this ransomware infects a computer, it makes a backup of certain shortcuts on the victim’s Windows desktop and saves them in a folder on the desktop called old_shortcuts. The purpose of this folder is currently unknown. The ransomware then encrypts the victim’s files and appends the .cry extension to the encrypted files. The victim’s desktop wallpaper is also changed to a ransom note; this ransom note is the only one that contains the CryLocker name.

Files associated with the CryLocker Ransomware:

Registry Entries associated with the CryLocker Ransomware:

SHA256: 33f66a95e01e2650ea47405031d4ced2ad25db971e65a92319296ccef62b7964

Network Communication:
UDP Traffic to 4095 addresses. List can be found here: http://pastebin.com/2pivX5Pg

We do not recommend paying any ransom. Scan your PC with a good antivirus or total security program such as Max Total Security to remove the ransomware, and restore your files from the backup made by the Data Backup and Restore module included in the Max Total Security product.

CryptFuck Ransomware loves Mr. Robot TV series

It seems that the creativity of cyber criminals is simply endless. However, the CryptFuck virus proves that they definitely know how to make nasty jokes, too. This malicious crypto-ransomware appears to be an improved version of the FSociety virus, since both seem to be created by someone who loves the Mr. Robot TV series. The virus encrypts all files that it finds on the computer system and on plugged-in drives, and appends the .URfucked file extension to them. It then creates and saves the README_CRYPTFUCK.txt file, which is the ransom note. The ransom note includes the following information:

“You have been attacked by the CryptFuck RansomWare v [version]

[Identification keys here]
If you lose your identifier, any chance of getting back your data is flushed in the toilet!!
Keep in mind that you have 72 hours to perform the payment, after that, your encrypted password would be deleted permanently!
If your browser does not open any webpage, visit this page to learn how to get back your files:
[website link]
Mr.R0b0t ”

As you can see, the ransomware author asks the victim to visit the payment site for details on how to decrypt the data. The virus demands payment within 72 hours; otherwise the “encrypted password” will be deleted for good. This offensively-named ransomware variant is just another virus that seeks to swindle money from computer users who have no data backups and have not taken precautions to protect their computers from ransomware attacks. We encourage users not to pay the ransom and to remove the CryptFuck malware instead.

Just like any other ransomware-type virus, it is distributed via malicious email campaigns and malvertising. You can install this malware by clicking on a malware-laden email attachment or a bogus advertisement online; to keep your computer protected, stay away from such content. Crooks put effort into crafting professional-looking email messages that invite users to see what is attached or to open links included in the message. If the victim lets his or her curiosity win, such malware can quickly activate itself once it gets into the computer system and corrupt the victim’s data for good.

Type regedit to open the Registry Editor and remove the following registry entries generated by the CryptFuck virus:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main “Default_Page_URL”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\[virus name]
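The Flyper steps above (Run keys launching from %appdata%) and the CryptFuck keys just listed (an Image File Execution Options entry for msseces.exe) are both easy to check from an exported copy of the registry. The following is an added example, not taken from either write-up: it parses a .reg export and flags those two patterns; the sample export is constructed and the heuristics are mine.

```python
"""Audit a .reg export (File > Export in regedit, or 'reg export') for the two
locations the Flyper and CryptFuck cleanup steps above point at: Run entries that
launch from %appdata% or a Temp folder, and Image File Execution Options keys that
carry a Debugger value. Added example; not from either write-up. The sample export
is constructed and the heuristics are mine."""
import re

REG_KEY_LINE = re.compile(r"^\[(HK[A-Z_]+\\.*)\]$")
REG_SZ_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

RUN_SUFFIX = "\\microsoft\\windows\\currentversion\\run"
IFEO_MARK = "\\currentversion\\image file execution options\\"
USER_WRITABLE = ("\\appdata\\roaming\\", "%appdata%", "\\temp\\")


def _unescape(s: str) -> str:
    # Undo .reg escaping: a doubled backslash is one backslash, \" is a quote.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: value}} for the REG_SZ values in the export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = REG_KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = REG_SZ_LINE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def audit_reg_export(text: str) -> list:
    """Return (key, value_name, reason) triples worth a closer look."""
    findings = []
    for key, values in parse_reg_export(text).items():
        low = key.lower()
        if low.endswith(RUN_SUFFIX):
            for name, cmd in values.items():
                if any(p in cmd.lower() for p in USER_WRITABLE):
                    findings.append((key, name, "Run entry launches from a user-writable folder: " + cmd))
        elif IFEO_MARK in low and "Debugger" in values:
            exe = key.rsplit("\\", 1)[1]
            findings.append((key, "Debugger", f"IFEO redirects {exe} to: {values['Debugger']}"))
    return findings


# Constructed sample: one benign Run entry, one random-named entry in %appdata%
# (the Flyper pattern) and an IFEO hijack of msseces.exe (the CryptFuck key).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"hsgdk"="C:\\Users\\user\\AppData\\Roaming\\hsgdk.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe]
"Debugger"="C:\\Windows\\Temp\\svchost.exe"
'''

if __name__ == "__main__":
    import sys
    # regedit writes exports as UTF-16 with a BOM; fall back to the sample when no file is given.
    data = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for key, name, reason in audit_reg_export(data):
        print(f"{key}\n  {name}: {reason}")
```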

Also check the Run locations for any suspicious executable.

Restore Windows to the last known good configuration if nothing else works.

You can also scan with a good antivirus or total security program such as Max Total Security to remove the ransomware, and restore your files from the backup made by the Data Backup and Restore module included in the Max Total Security product.
We also highly recommend staying away from websites that keep showing advertisements urging you to install some kind of software or to update supposedly outdated Java or Adobe software. Judging from our experience, modified versions of such reputable software often include malicious attachments, trojans, ransomware executable files and so on. It is a good idea to create data backups and move them to removable storage devices so that you can use them in case ransomware attacks your computer.