Everything you need to know about VPNFilter Malware


VPNFilter Malware:

It has recently been reported that a dangerous malware called VPNFilter is targeting an increasing number of makes and models of devices, with additional capabilities such as secretly injecting malicious content into web traffic passing through an infected router. This capability, provided by a module called ssler, lets VPNFilter stage a man-in-the-middle attack with the aim of spying on victims to steal sensitive data. Using this capability, ssler also allows the actor to deliver exploits to endpoints.

Researchers have found that this malware is continuously targeting more makes and models of devices. With these additional capabilities, exploits can now be delivered to endpoints and the infection can survive a reboot.


VPNFilter is sophisticated malware that uses known vulnerabilities to infect routers made by Linksys, MikroTik, Netgear, QNAP and TP-Link. Once installed, the malware uses a central infrastructure to install specialized plug-ins on the router. One plug-in allows the attackers to listen to their victims’ Internet traffic to steal their Web credentials; another targets a protocol used in industrial control networks, such as in the power grid. A third plug-in allows the attackers to render any or all infected hardware unusable. Together, all of the infected units in dozens of countries make up a botnet of around 500,000 routers.




Beware! The TrickBot Trojan is back

TrickBot Trojan was first identified in mid-2016 and is considered similar to the Dyreza banking Trojan. Initially, the payload (the component of a computer virus that executes a malicious activity) was spread through a malvertising campaign using the Rig Exploit Kit. From our current findings, we have found that TrickBot has changed its propagation technique and is now spreading using the Necurs Botnet (a distributor of many pieces of malware, including ransomware).

1) Earlier we had discovered a malspam (malware that is delivered via email messages) campaign that was delivering the TrickBot Trojan. It consisted of blank emails with no subject line and a scan_RandomNo.doc file attachment (e.g. SCAN_4744.doc, SCAN_1254.doc).

Fig 1. A blank email with SCAN_4744.doc as an attachment.

The .doc file contains an embedded macro whose functionality was similar to that of the Dridex family.

2) Presently, this malspam campaign is using .zip attachments with keywords such as “invoice” in the file name, as shown below.

Fig 2. Email containing a .zip attachment. The .zip contains another .zip, which holds a script file with a .wsf extension.

Fig 3.

This .wsf file is executed using Windows ‘wscript.exe’ and downloads an extension-less encoded file into the %temp% folder, which is then decoded in the same location as same_file_name.exe. It then copies itself into the ‘%appdata%\winapp’ folder. In addition, it downloads two further components, ‘client_id’ and ‘group_tag’. ‘client_id’ holds information such as the name of the victim’s machine, OS version, etc.; ‘group_tag’ contains a value such as ‘mac1’. This Trojan also injects DLLs into the browsers installed on the infected machine to steal information such as usernames, passwords, etc. We have also observed that a few .wsf files received during our analysis of this malspam campaign are spreading a new variant of the JAFF ransomware.

3) On 14.06.17, we observed another malspam campaign delivering TrickBot.

Fig 4. Email containing a .zip as an attachment.

Fig 5.

Emails delivered through this new malspam campaign contain a .docm file. The .docm has an embedded macro which, when enabled, downloads and installs components of the TrickBot Trojan on the infected machine.

Quick Heal Detection

1. Quick Heal has detection for the .doc, .wsf and downloaded payload files.

Fig 6.

Fig 7.

2. Quick Heal’s behaviour-based detection successfully detects the malicious activities of TrickBot.

Fig 8.

Precautionary Measures

1) Avoid opening email attachments received from unknown, unwanted or unexpected sources.
2) Open all Microsoft documents, PDF files, etc., received as email attachments only in ‘Protected View’.
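As an added example (not from the Quick Heal post), the following Python script flags each stage of the .wsf infection chain described above when run over constructed Sysmon-style event records; the event field names, the expanded Windows locations of %temp% and %appdata%, and the sample file name a8f3k2 are assumptions made for this example.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Expanded locations of the %temp% and %appdata%\winapp paths named in the post.
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
WINAPP_DIR_RE = re.compile(r"\\appdata\\roaming\\winapp\\", re.IGNORECASE)
MARKER_FILES = {"client_id", "group_tag"}  # components the Trojan downloads

def classify_event(event: dict) -> Optional[str]:
    """Return a rule name if the event matches one stage of the chain, else None."""
    if event.get("type") == "process_create":
        image = event.get("image", "").lower()
        cmdline = event.get("cmdline", "").lower()
        # Stage 1: the .wsf from the nested .zip is run by wscript.exe.
        if image.endswith("\\wscript.exe") and ".wsf" in cmdline:
            return "wscript_runs_wsf"
        # Stage 3: a binary runs from the %appdata%\winapp folder it copied itself to.
        if WINAPP_DIR_RE.search(image):
            return "exec_from_winapp"
    elif event.get("type") == "file_create":
        target = event.get("target", "")
        name = target.rsplit("\\", 1)[-1].lower()
        # Stage 2: an extension-less file dropped in %temp% (the encoded download).
        if TEMP_DIR_RE.search(target) and "." not in name:
            return "extensionless_temp_drop"
        # Stage 4: client_id / group_tag written next to the installed copy.
        if WINAPP_DIR_RE.search(target) and name in MARKER_FILES:
            return "trickbot_marker_file"
    return None

def detect(events: Iterable[dict]) -> List[Tuple[str, str]]:
    """Run the classifier over an event stream; return (rule, image-or-path) hits."""
    hits = []
    for ev in events:
        rule = classify_event(ev)
        if rule:
            hits.append((rule, ev.get("image") or ev.get("target", "")))
    return hits

# Constructed sample events mirroring the chain in the post (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Local\Temp\invoice.wsf"'},
    {"type": "file_create", "target": r"C:\Users\u\AppData\Local\Temp\a8f3k2"},
    {"type": "file_create", "target": r"C:\Users\u\AppData\Local\Temp\a8f3k2.exe"},
    {"type": "process_create", "image": r"C:\Users\u\AppData\Roaming\winapp\a8f3k2.exe", "cmdline": ""},
    {"type": "file_create", "target": r"C:\Users\u\AppData\Roaming\winapp\client_id"},
    {"type": "file_create", "target": r"C:\Users\u\AppData\Roaming\winapp\group_tag"},
    {"type": "process_create", "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
]
```

The extension-less %temp% rule is noisy on its own; treat it as a correlation signal alongside the winapp and marker-file hits rather than as an alert by itself.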



Stay away from the Fireball Malware – Update your Antivirus

In its latest advisory, the Indian Computer Emergency Response Team (CERT-In) has warned Internet users about the Fireball malware. This post explains what this virus is all about and how you can stay away from it.

What is the Fireball Malware?

Fireball is a browser hijacker that attacks the victim’s web browser. It is designed to perform the following activities:
- Generate fraudulent clicks on advertisements to make money for the attacker
- Make changes to the default web browser and its settings
- Download and execute other malware on the infected system
- Spy on the victim and steal their private information

How does Fireball malware spread?

Fireball is being distributed bundled with freeware programs. So, when a user installs such freeware, they may also install Fireball without even knowing about it.

What should be done?

If you think you may have installed free software in the past and have noticed unusual changes in your web browser or computer, then follow these steps:
- Run an antivirus scan on your computer
- Uninstall programs which you don’t recognise (go to Control Panel > Programs)
- Uninstall browser add-ons (plug-ins, extensions) which you don’t recognise or don’t remember installing
- Reset your Internet browsers

How Quick Heal helps

Quick Heal Antivirus successfully detects and blocks the Fireball malware. It detects it as:
- Pua.Elex
- AdWare.ELEX
- PUP.Elex

If your PC is not protected, you may install the 30-day free trial version of Quick Heal and run its Anti-malware scan.

Tips to avoid such malware
- Avoid installing free software, especially software that does not come from a verified publisher
- Do not click on pop-up ads when you visit less popular and unknown websites, particularly those that offer free software downloads
- Do not click on links or download attachments in unknown or unexpected emails
- Keep your antivirus up-to-date
- Apply all recommended security updates on your computer
- Keep Automatic Updates ON

Reference by Quick Heal