
All Latest MALWARE VIRUS !!!


AdvisorsBot – AdvisorsBot is a sophisticated downloader first spotted in the wild in May 2018. Once AdvisorsBot has been downloaded and executed, the malware uses HTTPS to communicate with the C&C server. AdvisorsBot has significant anti-analysis features, including the use of “junk code” to slow down reverse engineering and Windows API function hashing to make it harder to identify the malware’s functionality.


AgentTesla – AgentTesla is an advanced RAT which functions as a keylogger and password stealer and has been active since 2014. AgentTesla can monitor and collect the victim’s keyboard input, system clipboard, and can record screenshots and exfiltrate credentials belonging to a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook email client). AgentTesla is openly sold as a legitimate RAT with customers paying between $15-$69 for user licenses.

AmmyyRat – FlawedAmmyy is a remote access Trojan (RAT) that has been developed from the leaked source code of the remote administration software called Ammyy Admin. FlawedAmmyy has been used in both highly targeted email attacks as well as massive spam campaigns and implements common backdoor features, allowing the attackers to manage files, capture the screen, remote control the machine, establish RDP sessions and much more.

AndroidBauts – AndroidBauts is an adware targeting Android users that exfiltrates IMEI, IMSI, GPS Location and other device information and allows the installation of third party apps and shortcuts on mobile devices. 

Anubis – Anubis is a banking Trojan malware designed for Android mobile phones. Since its initial detection, it has gained additional functions including Remote Access Trojan (RAT) functionality, keylogger, audio recording capabilities and various ransomware features. It has been detected on hundreds of different applications on the Google Store.

Asacub – Asacub Mobile Banker was first introduced in 2015 as spyware. Nowadays Asacub functions as a banker aiming at the victim’s bank account information, and is also capable of siphoning incoming SMS messages, browser history and contacts, as well as executing commands, intercepting messages, and turning off the phone or its screen. Asacub spreads via phishing SMS containing a link which leads to downloading the APK file of the Trojan to the infected device.

AuthedMine – AuthedMine is a version of the infamous JavaScript miner Coinhive. Similarly to Coinhive, AuthedMine is a web-based cryptominer used to perform online mining of Monero cryptocurrency when a user visits a web page. However, unlike Coinhive, AuthedMine is designed to require the website user’s explicit consent before running the mining script.

AZORult – AZORult is a Trojan that gathers and exfiltrates data from the infected system. Once the malware is installed on a system (typically delivered by an exploit kit such as RIG), it can send saved passwords, local files, crypto-wallets, and computer profile information to a remote C&C server. The Gazorp builder, available on the Dark Web, allows anyone to host an AZORult C&C server with moderately low effort. 

Bancos – Bancos steals financial information, using keylogging to record the victim’s credentials as they are entered on a targeted bank webpage. Bancos can also supplement or replace a legitimate bank login page with a fake webpage.

Coinhive – Cryptominer designed to perform online mining of Monero cryptocurrency when a user visits a web page without the user’s approval. The implanted JS uses a great deal of the computational resources of the end users’ machines to mine coins, thus impacting their performance.

CryptoLoot – A JavaScript cryptominer, designed to perform online mining of Monero cryptocurrency when a user visits a web page without the user’s approval. The implanted JS uses a great deal of the computational resources of the end users’ machines to mine coins, thus impacting their performance. It is a competitor of Coinhive.

DanaBot – DanaBot is a Trickler that targets the Windows platform. The malware sends out information to its control server, downloads and decrypts files to execute on the infected computer. It is reported the downloaded module can download other malicious files on the system. Moreover, the malware creates a shortcut in the user’s startup folder to achieve persistence on the infected system.

DarkGate – DarkGate is a multifunction malware active since December 2017, combining ransomware, credential stealing, RAT and cryptomining abilities. Targeting mostly Windows OS, DarkGate employs a variety of evasion techniques.

Dorkbot – IRC-based Worm designed to allow remote code execution by its operator, as well as the download of additional malware to the infected system, with the primary motivation being to steal sensitive information and launch denial-of-service attacks.

Dridex – Dridex is a Trojan that targets the Windows platform. This malware is reportedly downloaded by an attachment found in spam emails. This malware identifies itself with a remote server by sending out information about the infected system. Furthermore, it can download and execute arbitrary modules received from the remote server.

Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet was once employed as a banking Trojan, and recently has been used as a distributor of other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can also be spread through phishing spam emails containing malicious attachments or links.

GandCrab – GandCrab is a RaaS malware (Ransomware-as-a-Service). First discovered in January 2018, it operated an “affiliates” program, with those joining paying 30%-40% of the ransom revenue to GandCrab and in return getting a full-featured web panel and technical support. Estimates are that it affected over 1.5 million Windows users before retiring and halting its activities in mid-2019. Decryption tools exist for all GandCrab versions.

Guerrilla – Guerrilla is an Android Trojan found embedded in multiple legitimate apps and is capable of downloading additional malicious payloads. Guerrilla generates fraudulent ad revenue for the app developers.

Gustuff – Gustuff is an Android banking Trojan introduced in 2019, capable of targeting customers of over 100 leading international banks, users of cryptocurrency services, and popular ecommerce websites and marketplaces. In addition, Gustuff can also phish credentials for various other Android payment and messaging apps, such as PayPal, Western Union, eBay, Walmart, Skype and others. Gustuff employs various evasion techniques, including using the Android Accessibility Service mechanism to bypass security measures used by banks to protect against older generations of mobile Trojans.

Hawkeye – Hawkeye is an info stealer malware, designed primarily to steal users’ credentials from infected Windows platforms and deliver them to a C&C server. In past years, Hawkeye has gained the ability to take screenshots, spread via USB and more in addition to its original functions of email and web browser password stealing and keylogging. Hawkeye is often sold as a MaaS (Malware-as-a-Service).

Hiddad – Android malware that repackages legitimate apps and then releases them to a third-party store. Its main function is displaying ads. However, it is also able to gain access to key security details built into the OS.

HiddenMiner – A strain of Android cryptominer that was spotted in April 2018. HiddenMiner is delivered through a fake Google Play update app, exhausting the device’s resources in mining Monero.

IcedID – IcedID is a banking Trojan which first emerged in September 2017, and usually uses other well-known banking Trojans to empower its spread potential, including Emotet, Ursnif and TrickBot. IcedID steals user financial data via both redirection attacks (installs a local proxy to redirect users to fake-clone sites) and web injection attacks (injects into the browser process to present fake content overlaid on top of the original page).

JSEcoin – Web-based cryptominer designed to perform online mining of Monero cryptocurrency when a user visits a web page without the user’s approval. The implanted JavaScript uses great computational resources of the end users’ machines to mine coins, thus impacting the performance of the system.

Lezok – Lezok is an Android Trojan capable of downloading additional malware to the victim’s computer without the user’s consent, as well as generating pop-up advertisements when the user is surfing the Internet.

LockerGoga – LockerGoga ransomware was first seen in the wild towards the end of January 2018, targeting heavy industry companies. It appears that the threat actors behind the attack invest time and effort in choosing the victims and work to launch the attack with perfect timing and against critical assets. The attack usually involves encryption of the Active Directory server and endpoints, in order to leave no alternative other than paying the ransom. Using a combination of AES-256 and RSA makes the encryption very solid. However, poor code design makes the encryption process very slow.

LokiBot – LokiBot is an info stealer with versions for both Windows and Android OS. It harvests credentials from a variety of applications, web browsers, email clients, IT administration tools such as PuTTY and more. LokiBot has been sold on hacking forums and believed to have had its source code leaked, allowing for a range of variants to appear. It was first identified in February 2016. Since late 2017 some Android versions of LokiBot include ransomware functionality in addition to their infostealing capabilities.

Lotoor – Lotoor is a hack tool that exploits vulnerabilities on Android operating systems in order to gain root privileges on compromised mobile devices.

MageCart – MageCart is a type of attack in which malicious JavaScript code is injected into e-commerce websites and third-party suppliers of such systems in order to steal payment details.

Mirai – Mirai is a famous Internet-of-Things (IoT) malware that tracks vulnerable IoT devices, such as web cameras, modems and routers, and turns them into bots. The botnet is used by its operators to conduct massive Distributed Denial of Service (DDoS) attacks. The Mirai botnet first surfaced in September 2016 and quickly made headlines due to some large-scale attacks. Among them were a massive DDoS attack used to knock the entire country of Liberia offline, and a DDoS attack against the Internet infrastructure firm Dyn, which provides a significant portion of the United States internet’s backbone.

Necurs – Necurs is one of the largest spam botnets currently active in the wild, and it is estimated that in 2016 it consisted of some 6 million bots. The botnet is used to distribute many malware variants, mostly banking Trojans and ransomware.

Panda – Panda is a Zeus variant that was first observed in the wild at the beginning of 2016, and is distributed via Exploit Kits. Since its initial appearance, Panda has targeted financial services in Europe and North America. Before the Olympic Games of 2016, it also ran a special campaign against Brazilian banks.

Piom – Piom is an Adware which monitors the user’s browsing behaviour and delivers unwanted

Qbot – Qbot is a backdoor belonging to the Qakbot family. It is capable of dropping and downloading other malware. It also establishes a connection with a remote HTTP server without user consent and may steal important user information.

Ramnit – Ramnit is a banking Trojan which incorporates lateral movement capabilities. Ramnit steals web session information, giving worm operators the ability to steal account credentials for all services used by the victim, including bank accounts, corporate, and social networks accounts.

Retadup – Retadup is a Trojan that targets the Windows platform. It is reported that this malware is used for targeted attacks, and some variants of the malware come with keylogger, screen capture and password stealing capabilities. The malware is used to mine cryptocurrency on the infected system. It communicates with its remote control server and accepts commands to execute on the infected system.

Ryuk – A ransomware used in targeted and well-planned attacks against several organizations worldwide. The ransomware’s technical capabilities are relatively low, and include a basic dropper and a straightforward encryption scheme. Nevertheless, the ransomware was able to cause severe damage to the attacked organizations, and led them to pay extremely high ransom payments of up to 320,000 USD in Bitcoin. Unlike common ransomware, systematically distributed via massive spam campaigns and exploit kits, Ryuk is used exclusively for tailored attacks. Its encryption scheme is intentionally built for small-scale operations, such that only crucial assets and resources are infected in each targeted network with its infection and distribution carried out manually by the attackers. The malware encrypts files stored on PCs, storage servers and data centers.

Satan – Satan is a Ransomware-as-a-Service (RaaS) which first emerged in January 2017. Its developers offer a user-friendly web portal with customization options, allowing anyone who buys it to create custom versions of Satan ransomware and distribute it to victims. New versions of Satan were observed using the EternalBlue exploit to spread across compromised environments, as well as performing lateral movement using other exploits.

Sodinokibi – Sodinokibi is a Ransomware-as-a-Service, first spotted in the wild in 2019, which operates an “affiliates” program. Sodinokibi encrypts data in the user’s directory and deletes shadow copy backups in order to make data recovery more difficult. Moreover, Sodinokibi affiliates use various tactics to spread it, through spam and server exploits, by hacking into managed service provider (MSP) backends, and through malvertising campaigns redirected to the RIG exploit kit.

TheTruthSpy – An Android spyware that first emerged in May 2017. TheTruthSpy is capable of monitoring WhatsApp messages, Facebook chats, and internet browsing history.

Tinba – Tinba is a banking Trojan which targets mainly European banking customers and uses the BlackHole exploit kit. Tinba steals the victim’s credentials using web-injects, which are activated as the user tries to connect to their account.

Triada – Modular backdoor for Android which grants super-user privileges to download malware. Triada has also been seen spoofing URLs loaded in the browser.

TrickBot – TrickBot is a Dyre variant that emerged in October 2016. Since its first appearance, it has been targeting banks, mostly in Australia and the U.K., and lately it has also started appearing in India, Singapore and Malaysia.

Ursnif – Ursnif is a Trojan that targets the Windows platform. It is usually spread through exploit kits – Angler and RIG, each at its time. It has the capability to steal information related to Verifone Point-of-Sale (POS) payment software. It contacts a remote server to upload collected information and receive instructions. Moreover, it downloads files on the infected system and executes them.

Virut – Virut is one of the major botnets and malware distributors on the Internet. It is used in DDoS attacks, spam distribution, data theft and fraud. The malware is spread through executables originating from infected devices such as USB sticks as well as compromised websites, and attempts to infect any accessed file with the extensions .exe or .scr. Virut alters the local hosts file and opens a backdoor by joining an IRC channel controlled by a remote attacker.

WannaMine – WannaMine is a sophisticated Monero cryptomining worm that spreads using the EternalBlue exploit. WannaMine implements its spreading mechanism and persistence techniques by leveraging Windows Management Instrumentation (WMI) permanent event subscriptions.

XMRig – XMRig is open-source CPU mining software used for mining the Monero cryptocurrency, first seen in the wild in May 2017.

Zeus – Zeus is a widely distributed Windows Trojan which is mostly used to steal banking information. When a machine is compromised, the malware sends information such as the account credentials to the attackers using a chain of C&C servers.  
