How to remove Crackonosh Trojan
Crackonosh is the name of a trojan stealthily distributed inside cracked software installers. Upon successful installation, its purpose is to inject the XMRIG miner and start mining Monero cryptocurrency for the threat actors. As of now, statistics show that this miner has helped cybercriminals mine Monero worth roughly two million dollars. A couple of words on how the trojan does its malicious job: after the installer of cracked software is launched, it places an installer and a script onto the targeted system, which then change the Windows Registry settings to turn off hibernation mode and activate Crackonosh in Safe Mode at the next system start-up. This way, the trojan deactivates Windows Update and Windows Defender and is even able to uninstall third-party antivirus programs (e.g., Avast, Bitdefender, Kaspersky, McAfee, and Norton) in order to reduce the chance of getting detected and blocked. To conceal its presence, it erases system log files, serviceinstaller.msi files, and maintenance.vbs files. As a result, some infected systems may display error messages indicating issues with the aforementioned files. In addition, Crackonosh may also halt Windows Update services and substitute the Windows Security icon with a fake green system tray icon. The main symptoms that should attract your attention and lead you to suspect something is wrong with your system are usually slower and laggy PC performance, increased CPU/GPU/RAM usage, overheating, unexpected crashes, and other related issues. Thus, if any of these symptoms are present, make sure to read our guide below and eliminate the potential crypto-mining trojan from your computer.
How to stop MetaMask e-mail spam
Users may receive fake e-mail letters asking them to verify their MetaMask wallet as part of completing the KYC verification process. MetaMask is one of the most popular digital wallets allowing people to store and transfer crypto assets, such as Ethereum. Such messages sent under the MetaMask name belong to phishing e-mail spam campaigns, which are designed to trick users into exposing their wallet credentials. Specifically, cybercriminals urge users to click on attached buttons or links leading to a phishing website. This website then asks users to provide their secret wallet seed phrase to ostensibly pass the aforementioned verification. Unfortunately, doing so will simply enable cybercriminals to hijack the wallet and steal money from it. Note that e-mail scam messages tend to use various psychological tricks to destabilize users' thinking and force them to make rushed decisions - for instance, the fake MetaMask letter stated that the account would be restricted unless users completed verification by the specified date. While e-mail scam messages may be sent by various threat actors and therefore vary in details and even appearance from user to user, their purpose often remains the same - to scam naive users or download malware into the system. Thus, it is important to beware of such messages and not trust what they say. Always double-check the claimed information on the official website of the service involved, even if the message seems totally legitimate. In addition, we encourage you to read our guide and learn about other dangers of e-mail spam messages and techniques for avoiding them.
How to remove Hhoo Ransomware and decrypt .hhoo files
Hhoo has been classified as a ransomware-type virus, which encrypts personal data using cryptographic algorithms. Being yet another version of the Djvu/STOP family, Hhoo can target both individuals and organizations to demand high amounts of ransom. It appeared in the middle of February 2023 and hit thousands of users. Ransom is a so-called payment required by cybercriminals in exchange for the blocked data. Extortionists provide detailed information on that inside a text note (_readme.txt), which is created after Hhoo finishes file encryption. The encryption process can be easily spotted by the new extensions that are assigned to each of the files. This virus appends the .hhoo extension, so that an encrypted file ends up looking like 1.pdf.hhoo.
How to remove Turaddoptle.com
Turaddoptle.com is one of many rogue websites that promote fake push notifications. By displaying the message "Click the "Allow" button to subscribe to the push notifications and continue watching", the suspicious page lures people into clicking on the "Allow" button. Although this button is claimed to be meant for confirming the above, its actual purpose is to enable and deliver dubious pop-ups to users' desktops. Inexperienced users usually get caught off guard by that trick. Some might even ignore the appearance of unknown content and take it for granted. This might be a fatal mistake, since such ads promoted by Turaddoptle.com can lead to potentially dangerous websites. Also, if you see Turaddoptle.com each time you start your browser, your browser is most likely monitored by somebody else. Thus, your data and other information entered throughout browsing sessions can be hijacked and sold to cybercriminals. This is why deleting Turaddoptle.com from your system is urgent. Our guide below will show how to do this in just a couple of steps.
How to remove CRYBrazil Ransomware and decrypt .crybrazil or .hacked files
CRYBrazil is a ransomware variant that was discovered by MalwareHunterTeam in 2018. This virus mainly targets Brazilian and Portuguese users in order to encrypt potentially important files and then demand a ransom for their decryption. While restricting access to files, the file-encryptor has been observed to assign the .crybrazil or .hacked extension, depending on which version penetrated the computer. Once the encryption is finished, CRYBrazil changes the desktop wallpaper to display decryption guidelines and also places the SUA_CHAVE.html file (which leads to a fake download page for Adobe Flash Player) in each folder containing encrypted data. This or other fake websites may therefore be used for distributing unwanted software or additional malware infections.
How to remove Hacktool:Win32/Keygen
Hacktool:Win32/Keygen is a code name used by anti-malware software when the usage or presence of license-cracking tools is detected on the system. Such tools generate fake keys to activate licensed versions of software and therefore bypass paying for it. Although keygen tools are not initially intended to be harmful to users' safety, some threat actors may use them to deliver various malware alongside. While the detection and labeling of a cracking tool as "Hacktool:Win32/Keygen" by your antivirus does not always indicate your system is infected with actual malware, it still might be a good idea to perform a thorough scan of your system. Infections that can be distributed alongside key-generating tools are ransomware (software that encrypts data and demands money from victims), crypto-miners (software that stealthily mines cryptocurrency for cybercriminals), banking trojans, spyware, and other types of potentially devastating infiltrations. Having such malware installed on your system may lead to severe privacy problems, financial losses, downgraded PC performance, and other kinds of threats. Thus, if you recently used a license-cracking tool (Hacktool:Win32/Keygen) and suspect your system could be in danger, make sure to read our guide below and scan your system with effective anti-malware software to detect and eliminate possible threats.
How to remove Hhee Ransomware and decrypt .hhee files
Hhee Ransomware is a recent virus developed by the STOP/Djvu ransomware family. This group of developers has produced hundreds of ransomware infections designed to render personal data inaccessible and blackmail victims into paying the ransom. Hhee is no exception. This is a type of malware that encrypts the files on a victim's computer and demands a ransom payment in exchange for the decryption key to unlock them. It is also known as DJVU ransomware, as its first versions encrypted files with a .djvu extension. During encryption, it renames files with the .hhee extension, so that a sample like 1.pdf will be changed to 1.pdf.hhee, and resets its original icon. Immediately after this, the virus creates a text note called _readme.txt (example in the text box below), which contains file-decryption instructions. Currently, there are only a few methods to decrypt data encrypted by Hhee Ransomware, and the chances are quite low. We provide all the information in this tutorial.
How to remove Karen Ransomware and decrypt .karen files
Having files renamed with the .karen extension (like 1.pdf.karen) means your system is infected with Karen Ransomware. Ransomware is a malicious program usually designed to encrypt data and demand money from victims for its decryption. After successfully restricting access to files, the virus drops the README.txt text note. However, unlike the majority of ransomware infections, Karen's text note is incomplete and does not contain any decryption-related information. The file-encryptor also opens a webpage with a field to enter a UID (unique identifier), which is absent from the note as well. This means it would be impossible to contact the cybercriminals and pay the supposed ransom to return the data. The reason for that could be that the cybercriminals released this ransomware as a premature version to test its functioning and effectiveness.