Viruses

Discover essential defenses in the “Viruses” category at BugsFighter.com, where we provide comprehensive coverage on combating the myriad of digital threats that can compromise your devices and privacy. This section is dedicated to identifying, understanding, and removing viruses that affect computers, smartphones, and other digital platforms. From detailed analysis of new and evolving threats to step-by-step removal guides, our content is crafted to empower users with the knowledge they need to protect themselves. Whether you’re dealing with a stubborn infection or seeking to prevent future attacks, our expert advice and practical solutions are here to safeguard your digital life.

How to remove Trojan:Win32/Fauppod!ml

Trojan:Win32/Fauppod!ml is a machine learning-based detection name assigned by Microsoft Defender to malware identified primarily by its behavior rather than by a traditional signature. This malware is designed to steal sensitive information, particularly online banking credentials. It typically spreads through malicious email attachments or dubious downloads from untrustworthy sources. Once executed, the malware checks for other running instances of itself and uses process hijacking techniques to evade detection. It disables system defenses by manipulating registry keys and injects itself into legitimate processes such as svchost.exe and wmiadap.exe, making its activity difficult to trace. Communication with its command and control (C2) servers often uses both standard and non-standard ports, and it sometimes routes traffic through compromised websites to mask its network activity. Although the detection usually indicates a serious threat, heuristic verdicts like Fauppod!ml can occasionally be false positives, so a second opinion from a third-party anti-malware scanner is valuable for confirmation and removal.
How to remove Trojan:Win32/Leonem

Trojan:Win32/Leonem is a sophisticated spyware variant that primarily targets sensitive login data on compromised systems. This malware is typically spread through malicious documents or disguised as legitimate software, making it a deceptive threat. Once installed, it can perform keylogging, collect browser passwords, cookies, and cache, and even seek out stored credentials in email clients. Leonem also attempts to disable security software, modify system settings, and ensure persistence by running at each system boot. Beyond its primary data-stealing function, it can also act as a malware dropper, often deploying ransomware or backdoors. The malware uses legitimate processes to detect sandbox environments and virtual machines, which helps it evade detection. Ultimately, Leonem exfiltrates collected data to its command server, often using Discord webhooks for this purpose.
How to remove Trojan:Win32/HeavensGate.RPY!MTB

Trojan:Win32/HeavensGate.RPY!MTB is a heuristic detection designed to generically identify a type of Trojan Horse malware. This malicious software can perform a variety of harmful activities once it infiltrates a system. Common behaviors include downloading and installing additional malware, recording keystrokes, and sending sensitive information such as usernames and browsing history to remote attackers. It may also grant unauthorized access to the infected PC, enabling hackers to control it remotely. Some variants inject advertising banners into web pages, engage in click fraud, or even use the system's resources to mine cryptocurrencies. Identifying and removing this Trojan is crucial as it poses significant risks to data security and system integrity. Users should regularly update their antivirus software and remain vigilant when downloading programs or clicking on suspicious links to mitigate such threats.

How to remove BlackZluk Ransomware and decrypt .blackZluk files

Discovered during an investigation of new submissions to VirusTotal, BlackZluk Ransomware is a potent ransomware variant that encrypts victims' files and demands a ransom for their decryption. The malware appends an additional extension, .blackZluk, to the filenames of the encrypted files, renaming a file such as document.docx to document.docx.blackZluk. The ransomware employs sophisticated encryption, typically a mix of symmetric and asymmetric algorithms, so that decryption is impractical without the attackers' key. Once the files are encrypted, the ransomware generates a ransom note titled #RECOVERY#.txt, usually placed in directories containing encrypted files and often displayed on the victim's desktop. This note informs victims that their data has been encrypted and is being held as leverage for extortion, whether through the threat of exposure or a demand for payment.

How to remove ScRansom Ransomware and decrypt .Encrypted files

ScRansom Ransomware, designed to encrypt files on its victims' systems, primarily targets small and medium-sized businesses. It uses sophisticated algorithms to lock data and then extorts victims for money in exchange for decryption keys. The malware appends the .Encrypted extension to the filenames of affected documents, pictures, and other essential files, making them inaccessible to their owners. During the encryption process, a file such as 1.jpg is renamed to 1.jpg.Encrypted, its contents rendered unreadable, causing significant operational disruption. In addition to encrypting files, ScRansom leaves a ransom note named HOW TO RECOVERY FILES.TXT in the infected directories.

How to remove Colony Ransomware and decrypt .colony96 files

Colony Ransomware is a type of malware designed to encrypt data on the victim's computer and demand a ransom for its decryption. It first surfaced on VirusTotal, where researchers documented its modus operandi. Once it has infiltrated a system, the malware encrypts files and appends an extension that includes the attackers' email address and a variable string, most commonly seen as .colony96. For instance, a file initially named photo.jpg may be renamed to photo.jpg.[support2022@cock.li].colony96. The exact extension varies with the specific variant of the ransomware. Upon completing the encryption process, Colony Ransomware creates and displays ransom notes through several visible means: a full-screen message shown before the user login screen, the desktop wallpaper, and a text file labeled #Read-for-recovery.txt. These notes urge the victim to contact the attackers for decryption instructions and lay out specific communication steps so that the victim's message does not get lost.

How to remove Ior Ransomware and decrypt .ior files

Ior Ransomware is a malicious cryptovirus that belongs to the Dharma family, discovered during malware sample inspections on VirusTotal. It encrypts a victim's data, appending the victim's ID, a specific email address, and the .ior extension to filenames. Encrypted files are renamed systematically; for example, 1.jpg becomes 1.jpg.id-12345.[email].ior. The attack is identified through a pop-up window and a text file named manual.txt, informing the victim that their files have been locked and demanding ransom for decryption. The ransom note emphasizes the urgency, instructing victims to contact either jasalivan@420blaze.it or ja.salivan@keemail.me within 12 hours, and it promises free decryption of up to three small files to build trust.

How to remove XiN Ransomware and decrypt .XiN files

XiN Ransomware is a type of malicious software designed to encrypt a victim's data and demand payment for the decryption key. Belonging to the Xorist ransomware family, this malware appends the .XiN extension to the filenames of the encrypted files, making them inaccessible without the decryption key. For example, a file originally named document.txt appears as document.txt.XiN after encryption. The ransomware uses a sophisticated encryption algorithm that is very difficult to break without the specific keys generated during the encryption process, and that dependence on the attackers' keys is what pressures the victim into paying the ransom to regain access to their files. Once the files are encrypted, XiN Ransomware creates a ransom note to inform the victim of the situation. This note appears both as a pop-up window and as a text file named HOW TO DECRYPT FILES.txt.