Viruses

Discover essential defenses in the “Viruses” category at BugsFighter.com, where we provide comprehensive coverage on combating the myriad of digital threats that can compromise your devices and privacy. This section is dedicated to identifying, understanding, and removing viruses that affect computers, smartphones, and other digital platforms. From detailed analysis of new and evolving threats to step-by-step removal guides, our content is crafted to empower users with the knowledge they need to protect themselves. Whether you’re dealing with a stubborn infection or seeking to prevent future attacks, our expert advice and practical solutions are here to safeguard your digital life.

How to remove BrasDex malware (Android)

BrasDex is categorized as a banking virus that infects Android (and Windows) devices to access bank accounts and steal money from victims. This specific banker has been observed targeting victims in the Brazilian region - recently via a fake banking app named "Brazilian Banco Santander". Previously, it used to infiltrate devices by disguising itself as essential Android settings applications. BrasDex abuses Accessibility Services to record the information entered into banking applications. However, instead of showing overlaid (fake) screens to bait users into entering their log-in credentials, it keylogs them inside the targeted banking applications themselves. Unlike other banking malware, BrasDex also employs an ATS (Automated Transfer System) mechanism, which allows cybercriminals to perform fraudulent transactions in an automated way - therefore automating the malicious business and increasing illegal profits. In addition, it is also known that BrasDex exploits the popular Pix fast payment system developed by the Central Bank of Brazil. This makes it easier for cybercriminals since all they require is the victim's identifier (which can be an email, CPF, phone number, or random ID). Please note that the Pix system itself is not vulnerable - threat actors simply use this system to speed up the process of fraudulent transfers. A lot more technical information about BrasDex can be found in this report made by ThreatFabric. BrasDex is a dangerous virus that can cause unpleasant financial losses and privacy issues - thus, make sure to read our guide below and delete this devastating malware from your device. Once done, it is also important to change your log-in credentials.

How to remove GodFather malware (Android)

GodFather is the name of a banking trojan that targets Android devices. Developers behind this malware seek to exfiltrate account credentials and use them for accessing 400+ online banking pages and crypto exchanges across 16 countries worldwide. The GodFather trojan functions by creating overlaid log-in screens and displaying them over legitimate apps or web pages. This way, it tricks users into entering their login data on fake screens, which allows threat actors to access finance-related accounts and abuse them for financial fraud. Before GodFather becomes capable of performing such malicious actions, it needs users to grant certain permissions (access to SMS texts and notifications, screen recording, contacts, making calls, writing to external storage, and reading the device status) in the Accessibility Service window. The trojan does this by imitating the legitimate "Google Protect" tool, therefore making the process look ordinary and less likely to raise suspicion from users. After the permissions are granted, the trojan gets complete liberty to run its malicious actions. GodFather also abuses the granted access to complicate manual removal, steal two-factor authentication codes, process different commands, and hijack data from PIN and password fields. If you want to learn more about the technical specs of the GodFather banking trojan, you can check out this page. In summary, GodFather is a highly devastating infection that can lead to significant financial losses, which is why it must be removed completely and without traces from your device. Use our guide below to do it.

How to remove Lucknite (ETH) Ransomware and decrypt .lucknite files

Lucknite (ETH) or LuckniteRansom is a ransomware virus that was recently inspected by malware researchers. The purpose of this malware type is to encrypt potentially important data and hold it hostage until victims pay a ransom. During encryption, this ransomware also assigns the .lucknite extension to each targeted file. For instance, a file originally named 1.pdf will change to 1.pdf.lucknite and lose its shortcut icon after encryption. After this, cybercriminals present decryption instructions in the README.txt note. Sometimes the content of the ransom note may vary slightly depending on which ransomware version affected the system.

How to remove OBZ Ransomware and decrypt .OBZ files

OBZ is a ransomware-type virus that encrypts access to data and blackmails victims into paying money for decryption. At the time of encryption, the virus alters targeted files with the .OBZ extension. For instance, a file originally named 1.pdf will turn into 1.pdf.OBZ or 1.pdf.obz depending on which ransomware version penetrated the system. In addition, victims also reported seeing a malicious process named Traffic Light in Windows Task Manager. Once the encryption process comes to a close, OBZ Ransomware creates a text document (ReadMe.txt) that features decryption instructions. It is worth noting that the content of this ransom note is identical to that of the previously discovered U2K and MME ransomware, which may indicate that OBZ was developed by the same group of developers.

How to remove CryWiper Ransomware and decrypt .CRY files

CryWiper is a devastating virus that corrupts data to make it inaccessible and then demands money from victims for fake decryption. CryWiper developers disguise their software as ransomware that encrypts data; however, it is in fact a data wiper that simply corrupts the files. While running its "encryption", the virus deletes all shadow copies from the root drive and appends the new .CRY extension to mark the files. For instance, a file originally named 1.pdf will turn into 1.pdf.CRY and become permanently damaged. After this, CryWiper creates a file called README.txt with misleading decryption instructions. It is known that CryWiper avoids damaging .exe, .dll, .lnk, .msi, and .sys files, as well as files stored in the Boot, System, and Windows directories. In addition, this virus has also been observed being distributed via the malicious file browserupdate.exe, is programmed in C++, and targets organizations located in Russia.

How to remove Beijing Ransomware and decrypt .beijing files

Beijing is a ransomware-classified infection that encrypts access to data and demands that victims pay money for its decryption. This file encryptor was also likely released by the same cybercriminals who previously developed another ransomware named LeakTheMall. During encryption, victims will see their files change visually - the new .beijing extension is appended to them. For instance, a file originally named 1.pdf will change to 1.pdf.beijing and become no longer accessible. After this, the virus creates text instructions in !RECOVER.txt explaining what should be done to recover the data.

How to remove SearchBlox

SearchBlox (200,000+ downloads) is a rogue browser extension designed to hack Roblox accounts. This extension is ostensibly developed to help Roblox players quickly search for various servers and allegedly play with famous YouTubers. In fact, quite recently it was discovered that SearchBlox contains malicious JavaScript, which allows its developers to access Roblox accounts, automatically trade limited items (de facto steal them) via Rolimon's platform, and steal Robux (in-game currency) as well. SearchBlox is similar to another malicious extension called RoSearcher, which was popular around 3 months ago and was also being used for stealing Roblox accounts. Although neither of them is still available for installation from the Chrome Web Store, they managed to score a number of downloads and continue affecting numerous players who do not know about their malicious abilities. Thus, if the SearchBlox (or other) extension happens to be installed in your browser, we strongly advise you to delete it immediately. Use our step-by-step guide below to do so. After this, it is also worth changing the login credentials (password) for your Roblox account to prevent further abuse.

How to remove Trigona Ransomware and decrypt ._locked files

Trigona is the name of a ransomware virus that encrypts the data of corporate users (e.g., companies) and demands money for file decryption. During encryption, it appends the new ._locked extension (for instance, 1.pdf._locked) and creates a file named how_to_decrypt.hta after successful completion. This file contains instructions with steps on what victims should do to decrypt their data. It is said that all critical information, such as documents, databases, local backups, and so forth, has been encrypted and leaked. Cybercriminals also mention that file decryption is impossible without their direct involvement. Also, it is mentioned that the data of those who refuse to collaborate with the cybercriminals will be sold to parties potentially interested in abusing it. To prevent all of this, threat actors guide victims to open a decryption page via the TOR Browser and contact the ransomware developers.