infection

Winsage
November 3, 2024
ExplorerPatcher has released an update, version 22621.4317.67.1, available on GitHub, addressing issues with the Win+X menu and Start menu. Key updates include:
- The Win+X shortcut is functional on builds 226xx.4317 and above.
- Fixed resource loader issues when the boot drive is not C:.
- Resolved crashes in the Start menu related to context menus with jump list entries on specific builds.
- Improved handling of "Not responding" windows.
- Taskbar items now have animated flashing.
- The Narrator provides descriptions for the "Show desktop" button.
- Added Portuguese (Brazil) translations.
Users can download ExplorerPatcher from GitHub, but it may be flagged by Windows Defender and antivirus programs. Microsoft has taken measures against ExplorerPatcher by limiting its functionality in Windows 11 version 24H2 and labeling it as malware. To avoid false positives, users can add specific paths to the exclusion list in Windows Defender. A PowerShell script is provided to facilitate this process.
Winsage
November 3, 2024
Users of Windows 11 may experience performance issues that indicate a need for reinstallation. Key indicators include:
1. Significant performance drops due to accumulated applications, storage issues, or malware.
2. Frequent crashes and freezes that persist despite troubleshooting.
3. Regular system errors suggesting instability.
4. Corrupted system files identified by tools like System File Checker (SFC) or DISM.
5. New hardware installations that require a clean installation for optimal compatibility.
6. Startup issues that do not improve with disabling startup programs.
7. Malware infections that may necessitate a complete reinstallation.
8. System instability after major changes like new drivers or modifications.
9. Failed troubleshooting attempts that consume more time than productive use of the system.
Reinstallation methods include:
- Using Windows Update to reinstall while preserving files, settings, and applications.
- Resetting the PC to keep files while removing apps and settings.
- Removing everything for a clean installation, requiring restoration of files and reinstallation of applications.
For severe issues, creating a bootable USB may be necessary.
Tech Optimizer
October 23, 2024
Cybersecurity experts from Dr.Web have discovered a cyber attack involving Trojan.AutoIt.1443, targeting approximately 28,000 users primarily in Russia and neighboring countries. The malware disguises itself as legitimate applications and is spread through deceptive links on platforms like GitHub and YouTube, leading to password-protected downloads that evade antivirus detection. Key components of the malware include UnRar.exe and scripts named Iun.bat and Uun.bat, which facilitate its installation while erasing traces of activity. The malware scans for debugging tools, establishes network access via Ncat, and manipulates the system registry to maintain persistence. Its operations include cryptomining using SilentCryptoMiner and cryptostealing through a clipper tool that swaps cryptocurrency wallet addresses. The campaign has affected users drawn to pirated software, highlighting the risks of downloading from unverified sources.
Winsage
October 1, 2024
XWorm is a sophisticated strain of malware known for its advanced obfuscation techniques and stealthy nature. A new variant, identified by researchers from Netskope, is being delivered through Windows script files and has progressed to version 5.6 since its first identification in 2022. The malware initiates infection via a Windows Script File (WSF), which downloads an obfuscated PowerShell script from paste[.]ee, generating files such as "VsLabs.vbs", "VsEnhance.bat", and "VsLabsData.ps1" in the C:\ProgramData\Music\Visuals directory. It creates a scheduled task named "MicroSoftVisualsUpdater" for persistence. XWorm employs evasive techniques like reflective code loading and process injection into legitimate processes. It communicates with its command and control (C2) server through TCP sockets, using AES-ECB encryption and a modified MD5 hash. Version 5.6 introduces features like the ability to remove plugins and a "Pong" command for response time reporting. The malware conducts extensive reconnaissance on infected systems, alerts attackers via Telegram, and can access sensitive information, establish remote access, and deploy additional malware. It modifies the hosts file to redirect DNS requests and can launch Distributed Denial of Service (DDoS) attacks. XWorm captures screenshots, executes system commands, and downloads additional payloads while maintaining stealth through process monitoring. It uses a structured message format for communication with the C2 server, incorporating system information.
Winsage
September 30, 2024
Microsoft's Windows 11 Pro includes the Windows Sandbox feature, which provides a virtualized environment for users to explore the web and download applications without risking their primary system. The Sandbox is isolated, containing any potential malware, and can be easily disposed of with a click. To activate it, users must enable the feature in the Control Panel, which may require a system restart. When launched, it offers a fresh Windows desktop without personal customizations, allowing users to engage with untrusted sources safely. However, transferring files from the Sandbox to the main system can pose risks if those files contain malware. Closing the Sandbox erases all its contents. The inclusion of Windows Sandbox makes upgrading to Windows 11 Pro appealing for users seeking enhanced security.
Winsage
September 27, 2024
Microsoft is set to launch its Recall feature for Windows 11, which captures screenshots of user actions for later retrieval. The feature had been delayed due to security concerns raised by researchers regarding potential vulnerabilities. Microsoft has since enhanced security measures, including making Recall an opt-in feature, implementing encryption for screenshots, and requiring authentication through Windows Hello. Recall will also integrate Microsoft’s Purview software to prevent the capture of sensitive information. Users can control what Recall captures, with options to exclude certain applications and disable the feature entirely. Microsoft conducted extensive security reviews to validate these measures, and Recall is a key feature of the Copilot+ PCs running the latest Windows 11 version.
AppWizard
September 26, 2024
Android users are advised to be cautious when downloading applications due to the threat posed by a trojan called Necro, which has compromised millions of devices since its identification by Kaspersky in 2019. Necro can steal personal data and enroll users in costly subscriptions without consent. It primarily infiltrates devices through modified applications, or 'mods,' which are often downloaded from unofficial sources. Some legitimate apps on the Google Play Store, like Wuta Camera, have also been found to contain Necro. To protect against this threat, users should avoid unofficial sources, exercise caution with official apps, scrutinize app reviews, and refrain from downloading modified versions of apps.