
Viruses

Discover essential defenses in the “Viruses” category at BugsFighter.com, where we provide comprehensive coverage on combating the myriad of digital threats that can compromise your devices and privacy. This section is dedicated to identifying, understanding, and removing viruses that affect computers, smartphones, and other digital platforms. From detailed analysis of new and evolving threats to step-by-step removal guides, our content is crafted to empower users with the knowledge they need to protect themselves. Whether you’re dealing with a stubborn infection or seeking to prevent future attacks, our expert advice and practical solutions are here to safeguard your digital life.

How to remove GoldPickaxe Trojan (Android)

GoldPickaxe is a sophisticated Trojan that targets both Android and iOS devices. It was discovered by Group-IB and is attributed to a Chinese threat group tracked as 'GoldFactory', whose toolset also includes the 'GoldDigger', 'GoldDiggerPlus' and 'GoldKefu' strains. Its primary purpose is to steal personal information, with a particular focus on biometric data, specifically facial recognition data. Once installed, the Trojan operates semi-autonomously: it captures video of the victim's face, intercepts incoming SMS, requests ID documents, and proxies network traffic through the infected device. The Android build can do more than the iOS build because iOS constrains third-party apps more tightly; on Android, GoldPickaxe can read SMS, browse the filesystem, perform clicks on the screen, upload photos, download and install additional packages, and display fake notifications. If you suspect an Android or iOS device is infected with GoldPickaxe or similar malware, run an antivirus scan and uninstall any app you do not recognise, paying particular attention to apps that hold accessibility, SMS or device-administration permissions and to configuration profiles you did not install yourself. For more thorough removal, a factory reset may be necessary; back up personal data first, but restore only the data and not the apps, so the Trojan is not reinstalled along with them.

How to remove Dalle Ransomware and decrypt .dalle files

Dalle Ransomware is a high-risk infection belonging to the Djvu (STOP) ransomware family; it was first identified by malware researcher Michael Gillespie. Dalle infiltrates computers stealthily and encrypts most stored files, rendering them unusable and appending the .dalle extension to their names. The exact cipher is not confirmed in this analysis, but each victim receives a unique decryption key that is held on a server controlled by the ransomware operators. Dalle creates a ransom note named _readme.txt and drops a copy in every folder that contains encrypted files. The note informs victims that their files are encrypted and demands $980 for decryption, with a 50% discount (to $490) if contact is made within 72 hours. The article explains Dalle's infection methods, the encryption it uses, the ransom note it creates, and the prospects for decryption, including the Emsisoft STOP Djvu decryptor. One caveat matters in practice: the decryptor only recovers files encrypted with an offline key (the personal ID printed in _readme.txt ends in 't1'), which the malware falls back to when it cannot reach its server; files encrypted with a per-victim online key cannot be recovered without the attackers' key.

How to remove Proxy Virus (Mac)

Proxy Virus, also called a MITM (Man-in-the-Middle) Proxy Virus, is malware that primarily targets Mac computers. It hijacks browser and network settings so that the user's internet traffic is routed through a proxy server controlled by the attackers, who can then intercept, monitor or manipulate everything that passes through it, redirect the user to malicious websites and harvest sensitive information. It usually arrives disguised as legitimate software that the user is tricked into downloading and installing. The consequences for an infected Mac are several: browsing activity can be tracked and recorded, which is a privacy breach in itself; the user is typically flooded with adware and pop-ups that lead to dubious sites; system and network performance degrade noticeably; and because all traffic transits an attacker-controlled server, the likelihood of further infections and exposure to harmful content rises. Together these effects compromise the security, privacy and usability of the Mac, which is why preventive measures and prompt removal matter. On macOS a proxy can be set per network service (System Settings > Network > the service > Details > Proxies, or `networksetup -getwebproxy "Wi-Fi"` on the command line), through a PAC (proxy auto-configuration) URL, or by a configuration profile, so check all three when cleaning up.
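As an added example (not code from the original article), the following Python script parses the output of macOS's `scutil --proxy`, which prints the system-wide proxy configuration, and flags any explicit HTTP/HTTPS/SOCKS proxy, PAC URL or WPAD setting that is not on a list of hosts you expect. The live check only runs where `scutil` exists; the parser and the assessment are exercised against a constructed sample that mimics a hijacked machine. The `expected_hosts` parameter and the sample values (127.0.0.1:8080, 203.0.113.10) are assumptions for illustration.

```python
"""Check macOS system proxy settings for signs of a hijacked proxy.

Added example: parses `scutil --proxy` output and flags explicit proxies, PAC
URLs and WPAD that do not match a list of expected hosts. The live check runs
only where scutil exists; the parser is exercised on a constructed sample.
"""
import re
import shutil
import subprocess

# Constructed sample of `scutil --proxy` output, shaped like a machine whose web
# traffic has been pointed at a local interceptor and a remote PAC file.
SAMPLE_SCUTIL_OUTPUT = """<dictionary> {
  ExceptionsList : <array> {
    0 : *.local
    1 : 169.254/16
  }
  FTPPassive : 1
  HTTPEnable : 1
  HTTPPort : 8080
  HTTPProxy : 127.0.0.1
  HTTPSEnable : 1
  HTTPSPort : 8080
  HTTPSProxy : 127.0.0.1
  ProxyAutoConfigEnable : 1
  ProxyAutoConfigURLString : http://203.0.113.10/proxy.pac
}
"""

TOP_LEVEL = re.compile(r"^  (\w+) : (.*)$")  # two-space indent = top-level key


def parse_scutil_proxy(text):
    """Return the top-level scalar settings as a {key: value} dict."""
    settings = {}
    for line in text.splitlines():
        m = TOP_LEVEL.match(line)
        if m and not m.group(2).startswith("<"):  # skip nested arrays/dicts
            settings[m.group(1)] = m.group(2).strip()
    return settings


def assess_proxy(settings, expected_hosts=()):
    """Return findings as strings; an empty list means nothing looks hijacked.

    expected_hosts names the proxy hosts or PAC servers your organisation
    really uses, so a legitimate corporate proxy is not reported.
    """
    findings = []
    for proto in ("HTTP", "HTTPS", "SOCKS"):
        if settings.get(f"{proto}Enable") == "1":
            host = settings.get(f"{proto}Proxy", "?")
            port = settings.get(f"{proto}Port", "?")
            if host not in expected_hosts:
                findings.append(f"{proto} proxy enabled -> {host}:{port}")
    if settings.get("ProxyAutoConfigEnable") == "1":
        url = settings.get("ProxyAutoConfigURLString", "")
        if not any(h in url for h in expected_hosts):
            findings.append(f"PAC file configured -> {url}")
    if settings.get("ProxyAutoDiscoveryEnable") == "1":
        findings.append("WPAD auto-discovery enabled (the network can set the proxy)")
    return findings


def check_live_system(expected_hosts=()):
    """Run scutil on this machine; returns None when scutil is not available."""
    if shutil.which("scutil") is None:
        return None
    out = subprocess.run(["scutil", "--proxy"], capture_output=True,
                         text=True, check=True).stdout
    return assess_proxy(parse_scutil_proxy(out), expected_hosts)


if __name__ == "__main__":
    live = check_live_system()
    if live is not None:
        source, findings = "this machine", live
    else:
        source = "constructed sample"
        findings = assess_proxy(parse_scutil_proxy(SAMPLE_SCUTIL_OUTPUT))
    print(f"Proxy check ({source}):")
    for finding in findings or ["no proxy configured"]:
        print("  -", finding)
```

Anything this script reports should be cross-checked against the per-service view (`networksetup -getwebproxy` and `-getautoproxyurl` for each service listed by `networksetup -listallnetworkservices`) and against installed configuration profiles, since a profile can reapply a proxy after you clear it in the UI.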

How to remove Pegasus malware (Android)

Pegasus is highly sophisticated spyware developed by the Israeli cyber-arms firm NSO Group. It infects iOS and Android devices, frequently through zero-click exploits that require no action from the victim, to monitor and extract a wealth of private data. Pegasus can read text messages, log calls, collect passwords, track the device's location, and gather data from apps including WhatsApp, Facebook and Skype. It can also remotely activate the device's camera and microphone to surveil the surroundings. Detecting Pegasus on a device is hard because of its stealth. However, the Mobile Verification Toolkit (MVT) developed by Amnesty International's Security Lab lets technologists and investigators inspect a phone for signs of infection: it analyses an iTunes/Finder backup or a full filesystem dump of an iOS device, or an Android device over ADB, and compares what it finds against published indicators of compromise. The tool requires technical expertise and is not intended for the average user.

How to remove Grandoreiro trojan

Grandoreiro is a sophisticated banking Trojan that has been actively targeting users primarily in Latin America and, more recently, in Europe. Originating from Brazil and first observed in 2016, it is written in Delphi and has evolved steadily over the years, illustrating how persistently cybercriminals adapt to exploit financial systems. It operates under a Malware-as-a-Service (MaaS) model, so it is distributed and used by several different cybercriminal groups. Grandoreiro is known for stealing banking credentials, performing fraudulent transactions, and carrying out a range of other malicious activities on infected computers. Removing it from an infected system calls for a comprehensive approach: uninstall the malicious programs, reset browsers to their default settings, and run specialised malware removal tools such as Malwarebytes or SpyHunter. Preventive measures include maintaining cybersecurity awareness, not clicking suspicious links or opening attachments from unknown senders, and keeping security software up to date.

How to remove BackMyData Ransomware and decrypt .backmydata files

BackMyData Ransomware is a member of the Phobos family that encrypts files on infected computers, rendering them inaccessible to their owners. It targets a wide range of file types and renames each encrypted file by appending the victim's ID, the attackers' email address ([backmydata@skiff.com]) and the .backmydata extension, so an affected file is easy to recognise but unusable without the decryption key. This analysis does not confirm the exact cipher, but Phobos variants use strong encryption whose keys are protected with the attackers' public key, which makes decryption without that key infeasible; no free decryptor exists for the Phobos family, so encrypted files and ransom notes should be preserved rather than deleted. BackMyData generates two ransom notes, info.hta and info.txt, on the victim's desktop. These instruct victims to contact the attackers by email (backmydata@skiff.com) and demand a ransom payment in exchange for the decryption key. The notes also threaten to sell stolen data if the ransom is not paid, to press victims into acting quickly.

How to remove Lkhy Ransomware and decrypt .lkhy files

Lkhy Ransomware is a variant of the notorious STOP/Djvu ransomware family that encrypts files on infected computers and appends the .lkhy extension to their names. It uses the Salsa20 stream cipher to lock files, targeting documents, images, videos, databases and other valuable file types, and replaces each original with its encrypted version; the encryption key is unique to each victim and is held by the attackers. Once encryption is complete, Lkhy drops a ransom note named _readme.txt, typically in every folder containing encrypted files, demanding payment in Bitcoin in exchange for the decryption key. The demand ranges from $499 to $999, with the lower price offered as a 50% discount if the victim contacts the attackers within 72 hours.
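The three ransomware entries above (Dalle and Lkhy from STOP/Djvu, BackMyData from Phobos) describe two distinct renaming schemes and two distinct ransom notes. As an added example, not code from the original articles, the following Python script triages a directory tree for both: it inventories encrypted files by their naming pattern, collects the ransom notes, extracts the STOP/Djvu personal ID from `_readme.txt`, and classifies it as an offline or online key using Emsisoft's documented convention that offline IDs end in "t1", which decides whether the Emsisoft STOP Djvu decryptor can help at all. The Phobos filename pattern (`<name>.id[<victim id>].[<email>].<ext>`) is an assumption based on the renaming described for BackMyData, and the infected-looking sample tree, including the personal ID and victim ID values, is constructed here.

```python
"""Triage a directory tree for STOP/Djvu and Phobos ransomware artefacts.

Added example, not code from the original articles. The sample tree and all
IDs in it are constructed; the 't1' offline-key rule is Emsisoft's convention.
"""
import os
import re
import tempfile

DJVU_EXTS = {".dalle", ".lkhy"}       # STOP/Djvu appends a four-letter extension
DJVU_NOTE = "_readme.txt"
PHOBOS_NOTES = {"info.hta", "info.txt"}
# Assumed Phobos-style name: <original>.id[<victim id>].[<email>].<ext>
PHOBOS_RE = re.compile(r"\.id\[([^\]]+)\]\.\[([^\]]+)\]\.(\w+)$")
PERSONAL_ID_RE = re.compile(r"Your personal ID:\s*([A-Za-z0-9]+)")


def parse_djvu_note(text):
    """Return the personal ID printed in a _readme.txt, or None if absent."""
    m = PERSONAL_ID_RE.search(text)
    return m.group(1) if m else None


def djvu_key_type(personal_id):
    """Offline IDs end in 't1': one key shared by every victim of that variant,
    usable by Emsisoft's decryptor once known. Any other ID is an online key
    generated per victim and held only by the attackers."""
    return "offline" if personal_id.endswith("t1") else "online"


def triage(root):
    """Walk root and return what was found, grouped by family."""
    found = {"djvu_files": [], "phobos_files": [], "notes": [],
             "djvu_ids": {}, "phobos_ids": set(), "contacts": set()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == DJVU_NOTE:
                found["notes"].append(path)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    pid = parse_djvu_note(fh.read())
                if pid:
                    found["djvu_ids"][pid] = djvu_key_type(pid)
            elif lower in PHOBOS_NOTES:
                found["notes"].append(path)
            elif os.path.splitext(lower)[1] in DJVU_EXTS:
                found["djvu_files"].append(path)
            else:
                m = PHOBOS_RE.search(name)
                if m:
                    found["phobos_files"].append(path)
                    found["phobos_ids"].add(m.group(1))
                    found["contacts"].add(m.group(2))
    return found


def report(found):
    """Human-readable summary with the decryption outlook per ID."""
    lines = [f"STOP/Djvu encrypted files: {len(found['djvu_files'])}",
             f"Phobos encrypted files:    {len(found['phobos_files'])}",
             f"Ransom notes:              {len(found['notes'])}"]
    for pid, kind in found["djvu_ids"].items():
        outlook = ("Emsisoft STOP Djvu decryptor may work if this variant's offline key is known"
                   if kind == "offline" else
                   "online key, no free decryptor; keep the files in case the key is released")
        lines.append(f"Djvu personal ID {pid}: {kind} key ({outlook})")
    contacts = ", ".join(sorted(found["contacts"]))
    for pid in sorted(found["phobos_ids"]):
        lines.append(f"Phobos victim ID {pid}, contact {contacts}: "
                     "no free decryptor for Phobos; preserve files and notes")
    return "\n".join(lines)


def _write(path, data):
    with open(path, "wb" if isinstance(data, bytes) else "w") as fh:
        fh.write(data)


def build_sample_tree():
    """Create a constructed tree that looks like a mixed Djvu/Phobos infection."""
    root = tempfile.mkdtemp(prefix="ransom_triage_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("report.docx.dalle", "photo.jpg.lkhy", "untouched.txt"):
        _write(os.path.join(docs, name), b"\x00" * 64)
    _write(os.path.join(docs, DJVU_NOTE),
           "ATTENTION!\nAll your files are encrypted.\nPrice of private key is $980.\n"
           "Discount 50% available if you contact us first 72 hours.\n"
           "Your personal ID:\n0123abcdEFGH4567ijklMNOPt1\n")
    _write(os.path.join(root, "budget.xlsx.id[1A2B3C4D-3483].[backmydata@skiff.com].backmydata"),
           b"\x00" * 64)
    _write(os.path.join(root, "info.txt"), "All your files have been encrypted!\n")
    return root


if __name__ == "__main__":
    print(report(triage(build_sample_tree())))
```

Run it against a real volume with `triage("/path/to/share")` instead of the sample tree. The point of the classification step is to set expectations before anyone downloads a decryptor: an offline ID is worth trying with Emsisoft's tool, an online ID is not, and a Phobos victim ID means no free decryptor exists at all, so the encrypted files and notes should be kept intact for investigation or a possible future key release.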

How to remove PUA:Win32/Presenoker

PUA:Win32/Presenoker is the detection name Microsoft Defender Antivirus uses for a class of Potentially Unwanted Applications (PUAs). Such applications often look legitimate and useful but behave in ways the user did not ask for; they include adware, browser hijackers, and other software with unclear objectives. Start by opening Defender's Protection history and noting the file path it flagged, because that is the program to remove. Manual cleanup is sometimes described as deleting the contents of the DetectionHistory and CacheManager folders under the Windows Defender directory in File Explorer; be aware that this only clears Defender's record of the detection (which is why a stale Presenoker entry can keep reappearing after the file itself is gone), it does not remove the application. Since Presenoker often changes browser settings, resetting the browser to its defaults through its settings menu undoes those changes. Finally, run a full system scan with reputable antivirus software such as Malwarebytes, SpyHunter or Norton to detect and quarantine Presenoker and any related malware automatically.