What is PUABundler:Win32/CandyOpen?

As I’ve said in the introduction, CandyOpen is a detection name for a specific program that spreads bundles with unwanted programs. It was developed back in the late 2000s as a way to monetize free applications by adding some advertised content along with the main installation. But as the overall functionality of the app allowed for more extensive and intrusive changes, foul actors began misusing it.

The way this misuse was happening made the major cybersecurity vendors consider OpenCandy a malicious program. It is capable of changing browser settings by itself, and the additional programs it usually install can inject unwanted ads into pages, modify the web browser even more, and do similar dirty things. So having one to run in your system means a browser full of ads, pop-up advertisements flooding both system and browser, and unwanted programs getting installed. Not to mention potential data stealing, that the Win32/CandyOpen is capable of – read on to see the details.

To sum up, a PUABundler:Win32/CandyOpen detection means a malware that delivers unwanted programs and is capable of messing up your system on its own. But to have a more detailed look and a better understanding of this thing, let’s analyze it by running it on a virtual machine.

CandyOpen Malware Analysis

Finding the appropriate CandyOpen sample was rather easy. To be clear, it does not behave like straightforward malware on the surface. You can find it in the list of installed apps; there is even an option to disable additional installations in the menu. But the actions it does to the system once it is launched are quite unambiguous.

As you allow the thing to run under admin privileges, all further actions it does are done without your confirmation. You will speechlessly spectate various shortcuts to appear on your desktop, and your browser will go mad with pop-ups and redirects. As soon as CandyOpen runs in the system, it starts with changing the browser properties, particularly the search engine and start page. Then, it requests the list of unwanted programs to install from the command server, and proceeds with the installation.

Here goes the main concern: while CandyOpen usually installs junk apps that are not outright malicious, nothing stops it from installing malware. Still, the sheer volume of troubles it already brings to your system is enough to say that this should not run in your system.

List of PUA OpenCandy actions:

That is the comprehensive collection of CandyOpen actions, things done by the majority of widespread samples. The particular sample you may find can have only a part of these functions or even go beyond it. Con actors who use it for monetization can alter the CandyOpen in many ways, so it better fits their purposes.

How to remove PUABundler:Win32/CandyOpen?

Removing Win32/CandyOpen is possible manually, but I’d recommend you use anti-malware software. This will speed up the process and make it much easier for you. Also, manual removal makes it nearly impossible to find and remove unwanted or malicious programs present in the system.

GridinSoft Anti-Malware is a program that will remove CandyOpen in no sweat. It will also find and remove all the additional junk OpenCandy can bring.

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

The post PUABundler:Win32/CandyOpen (PUA OpenCandy) appeared first on Gridinsoft Blog.

Hellminer malware has a potential to attack a wide range of devices, from IoT to server clusters. The final target of its activity is bringing profit to its masters with the use of your hardware. Ignoring the activity of this malicious program may lead to premature hardware failure and overall performance deterioration.

Modern malware samples often come in packs, meaning that one thing may signify the presence of several others. Do not hesitate with removal: scan your device with GridinSoft Anti-Malware and remove all the threats in one click. Get your system cleaned up.

What is the Hellminer.exe process?

This is a process associated with a malicious coin miner. Such malware aims at exploiting the system’s hardware to mine cryptocurrencies, mainly DarkCoin and Monero. To maximize profits, hackers who stand behind this malware establish huge networks of infected computers. Hellminer takes up to 80% of CPU power in order to get substantial mining performance, making the system sluggish and uncomfortable to use.

Malicious miners like this one typically get into the user systems through malvertising on the Web, or with the use of dropper malware. Both spreading ways though are commonly used by other malware, which means the risk that Hellminer is not the only infection running in the system.

This malware appears to be different from other miners, as it is not based on XMRig, a popular open-source mining software. Instead, it appears to be written in Python, and is likely a private development. Let’s check out other interesting stuff I’ve found during the analysis.

Hellminer Malware Analysis

It is not completely clear how Hellminer gets into the system; I suspect it is not much different from how malware miners typically spread – via dropper malware and malvertising. After the launch, the malware begins with a selection of anti-VM and anti-debug checks.

Using the calls to WMI, it gets the info about the CPU, trying to find any signs of virtualization. Why I don’t think it is just an immediate info gathering is because the very next step is listing the services and processes. Hellminer specifically seeks for traces of the VMWare virtualization environment. After these checks, the main payload is unfolded. Though, malware may as well use the info collected at this stage, to configure the mining process or as a part of the system fingerprint.

wmic cpu get Name,CurrentClockSpeed,L2CacheSize,L3CacheSize,Description,Caption,Manufacturer /format:list

Fingerprinting starts with another call to WMIC, wmic os get Version. Malware attempts to receive quite a basic, if not scarce, set of data – just the info about the operating system. After that, malware gains persistence through the manipulation with another command and series of changes in Windows registry.

%windir%\System32\svchost.exe -k WerSvcGroup – starting Windows error reporting service to make it run the malware. This increases the level of privileges the malicious program has, also providing it with a disguise.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security – changing network security policies.

The final round of persistence involves another call to WMI, specifically to its Adaptation Service. Hellminer forces it to recursively launch the payload, ensuring continuous execution. This specific command is also a part of resource allocation for the mining process.

wmiadap.exe /F /T /R

Command Server Connectivity

Same as other malware miners, Hellminer does not have any extensive C2 communication. After finishing the steps from the above, it sends the blob of system information to the command server, effectively notifying it about the readiness. C2 returns the configuration file, which specifies the mining pool and the IP address to connect to.

Still, there is a thing that catches an eye – the form of command servers used by this malware. They do not look like C2 of a classic model, instead being a peer-to-peer one. In such a network, the role of a command server is given to one of the infected computers. “Real” server sporadically communicates with one, retrieving the information about the new devices and assigning the next system to get the C2 role. This drastically increases the sustainability of the network, making it particularly hard to disrupt through the command server disruption.

During the analysis, I’ve detected these command servers:

• 20.99.184.37:443
• 20.99.186.246:443
• 23.216.147.64:443
• 192.229.211.108:80
• 20.99.133.109:443

Hellminer.exe Removal Guide

Removing Hellminer malware requires anti-malware software scanning. Such threats typically duplicate itselves to numerous folders across the system, with each acting as a backup. GridinSoft Anti-Malware is what would remove the malicious miner and all its copies in the matter of minutes.

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Miner malware activity always correlates with cryptocurrency prices. At the moment, they are on the rise, meaning that more and more frauds will opt for this malware. The typical ways of spreading for malicious miners is malvertising, particularly ones in search engines. Avoiding it requires user attention: they typically mimic legitimate sites that spread freeware, but always have a different, mangled URL.

The post Hellminer.exe Coin Miner appeared first on Gridinsoft Blog.

Trojan Wacatac Detection

Trojan:Script/Wacatac.B!ml and Trojan:Win32/Wacatac.B!ml detection is one of the numerous detection names that Microsoft assigns to minor malware families. A lot of similar-yet-different malicious software received this name because of the use of the same code solutions and similar functionality. Microsoft’s name often becomes a common noun for all similar malware.

When it comes to functionality, Wacatac is mostly spyware or stealer malware. Some of the sub-specimens may be distinctive for using Discord, Telegram, or Mastodon as data exfiltration channels. To have a more clear understanding of what the malware under the Wacatac name looks like, let’s analyze a sample of malware detected as Wacatac.

Trojan:Script/Wacatac.B!ml

For the analysis of a real-world Wacatac trojan example, I’ve opted for a Trap Stealer. Microsoft detects it as Trojan:Script/Wacatac.B!ml (see more info on VirusTotal). The Python-based malware sample is pretty unique – it is an open-source stealer with the source code listed on GitHub. Its builder features extensive functionality, particularly offers to create a disguise out of the box. But let’s have a more precise look.

On the GitHub repository that contains the source code of the malware, its devs show most of the functionality. It corresponds to the abilities of a classic stealer: malware gathers info from WhatsApp, steals cookies, and contents of the clipboard and AutoFill, scrapes passwords, and can capture screenshots. On top of that, Trap Stealers boast of the ability to mischief the host system.

Detection Evasion Methods

I’d pay additional attention to how this malware disguises itself. As I said, the builder offers not only to specify a Discord webhook as a relay server, but also to establish a “shell” that will make the user launch the malware deliberately. Currently, there are two options for this shell – a fake Discord webhook creation tool and a pseudo-Discord Nitro generator. Malware masters may choose one during the building, or choose none at all.

Though, these methods are called to evade user suspicion. Against anti-malware software, especially malware analysis environments, malware has several dedicated tricks up its sleeve.

Upon execution, this malware performs a row of checks that ensure that the system is not running a debug environment, resides away from the banned countries, and is not a virtual machine. If one of the checks returns an unacceptable result, any further execution will be terminated.

Establishing Persistence

Once all the aforementioned checks are done, Wacatac makes itself persistent to the attacked environment. It creates its randomly-named copy in a random directory in the AppData or LocalAppData folder of a user directory. Then, the malware adds a corresponding value to the Run entry of the system registry. This ensures the malware startup with the system.

Code responsible for registry entry creation

These steps may be accompanied by more, if additional actions were specified in the process of sample building. For instance, malware can hook up to the Discord startup, or establish persistence using the user startup folder instead of the registry key.

Data Gathering

The malware proceeds to its normal activity after establishing persistence. The first thing to do is to collect all the data about the system – it gathers quite a big list of it. Interestingly enough, the malware sends the log with this info to the command server almost instantly. This contrasts with the typical fashion of doing things, when the stealer will get everything it can reach and only then send it to the C2.

This extensive list of system data is then accompanied by collected passwords and cookies. For stealing passwords, Wacatac particularly aims at web browser files. There, it seeks specific files that programs use to keep the info. Aside from files that can contain credentials, Wacatac also collects all the cookies it can find. All the stuff is then kept in the specific files in the AppData\Local\Temp directory, under specific names that start with the “wp” particle.

This Wacatac instance particularly goes for browsing history. Since the way it is handled is more or less unified for most of the browsers, malware targets quite a few of them. Here is the list:

• Safari
• Firefox
• Chrome
• Opera
• Edge
• Opera GX
• Internet Explorer

Stealing Discord Tokens

The Trojan:Script/Wacatac.B!ml sample we are reviewing pays significant attention to Discord, though it is not unique for stealers. Moreover, the method it uses to extract the session tokens is more or less the same for all malware samples. Let’s dive into it.

To get Discord tokens from web browsers, Wacatac seeks for leveldb files (.ldb). It is a database file specific to Chromium-based browsers, that stores auth tokens, keys, and things the like. As there are quite a few popular browsers that derive from Chromium core, malware tries to target them all.

For the sake of clarity, it is worth noting that non-Chromium browsers are not invulnerable to such manipulations. By using database calls, malware can easily extract the info it needs, or even everything all at once. The fact that a browser keeps the data differently means just the need for a couple more lines in malware code.

Aside from crawling through the browser files, the malware also tries to grab the same Discord session tokens from the app’s directory. As there are a few different clients out there, the malware tries targeting them all by scanning for corresponding folders in the AppData\Roaming directory.

Stealing Data of Crypto Wallets & Gaming Apps

Another typical edge of interest for Trojan:Script/Wacatac.B!ml is crypto wallets as extensions, desktop apps, and gaming applications. It particularly aims for Metamask, Atomic, Exodus, and NationsGlory crypto wallets. However, stealing other wallets is just a question of a proper configuration, so they may appear in the future. All the collected data is compressed into a .zip folder and sent to the C2.

For gaming apps, malware particularly aims at Steam and Riot Client. Malware seeks for their folders in AppData\Local and then creates a zipped copy of their directories.

Exfiltration and C&C Connections

Once Trojan:Script/Wacatac.B!ml finishes the extraction, it will keep idling, waiting for new data to steal. Upon every startup, it will go through all the scans I’ve mentioned above, trying to find new stuff to steal. However, a malware master can order it to self-destruct when it finishes the data collection, or even enforce the system crash at this moment. This all is needed to hide the traces of malware activity.

Protecting Against Trojan:Script/Wacatac.B!ml

Stealer malware, such as Trojan:Script/Wacatac.B!ml, is often easily detectable by well-designed antivirus programs. An antivirus program equipped with heuristic detection systems and AI assistance can readily identify and remove this threat. GridinSoft Anti-Malware, in particular, is a reliable choice for this task. It can remove the malware and ensure your PC remains safeguarded for an extended period.

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

The post How to remove Trojan:Script/Wacatac.B!ml appeared first on Gridinsoft Blog.

What is WogRAT (WingsOfGod.dll)?

WogRAT is a classic example of a remote access trojan, a backdoor-like malicious program that focuses on providing remote access to the infected system. ASEC researchers were first to detect and track the malware campaign. They additionally emphasize that this malicious program primarily targets Asian countries – China, Japan, Singapore and Hong Kong in the first place.

The strange thing about WogRAT is that its spreading campaigns were not detected, even though some of the methods were explained in the original research. Malware (more specifically – its loader) is disguised as a file posted on an online notepad service. Its naming supposes that frauds offer WogRAT as a system/program tweaking utility of some sort. This, in turn, supposes that initial spreading of the malware happens in “closed” places, like chats in messengers or the like.

Names for malware loader files that are available from aNotepad:

BrowserFixup.exe, ChromeFixup.exe, WindowsApp.exe, WindowsTool.exe, HttpDownload.exe, ToolKit.exe, flashsetup_LL3gjJ7.exe

WogRAT Malware Technical Analysis

As I said, the original downloading from the aNotepad site gets only the malware loader in the encoded form. Upon execution, it compiles itself on the run and requests the actual payload from a different page hosted on the same site. Depending on the attack, the source for the second-stage payload may differ.

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 /OUT:C:\Users\\AppData\Local\Temp\RESF175.tmp c:\Users\\AppData\Local\Temp\2jahfobn\CSC51D40ACB8B5440B2A46FD286719924C.TMP – the command used by the loader to compile itself

The downloaded file is a similar .NET assembly, encoded with Base64 and present as a text string on the source website. Loader decrypts the payload and loads it into the memory using process hollowing technique.

C:\Windows\SysWOW64\WerFault.exe -u -p 8008 -s 2068

Upon startup, WogRAT collects basic system information by checking different registry keys and executing commands. In particular, it gathers info about network connections, system version, username and some of the info regarding system policies. Malware stacks this data with the info of its own process and sends it to the command server in the HTTP POST request. After that, malware switches to idle, waiting for the commands.

act=on&bid=4844-1708721090438&name=System1\User1

WogRAT has a rather interesting set of commands and properties that it is expecting to receive. The simplified formula consists of 3 elements, and looks like this:

The resulting command is like the following:

task_id=upldr&task_type=3&task_data=C:\\Windows\System32\drivers\etc\hosts

This malware supports 5 different types of operations: running specific files, downloading or uploading the files, altering the idle time, and terminating the execution. Not a huge list at the first glance, but in combination with different task types this gives a full-fledged backdoor functionality.

How to remove WogRAT?

WogRAT is not the stealthiest malware out there; it is in fact more reliant on the tricky spreading method and double-staged loader. Still, the amount of hooks it creates in the system makes it particularly hard to remove manually. For that reason, I recommend using GridinSoft Anti-Malware: a full scan with that program will be enough to repel the RAT and all of its parts across the system.

The post WingsOfGod.dll – WogRAT Malware Analysis & Removal appeared first on Gridinsoft Blog.

What is PUABundler:Win32/PiriformBundler?

PiriformBundler is a detection name for unwanted software developed by Piriform. Microsoft assigns such names to denote a group of malware or unwanted software with common traits. Other malware Wacatac with similar naming conventions may share functionality or code solutions, while those labeled PiriformBundler share the same developer.

But why are they unwanted? Major cybersecurity vendors, along with Microsoft, classify software bundles as unwanted. Piriform used to monetize their free versions by adding other software to installations, meeting the criteria of bundled software.

Aside from that, Piriform software is not particularly effective. While it performs positive actions in the system, its overall effectiveness often falls short, bordering on a placebo effect.

Threat Summary

To have a more clear understanding of what the PUA:Win32/PiriformBundler is, let’s analyze one of the apps detected as PiriformBundler and see what exactly makes it so unpleasant.

PUABundler:Win32/PiriformBundler Analysis

Finding a sample for this analysis is straightforward – any program from the Piriform website will suffice. I chose Defraggler for this analysis, a disk defragmentation utility available in both free and paid versions.

Despite its appearance as a defragmentation tool, the program’s effectiveness is questionable. After two consecutive defrags, it reported about 9% defragmentation, revealing an objective lack of effectiveness.

Subsequent analysis demonstrates that the program while identifying fragmented files, takes no action to address them. This lack of effectiveness raises concerns about its overall utility.

Is PiriformBundler Dangerous?

As indicated by the analysis, it is not as dangerous as malware. While not inherently harmful, Piriform software’s lack of effectiveness makes it less desirable. If you encounter it without consent, running a scan with GridinSoft Anti-Malware is recommended.

It is most likely safe to have such programs on your PC. But if you never installed them, or suspect that it appeared without your consent, then run a scan with GridinSoft Anti-Malware. This program will uncover malicious programs that may potentially be present in the system.

How to protect against PiriformBundler and unwanted programs?

It is not that easy to understand whether the program is legitimate or not. The notification from Microsoft Defender is mostly informational – as you can see, even being marked as PUA does not mean the program is dangerous to use. Though, some of such apps may be rather dangerous to run, due to their malignant nature or just poor design.

By using only reliable and well-reviewed sources, you can weed out the majority of unwanted programs. Forum advice, advertisement on a shady website – such places are not ideal for finding benign and effective software. When you expect it to solve your problems – well, take your time and see user testimonials. The Internet remembers everything, so it will not be possible to hide the truth if you’re persistent enough.

Have reliable anti-malware software running in the system. This will not only protect your system from malware intrusion but also help you understand whether the detected unwanted program is dangerous or not. Using GridinSoft Anti-Malware, you will also be protected from the newest threats and online fraud, thanks to its advanced scanning capabilities.

The post PUABundler:Win32/PiriformBundler appeared first on Gridinsoft Blog.