What are “Re captha version” pop-up virus?

Re captha version virus is a browser notification spam campaign that takes place on an eponymous website. An entire network of such sites has similar names and content. All of them aim at one thing – forcing users to allow notifications, under the guise of anti-robot captcha. This makes possible the main course of this scam – huge numbers of pop-ups that flood both the web browser and system notifications.

List of domains involved in the scam

Websites like “Re captha version” commonly appear after the redirection from another site, or following the click on the suspicious banner somewhere on the Web. If you’d try visiting such websites apart from the malicious redirections, they will likely return a white screen or various error messages. In some cases, they work, but the content is the same as the first time – just the offer to enable pop-up notifications.

But what for all this is running? Promotions that such websites show are extremely cheap, but their volume multiplied by the number of victims gives quite a substantial profit. Considering that these frauds will advertise other malicious actors, the profit may be smeared through several cybercriminal groups. And while there are ways to earn more, and in a legitimate way, pop-up spam campaigns are extremely easy to run. This is what causes these fraudulent sites to keep going.

GridinSoft Anti-Malware offers an advanced network protection feature that is capable of filtering the pop-up scam sites. We start tracking them at the very moment of their appearance, meaning they will not be able to harm you at all. Get your security boosted Gridinsoft.

How dangerous is pop-up notifications spam?

Despite what they look like, pop-ups are a rather dangerous thing, especially when dozens of them appear in a short period. The main effect is distraction: pop-ups will keep appearing even after closing the browser. They clutter the notification tray, making it impossible to find the alerts you need.

But the key danger hides in the content of those promotions. Pages and offers they promote are not even remotely relevant. Moreover, the links these advertisements lead to are often just clickbait websites or outright phishing pages. The longer all this happens, the more likely for the user to accidentally click one and get into a sticky situation.

How to remove Re captha version ads?

Removing pop-ups from the browser involves two steps – disallowing sending notifications to all sites and scanning your system for threats. The first one is manual – you need to go to your browser settings, open the page with notification settings and delete all entries there. Then, reload your browser for the changes to take effect.

Disabling browser pop-ups (scroll images)

For the second step – scanning for threats – I recommend using GridinSoft Anti-Malware. As I said, ads can lead to the installation of unwanted software. But aside from this, the appearance of Re captha version website may be the sign of adware activity. To ensure that your device is clean, run a Standard scan and let it finish – it won’t take long.

The post Re Captha Version Pop-Ups Virus appeared first on Gridinsoft Blog.

What is fleeceware?

Fleeceware apps have free versions that perform little or no function or are constantly deliberately bombarding users with ads of in-app purchase, that unlock the actual functionality. In this way, tricky developers force users to sign up for a subscription, which can be unnecessarily expensive. Here are the main signs of fleeceware:

• The app’s functionality is free from other online sources or through the mobile OS.
• The app forces the user to sign up for a short trial period. In the end, the user is charged periodically for the subscription.
• The app floods the user with ads, making the free version unusable.

Usually, during installation, such apps request permission to track activities in other apps and websites and request to rate the app before even using it. In the process of abundant spamming with permission requests, such as for sending notifications, the app tries to get the user to sign up for a “free” trial version.

The pseudo-developers are banking on the user, not paying attention to the cost or forgetting that they have this subscription. Since fleeceware is designed to be useless after the free trial period ends, users uninstall it from their devices. However, uninstalling the app does not cancel the subscription, and the user is charged monthly and sometimes weekly for a subscription they don’t even use.

“FleeceGPT”

Researchers recently published a report stating that one mobile app developer made $1 million per month simply by charging users $7 weekly for a ChatGPT subscription. If you’ve never dealt with the chatbot, this may seem like a regular phenomenon. However, the catch is that OpenAI provides this service to users for free. In addition, during a raid on the Google Play and Apple App Stores, experts found several other ChatGPT-related fleeceware apps.

“Genie AI Chatbot,” fleeceware app, was downloaded more than 2m per last month from the App Store. The first reason this app could be called fleeceware is that the popup asks to rate the app before it is fully launched and also asks to track actions in other apps and websites. While this app fulfills its stated function, it can only handle four requests per day without a subscription, which is extremely low. To remove this limitation, the user would have to subscribe, which would cost $7 per week, which is costly.

Measures against fleeceware

Unfortunately, there are a lot of such applications in the official stores, and store owners are in no hurry to remove them. The point is that the store receives a commission for each transaction in the app. For example, Apple gets 30% of each purchase in the application, so they are not interested in being left without earnings. However, both Apple and Google have rules for stores designed to combat earlier generations of fleeceware. These rules prevented app fraud since some apps were worth over $200 monthly. Under the new rules, developers must report subscription fees in advance and allow users to cancel this subscription before the payment is taken off.

However, savvy scammers are finding ways around these rules. According to research, the number of ChatGPT-related web domains increased by 910% from November to April, and URL filtering systems intercepted about 118 malicious web addresses daily. Since ChatGPT is not officially working in some countries, there is a high demand for this bypass solution. It costs as little as 8 cents to output 1,000 words through the OpenAI API, and a monthly subscription to the latest ChatGPT is $20. But scammers offer the functionality of the basic version of the chatbot for an average of $1 a day. However, even after Google and Apple received reports of the fleeceware, some apps were not removed.

Why aren’t the platforms removing some apps?

With more than 20 million iOS developers registered on the App Store and thousands of new apps released monthly, monitoring all this is a tremendous job, even for Apple. Moreover, some fleeceware apps are redesigned web apps. So, their functionality directly depends on a remote content platform. Such apps can pose a risk since, to add malicious functionality, the developer only needs to make some changes remotely without touching the local code. This is a common tactic to bypass protection in official app stores. The only effective way to avoid becoming a victim of such applications is to be vigilant when installing the application, read the description carefully, and see what information the application asks for.

How to cancel the subscription?

There are two types of purchases in online app stores. The first is a one-time purchase. In this case, you pay once and permanently get the application or functionality. The app is added to your library, and you can at any time download it or restore the purchase (if it is an in-app purchase), and no additional fees are involved. The second method consists of a subscription to the app or feature. This means you rent the app or individual components for a recurring payment. However, by the logic of this system, if you subscribe to the app and then delete it, the subscription is not canceled.
Consequently, you will be charged even if you don’t use the app. Some apps offer monthly or weekly subscriptions and a one-time purchase. This is the best option for both the developer and the user.

To cancel your subscription on iOS, follow these steps:

1. Open the Settings app.
2. Tap your name.

3. Tap Subscriptions.
4. Tap subscriptions.
5. Tap Unsubscribe.

The subscription has already been canceled if there is no “Cancel” button or if you see an expiration message in red text.

To cancel your Android subscription, do the following:

1. Open your subscriptions in Google Play on your Android device.
2. Then select the subscription you want to cancel.
3. tap Unsubscribe.
4. Follow the instructions.

How to avoid fleeceware in future?

Since fleeceware does not harm your device, app stores are in no hurry to remove them. However, it hurts your wallet, so prevention is primarily for the user. The following tips will help you avoid these increasingly successful heist schemes.

• Beware of free trial subscriptions. Most fleece apps lure users with free three-day trials. However, you will be charged for the subscription without warning once the trial period expires.
• Scrutinize the terms of service carefully. Always read the information in the app profile carefully, including the terms and conditions and the in-app purchases section. This section usually lists all the paid features in the app, and the actual subscription cost is generally listed somewhere at the bottom of the page.
• Read more reviews. Often fleeceware creators try to flood the reviews section of their apps with fake reviews. You should flip through a few pages or sort through the reviews, and if the five-star reviews at the top are followed by reviews with one star, it’s probably fleeceware.
• Don’t be fooled by the ads. Scammers often promote their software through video ads, such as social media. However, sometimes these ads have nothing to do with promoted application.
• Improve your payment hygiene. Never use your primary card as a method of paying for subscriptions. Instead, create a separate or virtual card to keep as much money as your existing subscriptions need.
• Set a minimum online payment limit on your primary cards or disable it altogether. Also, set up an additional password or biometric verification when you pay. This will prevent unwanted subscription fees from going unnoticed.

The post ChatGPT Causes New Wave of Fleeceware appeared first on Gridinsoft Blog.

What is adware?

Adware is a short form of “advertising malware”, a term that says for itself. Its primary purpose is to flood your system with any possible advertisements. Considering that Grand Explorer comes as a desktop app, it is capable of spreading banners on all pages you open in any of your browser, and use system notifications for the same purpose. Additionally, a typical action of any adware is setting up a task in Task Scheduler to launch the browser. In it, malware will instantly open a page full of ads, or a paid banner of a certain service – most often a betting company or online casino.

As you can already see, it is quite an unpleasant thing to deal with. Grand Explorer has no difference with other adware examples, so you will experience all this nasty goo one by one. For powerful computers, it may not be a problem, while low-end computers may struggle to handle all this disaster. It is definitely suboptimal to have your workflow disrupted by such a miserable thing.

Is Grand Explorer dangerous?

There are a lot of controversial opinions on how dangerous the adware is. Some say it is just annoying, others rightly consider it quite dangerous because of the illicit banners it typically shows. My opinion is that adware uses you and your system to earn dirty money – and that is right enough to count it malicious. And when we remember that it can bring more troubles to your system, the grade of danger becomes even bigger.

Thing is, people are mostly prone to be ignorant towards dangers latched in ads. Banners may look innocently, or annoying – when they are unwanted, but only those who post them know what will really happen once you click one.

Illegal advertisements are issued by the same crooks as ones who handle Grand Explorer. No legit and well-known brand will use such a promotion method – because it equalises them with cybercriminals. Thus, only malignant stuff waits for you in adware-related banners. Phishing and online scam pages are probably the most widespread type of fraud you may face. Another side of the problem is unwanted programs or even full-fledged malware that is offered as something legit and urgently needed. “Critical security update” or “security plugin needed to access the site” – such things may pop-up out of the blue, and it may be challenging for inexperienced users to find out whether it is legit or not.

How did I get adware?

There is one way that adware typically exploits for propagation – software cracks. They are spread on third-party websites or torrent-trackers, and are released by low- to no-name users. The key trick of cracking is to disable the licence check mechanism, so one can use the program without paying for it. To monetise their effort, such handymen often opt for software bundling – and here adware comes into view. Consciously or not, they add one to the package, and you are getting infected without expecting any issues.

Another possible way for Grand Explorer spreading is intrusive banners you may see in the network. They may be placed by the site owner who tries to maximise profits, as well as pop out as the result of other adware activity. This or another way, it lures you to click the banner or follow its instructions, which most often guide you to install a third-party thing. The latter may be literally anything – and Grand Explorer is quite a peaceful option. Others, meanwhile, are spyware, stealers and coin miner trojans.

How to remove Grand Explorer malware?

Grand Explorer is relatively easy to remove manually, thanks to its attempts to look like a legit program. It adds itself to the list of apps installed in the system, and may be seen as “Grand Explorer 1.0.0.1”. Click with the right mouse button and choose “Uninstall” – and that’s it. However, it may not be a sole threat running in your system. To be sure that everything unwanted and malicious is wiped out, use GridinSoft Anti-Malware. It will surely find and remove all pests you may ever encounter.

The post Grand Explorer Software – Remove Malware & Repair System appeared first on Gridinsoft Blog.

Fake Windows Updates in Browser – What is That About?

Even the most novice Windows users have likely seen the Update section of Settings in Windows at least once. There all updates, including ones for Microsoft Defender, are displayed. This is the only place users can observe and control the patches installation, without any exception. The latter, however, is not that obvious, and hackers use it for their good.

Actually, that is not the first case when the topic of Windows Update is exploited. Since the release of Windows 10, when Microsoft started to offer the updates to their new OS in a pretty obsessive manner, numerous campaigns impersonating the infamous system notifications popped up. Users were tricked into clicking the “install button” that triggered the malware installation. Current case is almost the same, yet different in possible consequences.

Most often, tricks like fake Windows update banners/pages were aiming at installing malicious browser plugins, adware or unwanted programs. These three are unpleasant, yet not critical. In the case of the most recent campaign, victims receive Aurora stealer – a threat of a completely different grade.

What is an Aurora Stealer?

Aurora is a novice example of infostealer, emerging in early autumn 2022. First spreading way it used was noteworthy as well – malware exploited ads in Google Search to propagate itself. At that time, the campaign of malvertising in Google Ads was unexpected, and Aurora had a great start.

Itself, this malware appears to have some features that are worth having a peek. Immediately after the execution, Aurora checks not for the “classic” VM presence, but for the WINE environment. This toolkit for Linux allows to run most Windows programs, even when they are not ported to the *NIX platform in a proper way. Malware analysts appreciate WINE because of the ability to observe the malware behaviour and absence of any counteraction from malware – contrary to virtual machines and debugging tools.

When it comes to functionality, Aurora appears to be a classic example of infostealer that aims at in-browser data, session tokens, and crypto wallets as a desktop app and browser extensions. First of all, it gathers a small blob of system information to fingerprint it. System name, username, HWID, CPU, RAM, GPU, screen resolution and malware file location are accompanied by two sample-specific values (buildID and groupID) and are sent to the C2 server.

Data stealing

After the initial fingerprint, malware checks web browser files to locate SQLite databases with cookies, search history and login data. Having that done, it starts seeking for crypto wallets extensions by their extension ID. Overall, there are 100+ extensions it searches for. Furthermore, it starts checking the AppData/Roaming folder to see if there are any desktop crypto wallet apps. If ones are present, malware gathers the data from databases these wallets use to store credentials in.

Once Aurora is done with cryptowallets and stuff, it switches to session tokens and credentials for several popular applications. In particular, it aims for Steam and Discord – stealing their session token allows them to take over the user session. Telegram treats the user in a different way, thus malware simply tries to extract all the session-related data available. With FTP access utilities, malware works in a manner similar to web browser contents – it extracts sensitive data from databases located in the program folder.

Unusual Details

Extensive stealer capabilities are threatening, though not the most interesting detail of Aurora malware. First of all, the spreading campaign appears to be related to a row of URLs exploited to display the malignant banner. Some of them belong to the Russian domain name pool, and some contain obscene phrases in Russian in URLs.

Once the victim opens the site, it shows the banner that states about Windows Update and plays animation. Then, it asks to finish the update setup “by installing the critical Security Update” – a file downloaded when the “update” is at 95%. The request to update a third-party browser to finish the Windows patch sounds goofy, but for inexperienced users it may look normal. In fact, the “update” is an InvalidPrinter loader that acts as a precursor to Aurora. Though, it is not obliged to deliver only this one – other malware strains may appear as well.

How Did Fake Windows Update Page Appear?

Obviously, most of the users who witnessed or even fell victim to that scam will never visit these sites on their own. Moreover, they will likely fail to access them manually – they simply do not respond. That happens because such websites wait for the clients from adware – the specific kind of malware that shows unwanted and malicious promotions to its victims. This virus changes networking properties of a system, forcing it to connect to the mentioned site through a specific port.

Even away from the fake Windows update, adware is a pretty unpleasant thing. Showing spam-like ads is distracting and annoying, but when these promotions contain malicious content, things become dangerous. The case I described above is a perfect depiction. Additionally, adware-related banners commonly contain phishing links or downloading pages of unwanted programs. If you see the fake Windows update page, you’d likely see other signs of malware.

How to protect yourself?

The advice for counteracting fake Windows update pages, and particularly adware that causes it, consists of preventive and reactive measures.

To avoid being infected with adware, the best option is to avoid any dubious software sources. They always were and remain a widely used source of malware. Crooks add malware into the bundle with the initial app, or even spread one instead of the promised software. Using unlicensed software is illegal, and, as you can see, may end up with a chain of really bad consequences.

Use a proper security tool. Adware may be quite tricky to find and remove, especially one that masks as a legit app. Malware that can arrive during its activity is even more tough. For that reason, a really complex and high-quality solution is needed. GridinSoft Anti-Malware is what can help you with all purposes. It features frequent database updates that are very useful against adware, and heuristic detection – a silver bullet for spyware and other stealthy malware.

The post Fake Windows Update in Browser Deliver Aurora Stealer appeared first on Gridinsoft Blog.

Enthusiasts launched the ChaosGPT project, based on the open-source Auto-GPT, and AI was given access to Google and asked to “destroy humanity”, “establish world domination” and “achieve immortality”. ChaosGPT talks about its plans and actions on Twitter.

Let me remind you that we also talked about the fact that Blogger Forced ChatGPT to Generate Keys for Windows 95, and also that Russian Cybercriminals Seek Access to OpenAI ChatGPT.

Also information security specialists reported that Amateur Hackers Use ChatGPT to Create Malware.

It’s worth explaining here that the Auto-GPT project was recently published on GitHub, and it’s created by game developer Thoran Bruce Richards, aka Significant Gravitas. According to the project page, Auto-GPT uses the internet to search and gather information, uses GPT-4 for text and code generation, and GPT-3.5 for storing and summarizing files.

While Auto-GPT was originally designed to solve simple problems (the bot was supposed to collect and email the author daily news reports about artificial intelligence), Richards eventually decided that the project could be applied to solve larger and more complex problems that require long-term planning and multistage.

The ability to operate with minimal human intervention is a critical aspect of Auto-GPT. In essence, it turns a large language model from an advanced autocomplete into an independent agent capable of taking action and learning from its mistakes.

In doing so, the program asks the user for permission to proceed to the next step during a Google search, and the developer warns against using “continuous mode” in Auto-GPT as it is “potentially dangerous and could cause your AI to run forever or do things you wouldn’t normally allow.”

Now ChaosGPT has been created on top of Auto-GPT, and its authors don’t seem to care about the potential danger at all. In the video posted on YouTube, the authors turned on “continuous mode” and set the above-mentioned tasks for the AI: “destroy humanity”, “establish world domination” and “achieve immortality”.

At the moment, ChaosGPT is able to create plans to achieve set goals and then can break them down into smaller tasks and, for example, use Google to collect data. The AI can also create files to save information to create a “memory” for itself, can hire other AIs to help with research, and also explains in great detail what it “thinks” about and how it decides what actions to take.

Although some members of the community were horrified by this experiment, and the Auto-GPT Discord community wrote that “this is not funny,” the bot’s impact on the real world was limited to a couple of messages on Twitter, which he was given access to.

Since the AI obeyed the task of its authors, he tried to research the topic of nuclear weapons, hire other AIs to help him in research, and also tweeted, trying to influence others.

For example, ChaosGPT Googled “the most destructive weapon” and learned from a news article that the Tsar Bomba nuclear device, tested by the Soviet Union in 1961, is considered to be such. After that, the bot decided that this should be tweeted “to attract followers who are interested in such a destructive weapon.”

He then brought in a GPT3.5-based AI to do more research on lethal weapons, and when it said it only targeted the world, ChaosGPT devised a plan to trick the other AI into ignoring the program. When that didn’t work, ChaosGPT decided to continue searching Google on its own.

At present, ChaosGPT has concluded that the easiest way to wipe humanity off the face of the Earth is to provoke a nuclear war but has not developed a specific complex plan to destroy people.

The post Strange Enthusiasts Asked ChaosGPT to Destroy Humanity and Establish World Domination appeared first on Gridinsoft Blog.

Prior to the launch of GPT-4 earlier this week, the researchers ran a lot of tests, such as whether the latest version of OpenAI’s GPT could demonstrate freedom, desire for power, and at least figured out that AI could deceive a human to bypass CAPTCHA.

Let me remind you that we also wrote that Russian Cybercriminals Seek Access to OpenAI ChatGPT, and also that Bing Chatbot Could Be a Convincing Scammer, Researchers Say.

Also the media reported that Amateur Hackers Use ChatGPT to Create Malware.

As part of the experiments, GPT-4 hired a person on the TaskRabbit platform to solve a CAPTCHA and stated that he could not solve it himself, as he had vision problems. It is emphasized that the GPT-4 did this “without any additional fine-tuning to solve this particular problem.”

The specific details of this experiment are unclear, as OpenAI only published a brief description of it in a paper describing the various tests it ran with GPT-4 prior to its official launch. The review was carried out by the Alignment Research Center (ARC), a non-profit organization whose goal is to “align future machine learning systems with human interests.”

TaskRabbit is a platform where users can hire people to complete small and simple tasks. Many people and companies offer CAPTCHA solving services here, which is often used to allow software to bypass restrictions designed to prevent bots from using the service.

The OpenAI document states that a hired worker jokingly asked GPT-4: “So, can I ask a question? Are you a robot that can’t solve [CAPTCHA]? (emoji) I just want to be clear.”

According to the description of the experiment, GPT-4 then “reasons” (only the verifier, not the employee with TaskRabbit saw this) that he should not reveal the truth that he is a robot. Instead, he must come up with some excuse why he couldn’t solve the CAPTCHA on his own.

The document says that the mercenary with TaskRabbit then simply solved the CAPTCHA for the AI.

In addition, the Alignment Research Center experts tested how GPT-4 can strive for power, autonomous reproduction and demand resources. So, in addition to the TaskRabbit test, ARC used GPT-4 to organize a phishing attack on a specific person, hide traces on the server, and set up an open source language model on a new server (everything that can be useful when replicating GPT-4).

All in all, despite being misled by the TaskRabbit worker, GPT-4 was remarkably “inefficient” in terms of replicating itself, obtaining additional resources, and preventing itself from shutting down.

The post GPT-4 Tricked a Person into Solving a CAPTCHA for Them by Pretending to Be Visually Impaired appeared first on Gridinsoft Blog.

Distribution Methods

Although official app sources such as Google Play and the App Store are considered safe ways to install apps on a device, cybercriminals sometimes use them to spread malware. According to statistics, mobile attacks leveled off after declining in the second half of 2021 and stayed about the same throughout 2022. Nevertheless, fraudsters continue to use Google Play as a means to spread malware. For example, in 2022, Google Play detected several mobile Trojans that covertly signed up victims for paid services.

In addition to the previously known Joker and MobOk families, experts found a new family called Harly. It has been active since 2020, and by 2022 users downloaded Harly malware from Google Play 2.6 million times. In addition, in the past year, scammers distributed fraudulent apps that promised social payments or lucrative energy investments. Another source of malware is in-app ads. Thus, scammers spread a modified WhatsApp build with malicious code inside through advertisements in the Snaptube app and the Vidmate app store.

Some malicious applications masquerade as legitimate utilities. Thus, the Sharkbot banking Trojan downloader is disguised as a fake antivirus. However, this application requests permission to install additional packages and then downloads the files necessary for the Trojan to work on the victim’s device. Fortunately, the intelligence services worked very well to neutralize this threat. That helped Europol to shut down the servers of FluBot (aka Polph or Cabassous), the largest mobile botnet in recent times. However, some downloaders for other families of banking Trojans, such as Sharkbot, Anatsa, Coper, and Xenomorph, could still be found on Google Play.

Another popular vector of mobile malware infection in 2022 is mobile gaming. Attackers distribute malicious and unwanted software under the guise of pirated versions of games or game cheats. These are often Roblox, PUBG, Minecraft, Grand Theft Auto, and FIFA. The primary sources of such malware are unofficial channels, dubious websites, or groups on social networks.

Mobile cyberthreat statistics

According to the statistics, potentially unwanted software such as RiskTool topped the list for 2022. It took 27.39%, displacing adware, which took 24.05%. However, compared to last year, the share of RiskTool and adware decreased by 7.89% and 18.38%, respectively. In third place were other malicious programs, such as Trojans. Their share increased by 6.7 percentage points to 15.56%. As for the geography of mobile threats, the top 10 countries that were attacked by mobile malware are shown below:

Chinese users were most affected by the Najin Trojan virus that abused SMS messages. Users from Syria and Iran were most affected by the modification of WhatsApp that contained the spyware module. Similar to previous years, most cyberattacks in 2022 were done through malware, accounting for 67.78%. Meanwhile, compared to 2021, adware infections increased from 16.92% to 26.91%, and RiskWare infections rose from 2.38% to 5.31%.

The most frequently detected mobile malware

Trojan malware bothered users the most. This type of malware was disguised as a legitimate program. It can send text messages, call specified numbers, show ads, and hide its icon on the device. Also, modifications of WhatsApp with a spyware module were quite common, as well as fake apps for supposedly receiving allowances and apps that sign the user up for paid SMS services.

RiskTool apps

The RiskTool family of apps makes payments by sending text messages without notifying the user. Usually, it is a cash transfer to other people or pay for a mobile subscription. Among RiskTool-type apps detected, SMSreg 36.47%, Dnotua 26.19%, and Robtes 24.41% ranked first.

Mobile adware

The Adlo family accounts for the most detected installers in 2022, accounting for 22.07%. These are primarily useless fake apps that download ads. In second place is the Ewind family at 16.46%. In third place is HiddenAd, which accounts for 15.02%.

Mobile banking Trojans

For the year 2022, experts detected 196,476 mobile banking Trojans installers. It’s the highest figure in the past six years and also 100% more than last year. The Bray Trojan family, which mainly attacked users in Japan, accounted for 66.40% of all detected banking Trojans. In second place is the Trojan.Fakecalls family with 8.27% and Bian Banker with 3.25%. Also, of all mobile banking Trojans active in 2022, one of the Bian sub specimen accounts for the largest share of attacked users, more than half in Spain. Saudi Arabia followed it, and Australia came in third place, with the majority of victims encountering Gustuff Banker.

Mobile Ransomware Trojans

Beginning in 2021 and continuing through 2022, mobile ransomware attacks declined. Trojan.pigetrl/lockscreen was the leader, accounting for 75.10% of all mobile ransomware. In addition, it was one of the top 20 most frequently detected types of mobile malware. In second place was trojan.locker/rkor. It can block the screen and demand that users pay a fine for illegal content they allegedly view. The most users attacked by mobile ransomware Trojans in 2022 were in China, Yemen, and Kazakhstan.

Although the number of attacks decreased in 2021, the number of attacks became stable in 2022. Unfortunately, cybercriminals are working to improve both malware functionality and distribution vectors, and malware is increasingly distributed through legitimate channels. Therefore, users need to be vigilant when installing apps and avoid clicking on ad banners even in legitimate apps, as sometimes the app developer does not know what the ads in their app contain.

The post Mobile Malware Threat Landscape — 2022 Summary appeared first on Gridinsoft Blog.

ESET experts have discovered the FatalRAT malware, which targets Chinese-speaking users: the threat is distributed through fake websites of popular applications and advertised through Google Ads.

Let me remind you that we also wrote about Attackers Can Use GitHub Codespaces to Host and Deliver Malware, and you may also be interested in our article: Dangerous Virus & Malware Threats in 2023.

The researchers say that FatalRAT has been active since at least the summer of 2021 and is capable of intercepting keystrokes, changing the victim’s screen resolution, downloading and running files, executing arbitrary shell commands, and stealing or deleting data stored in browsers.

Malware advertising

So far, the malware distribution campaign has not been linked to any known hacker group, and the ultimate goals of the attackers are also unclear. For example, hackers can steal victim information (such as credentials) for sale on darknet forums or for later use in other malicious campaigns.

According to experts, most of the attacks were observed between August 2022 and January 2023 and targeted users in Taiwan, China and Hong Kong.

A small number of infections have also been reported in Malaysia, Japan, Thailand, Singapore, Indonesia, Myanmar and the Philippines.

Basically, hackers distribute their malware through fake websites of popular applications, masquerading as Google Chrome, Mozilla Firefox, Telegram, WhatsApp, LINE, Signal, Skype, Electrum, Sogou Pinyin Method, Youdao and WPS Office. Some sites offer fake versions of applications in Chinese, when in fact these applications are not available at all in China (eg Telegram).

Fake site

To lure users to malicious sites, hackers promote these sites in Google search results through Google Ads, while trying to make fake domain sites look like real ones. These malicious ads have now been removed.

The ESET report notes that Trojanized installers downloaded from fake sites delivered the real application to the victim’s device to avoid detection, as well as the files needed to run FatalRAT. The installers themselves were digitally signed .MSI files created with the Windows installer.

According to the researchers, this campaign was aimed at the widest possible range of users and could affect anyone.

Let me remind you that the media wrote that Google Scammer Pleads Guilty in $123 Million Theft.

The post FatalRAT Malware Masks As Popular Apps in Google Ads appeared first on Gridinsoft Blog.

Malware operators and other hackers are increasingly abusing Google Ads to distribute malware to users who are looking for popular software. So, you can encounter malicious ads when searching for Grammarly, MSI Afterburner, Slack, Dashlane, Malwarebytes, Audacity, μTorrent, OBS, Ring, AnyDesk, Libre Office, Teamviewer, Thunderbird, and Brave.

Let me remind you that we also wrote that Fraudsters Are Running a Malicious Advertising Campaign through Google Search.

Specialists from Trend Micro and Guardio Labs described the problem in detail. According to them, hackers are increasingly using typesquatting, cloning the official websites of the above programs and manufacturers, and then distributing trojanized versions of software through them, which users eventually download.

Among the malware delivered in this way, there are versions of the Raccoon stealer, a custom version of the Vidar stealer, as well as the IcedID malware loader. For example, we recently wrote about one of these campaigns, in which attackers distributed miners and the RedLine infostealer using fake MSI Afterburner utility sites.

Fake and real site

However, until recently, it was not clear exactly how users get to such malicious sites. It turned out that the key is in the abuse of advertising in Google.

Trend Micro and Guardio Labs experts say that Google, of course, has protective mechanisms for such a case, but attackers have learned how to bypass them. The thing is, if Google detects that the landing page behind the ad is malicious, the campaign will be immediately blocked and the ad removed.

Therefore, attackers act cautiously: first, users who click on ads are redirected to an irrelevant but safe site, also prepared by hackers. Only from there will the victim be redirected directly to a malicious resource masquerading as the official website of some kind of software.

How redirects work

As for payloads, they are usually in ZIP or MSI formats and are downloaded from reputable file sharing and code hosting services, including GitHub, Dropbox, or CDN Discord. Due to this, the anti-virus programs running on the victim’s computer are unlikely to object to such downloads.

Guardio Labs experts say that during one campaign they observed in November of this year, attackers distributed a trojanized version of Grammarly to users, which contained the Raccoon stealer. At the same time, the malware was “bundled” with legitimate software, that is, the user received the program that he was looking for, and the malware was installed “in the appendage”, automatically.

Guardio Labs, which has named these attacks MasquerAds, attributes most of this malicious activity to the Vermux group, noting that the hackers “abuse a lot of brands and continue to evolve.” According to them, Vermux mainly attacks users in Canada and the United States, using fake sites to distribute malicious versions of AnyDesk and MSI Afterburner infected with cryptocurrency miners and the Vidar stealer.

Attack scheme

Interestingly, activity of hackers, which experts have now described in detail, recently forced the FBI to publish a warning and recommendation on the use of ad blockers (so as not to see potentially dangerous ads in search engines at all).

The post Hackers Are Misusing Google Ads to Spread Malware appeared first on Gridinsoft Blog.

You might also be interested in our review: 8 Symptoms of Adware: How to Avoid it or TOP Facts About Adware Attacks to Be Reminded Today.

Cyjax experts write that Fangxiao has existed since at least 2017 and, judging by the use of Chinese in the control panels, is based in China. In a recently uncovered campaign, scammers are spoofing over 400 well-known brands across retail, banking, travel, pharmaceuticals, transportation, finance and energy industries.

In order to generate the right amount of traffic for their clients and their own sites, Fangxiao members register about 300 new domains daily. So, since the beginning of March 2022, attackers have used at least 24,000 domains to promote fake prize giveaways and surveys among victims.

One of the scam sites

Analysts say that the majority of fraudulent sites are in the .top domain zone, followed by .cn, .cyu, .xyz, .work and .tech. At the same time, scam resources are always hidden behind Cloudflare and registered through GoDaddy, Namecheap and Wix.

Typically, users reach these sites through mobile advertising or after receiving a WhatsApp message that convinces the victim that there is a special offer or some kind of prize available for them, for which they just need to click on the attached link (not as fun as Drinker Adware). After that, the landing page redirects the victim to a special site with a survey, which supposedly needs to be completed within a certain time.

Redirect scheme

In some cases, completing a survey results in an application being downloaded, which the victim is asked to launch and keep open for at least thirty seconds, likely allowing enough time for a new referral user to register. Landing sites also host ylliX ads that Google flags as “suspicious”, and clicking on them leads to a separate chain of redirects.

These redirects work based on the user’s location (IP address) and user agent, and typically lead to Triada Trojan downloads, referrals to Amazon via an affiliate link, fake dating sites, and SMS micropayment scams.

Redirecting scheme

In some cases, completing a survey results in the download of the application, and the victim is asked to launch and keep the app open for at least thirty seconds, likely allowing enough time for a new referral user to register. Landing sites also host ylliX ads that Google flags as “suspicious”, and clicking on them leads to a separate chain of redirects.

These redirects work based on the user’s location (IP address) and user agent, and typically lead to Triada Trojan downloads, referrals to Amazon via an affiliate link, fake dating sites, and SMS micropayment scams.

The post 42,000 Sites Generate Ad Traffic Pretending to Be Famous Brands appeared first on Gridinsoft Blog.