Malware detected by Autoreporter | Traficom


This page presents the most common types of malware detected by our Autoreporter system during the most recent quarter.

Malware refers to malicious software. The concept includes computer worms, viruses, malware that downloads other types of malware, as well as spyware. Some of the malware detected by the National Cyber Security Centre Finland belongs to malware families, but malware can also be a part or a variant of other malware. The original malware may have changed often enough to have created completely new malware families of its own. Some criminal groups offer Malware-as-a-Service, and the infrastructure they offer runs several different types of malware.


What is the Autoreporter system?

We combat malware with the Autoreporter system in cooperation with telecommunications operators. The Autoreporter system receives information from sources nearly all around the world about malware traffic originating from Finland. The information is transmitted to the telecommunications operators that provide the subscriptions, which in turn notify their customers about the observations. In the statistics, we list the 10 most common types of named malware detected by the Autoreporter system and reported to us.

This article is updated once per quarter.

Gamarue

What?

Gamarue is a particularly malicious type of malware that has gained a global foothold. It has been detected particularly often in Asia. Gamarue is several years old, and it is one of the most dangerous Windows bots.

What does the activity look like and how is it implemented?

Gamarue allows hackers to control individual computers, steal information and change settings. A botnet is a network of infected computers that communicate with command and control servers.

Botnets are often used in different types of cybercrime. The aim is usually to control an infrastructure large enough to harvest sensitive information. Money is made through extortion or by means such as distributing malware or spam. The Gamarue bot is sold as a package under the name “Andromeda Builder”; depending on the price, the package contains different kinds of plugins that make committing crime easier.

Gamarue’s goal is to distribute other malware families. Installing other types of malware expands the scale and capacity of the botnet. Gamarue distributes ransomware, trojans and backdoors in particular.

How to protect yourself from this type of malware?

  • Use antivirus software.
  • Be careful when clicking links, because email messages may contain links or attachments used to distribute malware.
  • Take care of backups.
  • Use a secure password as well as multi-factor authentication, if possible.
  • Do not use the same password for several different services.
  • Ensure that the software and operating system updates are up to date.

What to do after discovering an infection?

Antivirus software usually removes the malware, or at least notifies you that it has taken measures. After clicking a suspicious link, we recommend that you run a full system antivirus scan. Reinstalling the operating system is the most reliable way to get rid of malware. You should also change your passwords, because malware can steal information.


Avalanche

What?

The cyber criminal group Avalanche offers phishing and distribution of malware as a service to other criminals. The group uses and distributes several malware families. The observation sources used by the Autoreporter service cannot identify every type of malware distributed by the Avalanche group from network traffic, but they can identify infected computers when they try to contact the command and control servers used by the group.

Avalanche refers to a large, global information network. The network maintains an infrastructure used by cyber criminals to conduct phishing and malware distribution campaigns, for example.

A system infected with malware related to Avalanche may be targeted by malicious activity that can include theft of user IDs and other kinds of sensitive information, such as banking or credit card information. Some types of malware can encrypt files and demand a ransom from the victim to allow them to access the files again. A malware infection may also enable a remote connection to the infected device, and infected devices can be used to carry out distributed denial-of-service attacks.

What does the activity look like and how is it implemented?

Cyber criminals use the Avalanche botnet infrastructure to maintain or distribute different kinds of malware variants to victims. At least 40 major financial institutions have been targeted. Sensitive personal data of the victims may have been stolen, and the compromised systems may have been used in other malicious activities. The activities have included launching denial-of-service attacks or distributing malware variants to the victims’ devices, for instance. The Avalanche infrastructure has also been used in money laundering; people have been recruited to commit fraud by transporting and stealing money or merchandise.

Avalanche uses fast-flux DNS, that is, a rapidly changing command and control server infrastructure consisting of compromised servers. At least the following malware families can be found in the infrastructure maintained by Avalanche:

  • Windows-encryption Trojan horse (WVT) (aka Matsnu, Injector, Rannoh, Ransomlock.P)
  • URLzone (aka Bebloh)
  • Citadel
  • VM-ZeuS (aka KINS)
  • Bugat (aka Feodo, Geodo, Cridex, Dridex, Emotet)
  • newGOZ (aka GameOverZeuS)
  • Tinba (aka TinyBanker)
  • Nymaim/GozNym
  • Vawtrak (aka Neverquest)
  • Marcher
  • Pandabanker
  • Ranbyus
  • Smart App
  • TeslaCrypt
  • iBanking Trusteer App Trojan
  • Xswkit

Avalanche is also used as a fast-flux botnet; it provides communication infrastructure for at least the following botnets:

  • TeslaCrypt
  • Nymaim
  • Corebot
  • GetTiny
  • Matsnu
  • Rovnix
  • Urlzone
  • QakBot (aka Qbot, PinkSlip Bot)
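The fast-flux behaviour described above (a short-lived, constantly rotating set of addresses behind one command and control name) can be spotted in passive DNS data. The following detector is an added example, not code from Traficom or from any sinkhole operator; the observation records and the scoring thresholds are constructed assumptions for the demo.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed passive-DNS style observations: (domain, seen_at_seconds, ttl, A records).
# Addresses are documentation ranges, not real Avalanche infrastructure.
OBSERVATIONS = [
    ("static.example-cdn.test", 0, 3600, ["203.0.113.10", "203.0.113.11"]),
    ("static.example-cdn.test", 3600, 3600, ["203.0.113.10", "203.0.113.11"]),
    ("static.example-cdn.test", 7200, 3600, ["203.0.113.11", "203.0.113.10"]),
    ("login-update.example-flux.test", 0, 150, ["198.51.100.4", "192.0.2.77", "203.0.113.200"]),
    ("login-update.example-flux.test", 150, 150, ["192.0.2.91", "198.51.100.4", "203.0.113.9"]),
    ("login-update.example-flux.test", 300, 120, ["203.0.113.250", "192.0.2.13", "198.51.100.60"]),
    ("login-update.example-flux.test", 420, 150, ["192.0.2.140", "198.51.100.7", "203.0.113.33"]),
]


def flux_features(observations):
    """Aggregate per domain: distinct IPs, distinct /24 networks, lowest TTL seen,
    and the average fraction of records that changed between consecutive answers."""
    by_domain = defaultdict(list)
    for domain, seen_at, ttl, ips in observations:
        by_domain[domain].append((seen_at, ttl, set(ips)))
    features = {}
    for domain, rows in by_domain.items():
        rows.sort(key=lambda r: r[0])
        all_ips = set().union(*(ips for _, _, ips in rows))
        # /24 diversity stands in for hosting diversity (compromised servers
        # in many unrelated networks); a CDN usually stays within a few blocks.
        nets = {ip_network(f"{ip}/24", strict=False) for ip in all_ips}
        churn = [
            len(later - earlier) / max(len(later), 1)
            for (_, _, earlier), (_, _, later) in zip(rows, rows[1:])
        ]
        features[domain] = {
            "distinct_ips": len(all_ips),
            "distinct_24s": len(nets),
            "min_ttl": min(ttl for _, ttl, _ in rows),
            "avg_churn": sum(churn) / len(churn) if churn else 0.0,
        }
    return features


def is_fast_flux(f, max_ttl=300, min_ips=5, min_nets=3, min_churn=0.5):
    """Heuristic: short TTL, many addresses spread over several networks, and
    answers that mostly change from one resolution to the next.
    The thresholds are assumptions; tune them against your own baseline."""
    return (
        f["min_ttl"] <= max_ttl
        and f["distinct_ips"] >= min_ips
        and f["distinct_24s"] >= min_nets
        and f["avg_churn"] >= min_churn
    )


def classify(observations):
    """Map each domain to True when it looks like a fast-flux name."""
    return {d: is_fast_flux(f) for d, f in flux_features(observations).items()}


if __name__ == "__main__":
    for domain, verdict in classify(OBSERVATIONS).items():
        print(f"{domain}: {'fast-flux' if verdict else 'stable'}")
```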

How to protect yourself from this type of malware?

  • Use antivirus software and keep it up to date.
  • Make sure that software updates, security updates and the operating system are up to date.
  • Check links that arrive via email or in a text message before clicking them; even if a link seems familiar, it may actually be a fraud. A better option is to go directly to the website with the browser or use a bookmark.
  • Change passwords regularly; do not recycle passwords between services.

What to do after discovering an infection?

  • After clicking a suspicious link or detecting abnormal activity, we recommend that you run a full system antivirus scan.
  • There are plenty of tools on the market that can help detect and remove malware.
  • Changing passwords is important if the device has been infected by malware.

Bamital

What?

The Bamital family of malware intercepts web browser traffic and prevents access to certain security-related websites by modifying the Hosts file used for name resolution. Bamital variants may also modify certain legitimate Windows files to execute their malicious code. Bamital is often installed via hacked websites that spread malware.
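A Hosts file audit is a cheap check for the blocking and redirection described above. The script below is an added example, not code from Traficom's page; the watched domain names and the sample Hosts file are constructed for the demo and should be replaced with your own antivirus and update hostnames.

```python
import ipaddress

# Security-related hostnames to audit. Constructed sample names for this demo;
# in practice use the AV, update and vendor domains your environment relies on.
WATCHED_DOMAINS = {
    "update.example-av.test",
    "download.example-av.test",
    "support.example-security.test",
}

# Constructed sample Hosts file, not a real capture.
SAMPLE_HOSTS = """\
# localhost entries are normal
127.0.0.1     localhost
::1           localhost
# sinkholed to loopback: antivirus updates silently fail
127.0.0.1     update.example-av.test
# pinned to a non-local address: traffic is redirected
198.51.100.7  download.example-av.test
10.0.0.5      intranet.corp.test
"""


def _is_local(ip: str) -> bool:
    """True for loopback, unspecified or link-local addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified or addr.is_link_local


def parse_hosts(text: str):
    """Yield (ip, hostname) pairs from Hosts-file text, skipping comments and
    blank lines; one line may map several names to one address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def audit_hosts(text: str, watched=WATCHED_DOMAINS):
    """Return (hostname, ip, kind) for every watched domain pinned in the file:
    'blocked' when pinned to a local address (the site becomes unreachable),
    'hijacked' when pinned to any other address (requests are redirected).
    A watched domain should never appear in a Hosts file at all."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in watched:
            kind = "blocked" if _is_local(ip) else "hijacked"
            findings.append((name, ip, kind))
    return findings


if __name__ == "__main__":
    for name, ip, kind in audit_hosts(SAMPLE_HOSTS):
        print(f"{kind}: {name} -> {ip}")
```

On a live system, feed the script the contents of C:\Windows\System32\drivers\etc\hosts (Windows) or /etc/hosts instead of the sample text.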

What does the activity look like and how is it implemented?

Bamital has been used for click fraud associated with advertisements, and its main objective is to intercept and redirect search engine results. Bamital also generates web traffic independently of the user, such as visits to websites. Malware in the Bamital family is spread automatically to visitors of certain websites, without their knowledge, and via malicious files in peer-to-peer (P2P) networks.

The malware is also spread via malicious websites running exploit kits. These websites exploit numerous vulnerabilities in the victim’s browser to install malware.

Once a Bamital trojan has been installed, the malware will begin to steal data from the victim’s device and prevent the device’s normal operation. The device may also present a ransom demand prompting the victim for ransom money to regain access to data and files on the device.

How to protect yourself from this type of malware?

  • Use a firewall and make sure it is enabled.
  • Make sure that the updates of the operating system, software and antivirus software are up to date.
  • Restrict the rights of user accounts.
  • Be careful when opening email attachments and transferring files.
  • Do not click links in email messages or webpages without checking them thoroughly.
  • Think carefully whether downloading free software on your device is worth it.
  • Use good password practice, do not recycle passwords and enable multi-factor authentication, if possible.

What to do after discovering an infection?

Antivirus software usually removes the malware, or at least notifies you that it has taken measures. After clicking a suspicious link, we recommend that you run a full system antivirus scan. Reinstalling the operating system is the most reliable way to get rid of malware. You should also change your passwords, because malware can steal information.

Hummer

What?

Hummer is a rootkit, which makes it extremely difficult to remove. After entering the device, Hummer obtains administrator rights, shows the user advertisements and starts to download applications that may be harmful or consume the battery quickly. Hummer also collects personal data and especially banking user ID and password pairs.

This malware is designed for the Android operating system, which means that iPhone users, for instance, do not need to be concerned about Hummer. Even though Hummer has not been found in iPhone’s iOS operating system yet, you should also follow the instructions below when using an iPhone.

What does the activity look like and how is it implemented?

Hummer’s aim is to grant itself administrator rights. This leads to several pop-up advertisements, while unwanted applications, games, adult entertainment applications and malware are installed in the background. If the user removes the applications that have been installed, the Hummer trojan simply reinstalls them again and again.

Based on the latest information, the Hummer family uses more than 18 different rooting methods. Information security researchers have estimated that Hummer may be one of the most widespread trojans, and at its worst, it may have affected millions of phones.

How to protect yourself from this type of malware?

  • You should never download applications outside the official app store.
  • Do not click links in text messages without checking them first carefully.
  • Also use antivirus software on your phone.
  • Monitor the phone’s operation, such as it potentially slowing down or behaving abnormally.
  • Know the applications on your phone: which applications do you need, and which do you not? Can you find any suspicious applications in the application list that you did not install yourself?
  • Protect your own passwords. Do not keep them written down in places like the phone’s notes or save them as contact information.
  • Do not hand anything over to people you do not know.
  • Do not share user IDs or passwords in messages or over the phone.

What to do after discovering an infection?

Removing the Hummer malware is extremely difficult. Hummer can take over the device so completely that normal antivirus tools cannot remove it. What’s worse, not even restoring factory settings will remove this malware. The phone should be restored from a clean copy of the system, nothing less will be sufficient.

Prizmes

What?

Prizmes is a family of trojan malware that affects Android devices. Trojans carry out actions without the user’s permission. They include actions such as remote access, capturing keyboard input, collecting system information, downloading files, downloading other types of malware on the infected system, denial-of-service attacks and running or terminating processes.

Mirai

What?

Mirai is malware that infects smart devices and home routers. Mirai uses smart devices to build a remotely controlled botnet, meaning a network of zombie devices. Such botnets are often used to launch distributed denial-of-service attacks. In late 2016, a Mirai botnet brought down large parts of the internet; many popular services slowed down significantly and the incident affected millions of users.

What does the activity look like and how is it implemented?

Mirai scans the internet, looking for IoT devices that use ARC processors. The devices may be anything from agricultural equipment, irrigation systems, surveillance cameras or cars to smart fridges. ARC processors use a stripped-down version of the Linux operating system. If the default user ID and password have not been changed, Mirai can log in to the device and infect it.

Mirai’s code has changed over time, creating many different variants, such as Okiru, Satori, Masuta and PureMasuta. IoTrooper and Reaper can also be traced back to Mirai. Reaper can affect devices from a large number of manufacturers, and its ability to control the parts of its botnet is far more developed.

How to protect yourself from this type of malware?

  • Make sure that your updates are up to date.
  • Change default passwords.
  • Restrict access: avoid a web address visible to the internet and keep the device inside the home network behind NAT (a public address is often subject to a fee for home users).

What to do after discovering an infection?

Detecting the infection yourself is not easy; usually the operator notifies you that it has detected that the device in question is a part of a botnet.

QSnatch (QNAP NAS malware)

What?

This malware is targeted at Network Attached Storage (NAS) devices manufactured by QNAP. The malware is targeted specifically at the devices of the manufacturer in question, and it can carry out a wide variety of harmful measures in the infected device. The malware can be removed from the device, and the device manufacturer has an update available to protect devices.

What does the activity look like and how is it implemented?

Investigating the domain names and calls related to the observations made it possible to work out the malware’s operating logic. The original method of penetrating the device is unknown, but the attacker’s code is injected into the device’s operating system code and run as part of the device’s normal operations. After this, the device is compromised by the malware. The malware retrieves more malicious code from the domain names it generates.

The format of the call is “HTTP GET https://<generated address>/qnap_firmware.xml?t=<timestamp>”; this call is a very strong indicator for identifying infected devices.

The additional material retrieved is executed in the operating system with administrator rights. At this stage, the malware carries out the following actions, among others:

  • Edits the scheduled jobs and the operations run during startup (cron jobs, init scripts).
  • Prevents updates by completely overwriting the default update source.
  • Prevents QNAP’s MalwareRemover function from running.
  • Steals the IDs and passwords used with the device and sends them to the command and control server.

The malware also has a modular ability to receive new components that carry out measures beyond the operations listed above. The calls to the command and control server continue to run on a schedule.

https://www.kyberturvallisuuskeskus.fi/en/news/qsnatch-malware-designed-qnap-nas-devices
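Because the beacon shape (GET to a generated host, path /qnap_firmware.xml, numeric t parameter) and its scheduled repetition are the two things that distinguish an infected NAS in proxy logs, a small log pass can surface candidates. This is an added example, not code from Traficom or QNAP; the log line format and the sample lines are constructed for the demo.

```python
import re
from datetime import datetime
from statistics import median
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log layout: "<ISO time> <client ip> <method> <url> <status>".
# Adjust the regex to your own proxy or firewall log format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample lines; the "generated" hostnames are made up.
SAMPLE_LOG = """\
2024-03-01T10:00:00 192.0.2.10 GET https://www.example.com/index.html 200
2024-03-01T10:00:05 192.0.2.20 GET https://a7f3kq.example/qnap_firmware.xml?t=1709287205 404
2024-03-01T10:30:05 192.0.2.20 GET https://pz91xm.example/qnap_firmware.xml?t=1709289005 200
2024-03-01T11:00:05 192.0.2.20 GET https://a7f3kq.example/qnap_firmware.xml?t=1709290805 404
2024-03-01T11:02:00 192.0.2.30 GET https://files.example.org/qnap_firmware.xml 200
2024-03-01T11:05:00 192.0.2.40 POST https://cdn.example.net/qnap_firmware.xml?t=1709291100 200
"""


def is_qsnatch_beacon(method: str, url: str) -> bool:
    """True when a request has the beacon shape given in the advisory:
    GET to <any host>/qnap_firmware.xml with a single numeric t parameter."""
    if method != "GET":
        return False
    parts = urlsplit(url)
    if parts.path != "/qnap_firmware.xml":
        return False
    t = parse_qs(parts.query).get("t", [])
    return len(t) == 1 and t[0].isdigit()


def find_beacons(log_text: str):
    """Group matching requests by client address: {src: [(time, host), ...]}."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m or not is_qsnatch_beacon(m["method"], m["url"]):
            continue
        when = datetime.fromisoformat(m["ts"])
        hits.setdefault(m["src"], []).append((when, urlsplit(m["url"]).hostname))
    return hits


def beacon_summary(log_text: str):
    """Per client: beacon count, the distinct generated hosts contacted and the
    median gap between calls in seconds. A steady gap across changing hosts is
    the scheduled C2 call the advisory describes; status codes do not matter,
    a 404 from a not-yet-registered generated name is still a beacon."""
    summary = {}
    for src, events in find_beacons(log_text).items():
        events.sort(key=lambda e: e[0])
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        summary[src] = {
            "count": len(events),
            "hosts": sorted({h for _, h in events}),
            "median_gap_s": median(gaps) if gaps else None,
        }
    return summary


if __name__ == "__main__":
    for src, info in beacon_summary(SAMPLE_LOG).items():
        print(f"{src}: {info['count']} beacons, hosts={info['hosts']}, "
              f"median gap={info['median_gap_s']}s")
```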

How to protect yourself from this type of malware?

  • Do not use default passwords and change the default admin user IDs.
  • Also change the QNAP ID password.
  • Use a strong database root password.
  • Remove unknown or suspicious user accounts.
  • Enable IP and user account access protection.
  • Disable SSH and Telnet connections, if you do not need to use these services.
  • Disable the Web Server, SQL server and phpMyAdmin applications, if they are not needed.
  • Remove malfunctioning, unknown or suspicious applications.
  • Avoid using the default ports (ports 22, 443, 80, 8080 and 8081).
  • Disable Auto Router Configuration and Publish Services and restrict access to myQNAPcloud.

What to do after discovering an infection?

Restore factory settings first. After this, updating the firmware and verifying that the updates were successful is recommended. Keep in mind that in addition to destroying the malware, these measures also destroy the data on the device.

Nymaim

What?

Nymaim is a Trojan downloader, meaning malware that downloads and executes other types of malware in the infected systems. This malware has often been used to install ransomware. Nymaim displays a customised lockscreen while downloading other malware. Nymaim spreads through exploit kits and malvertising (malicious advertising).

What does the activity look like and how is it implemented?

Nymaim is distributed through exploit kits or through files whose names are usually linked to popular search terms; it is also downloaded from other malicious sources. Nymaim shows itself on the device as pop-up advertisements, among other things. The operating system may also slow down significantly, and the browser may display an unusual number of advertisements.

If Nymaim is launched on a device, it attempts to lock the screen or download other types of malware. If the user is located in Europe or North America, the malware downloads a lockscreen customised for the user’s country. The lockscreen displays a ransom demand. If the user is located in a country without a customised lockscreen, Nymaim downloads a second-stage component that can be used later to download new malware.

How to protect yourself from this type of malware?

  • Think carefully where to download applications from and assess whether the download is safe. Malware may spread through free software.
  • Do not click links without checking them first. Links in email messages can be used to distribute harmful content.
  • Think twice before downloading email attachments.
  • Consider carefully from where and what software you download, install and run on your device.
  • Make sure that the operating system and the applications have the latest updates installed.
  • Use antivirus software and keep it up to date.
  • Antivirus software usually removes the malware, or at least notifies you that it has taken measures.

What to do after discovering an infection?

  • After clicking a suspicious link or detecting abnormal activity, we recommend that you run a full system antivirus scan.
  • There are plenty of tools on the market that can help detect and remove malware.
  • Changing passwords is important if the device has been infected by malware.

Matsnu

What?

Matsnu is malware that can carry out the measures determined by a criminal party according to instructions from a remote server. It also changes certain settings on the computer. This malware can download and execute code in the infected system. The downloaded code can potentially encrypt files or disks and steal sensitive information.

What does the activity look like and how is it implemented?

The backdoor makes it possible to carry out commands, such as downloading and executing files and updating the malware as well as its command and control server. The ability to lock or unlock a computer for ransom by command is characteristic of Matsnu.

Certain registry keys are modified upon execution so that a copy of the malware is run every time the system starts. Some tools are also disabled, such as the registry editor and the task manager. Certain registry keys are deleted completely so that the user cannot start the computer in safe mode.

How to protect yourself from this type of malware?

  • Use a firewall and make sure it is enabled.
  • Make sure that the updates of the operating system, software and antivirus are up to date.
  • Restrict the rights of user accounts.
  • Be careful when opening email attachments and transferring files.
  • Do not click links in email messages or webpages without checking them thoroughly.
  • Think carefully whether downloading free software on your device is worth it.
  • Use good password practice, do not recycle passwords and enable multi-factor authentication, if possible.

What to do after discovering an infection?

  • Kill the infected processes (processes that generate outbound network traffic).
  • Check the registry key entries to find out the malware’s file path in the system.
  • Remove the file found at that path.
  • Remove the registry key entries the malware created.

Package-delivery text message malware (Android)

What?

A phishing text message in Finnish or English containing a link to a website uses a package delivery as its pretext. The message includes statements such as “Your package is on its way” or “You have 1 new message”. The message includes a link to a page suggesting that you download an application. The download link on the page offers an .apk installation package for Android devices. The installation package is not an official application; instead, it contains malware. The installation package does not work on an iPhone.

What does the activity look like and how is it implemented?

The page distributing malware may instruct you to allow the installation of unknown applications. This makes it possible to install applications from outside the app store on an Android device. You must not allow the installation of unknown applications, because it makes it possible to install harmful applications by bypassing the official app store.

Passwords and other information, for instance, can be stolen from devices infected by malware. Infected devices are also used to spread the malware further. The malware may steal contact information from the infected device; the information is then used to distribute the malware. The malware is targeted at Android devices, meaning that the actual malware cannot infect an iPhone, for example. However, other fraudulent sites, such as subscription scams, may also open via the link in the text message. As a rule, you should not open links in suspicious messages on any device.

How to protect yourself from this type of malware?

Among other things, the malware may steal passwords and other information on the device. For this reason, it is important to protect your own user accounts with multi-factor authentication and change the passwords of services used with a device infected by malware (such as email and social media) so that the information stolen by the malware cannot be used by criminals.

What to do after discovering an infection?

  • Restore the device to factory settings.
  • When restoring from a backup, make sure that the backup used to restore the device was created before the malware infection.
  • If you have used a banking application or handled credit card information on the infected device, contact your bank.
  • File a police report on any monetary losses.
  • Change the passwords to the services that you have used with your device. The malware may have stolen your passwords if you have logged in to the services after it was installed.
  • Contact your operator, because messages subject to a fee may have been sent from your subscription.

Ranbyus

What?

The Ranbyus trojan may carry out malicious tasks, such as downloading and executing other malware. Ranbyus also receives requests from a command and control server and sends back the desired information and telemetry. This malware can also update or remove itself. In addition to these, it can also steal login IDs and password information, log the user’s keystrokes, participate in distributed denial-of-service attacks and even lock or encrypt the contents of the device for ransom.

What does the activity look like and how is it implemented?

Ranbyus can show signs of itself in many different ways. It may prevent the user from starting the computer in safe mode. Using the Windows registry editor or opening the Windows task manager may be impossible. Certain registry entries may be modified or deleted. Network traffic and file system activity may increase significantly. The device may attempt to contact known malicious IP addresses. Randomly named new files and folders may appear in the directory tree.

https://www.fortiguard.com/encyclopedia/botnet/7630055

How to protect yourself from this type of malware?

  • Use antivirus software and keep it up to date.
  • Make sure that software updates, security updates and the operating system are up to date.
  • Check links that arrive via email or in a text message before clicking them; even if a link seems familiar, it may actually be a fraud. A better option is to go directly to the website with the browser or use a bookmark.
  • Change passwords regularly; do not recycle passwords between services.

What to do after discovering an infection?

  • After clicking a suspicious link or detecting abnormal activity, we recommend that you run a full system antivirus scan.
  • There are plenty of tools on the market that can help detect and remove malware.
  • Changing passwords is important if the device has been infected by malware.

Tinba

What?

Tinba is a type of malware that attempts to infect an end device and gain access to the user’s online bank or other accounts that contain funds in order to steal the user’s money. The trojan, called Tinba or Tiny Banker, is focused on attacks against online banks, especially in Russia.

Tinba is one of the smallest known trojans. Tinba’s source code has been published online, and new variants of the malware appear regularly.

What does the activity look like and how is it implemented?

In a system infected by Tinba, the browser may behave abnormally or the system may crash. Typically, an unexpected pop-up window is shown on a bank’s website with a request to do something out of the ordinary, such as enter the user’s sensitive information in the pop-up.

If Tinba has infected the device and the user attempts to log in to a bank targeted by the malware, Tinba’s web injections are activated. Depending on the targeted bank, victims are shown misleading messages or online forms requesting personal data, login details or a money transfer. In one of the versions of the message, the user is told that money has been accidentally transferred to the user’s account and it must be returned immediately.

Tinba uses several different methods to infect systems and browsers, capturing data sent to and from the websites of banks. When a user logs in to a bank’s website, the malicious pop-up window appears, requesting login details and using the bank’s original logo and address to mislead the user.

Infected websites may distribute Tinba; the victims have been lured to the site with phishing email messages or fraudulent advertising. When a vulnerable system executes the Tinba malware, it is copied under the name bin.exe in the %AppData% folder. Some versions of Tinba end up in other folders; the variants are named based on the information of the infected system. Tinba encrypts its memory usage to avoid detection.

When the infected system is started again, bin.exe is executed and Tinba gains a secure foothold in the system. Tinba can modify browsers such as Firefox and Internet Explorer, prevent warning messages from being displayed and display HTTP content on HTTPS websites without prompts. Tinba targets e.g. the Windows processes explorer.exe and svchost.exe.

How to protect yourself from this type of malware?

Tinba typically infects a device through downloads of free software, infected links in phishing messages or attachments. Tinba can also spread if the user clicks a pop-up window or downloads content from the dark web or torrent files.

Bank trojans are a sophisticated type of malware; they wait and hide in the infected system until the user attempts to log in to an online bank. Tinba uses a keylogger to steal the username and password of the account and sends them to criminals.

  • Do not click email links without checking them first, and do not execute files or download attachments without considering their purpose or if they are necessary.
  • Be careful with unusual requests or content that arrives via email, and never send your own sensitive personal data via email.
  • There are plenty of tools on the market that can help detect and remove malware.
  • Users should check regularly if they get unusual messages, pop-up windows or requests when logging in to an online bank or other financial services.
  • If a site causes suspicions, you should also check the appearance or address of the website in case of changes.
  • You should only download mobile applications from trusted sources, and never from outside the app store.
  • Make sure that backups exist and are up to date; bank trojans can also distribute ransomware.

What to do after discovering an infection?

Removing Tinba from the system is challenging, because it injects malicious code into legitimate processes that are in use. Two methods are commonly used to remove Tinba: most anti-malware vendors’ tools can remove the Tiny Banker malware, or a full system restore from backups made before the malware infection can be performed. Choosing the restore point can be challenging, because a Tinba infection may have occurred long before its activation.

Qrypter

What?

Qrypter is a Java-based Remote Access Trojan (RAT) that uses a Tor (The Onion Router) based command and control (C&C) server structure. The first observations of the Qrypter malware date from June 2016.

Qrypter is a Malware-as-a-Service. The malware is particularly commonly used in combination with AdWind and jRAT. There are several variants of Qrypter in circulation. Qrypter is also known as: Qarallax, Quaverse, QRAT and Qontroller.

What does the activity look like and how is it implemented?

The malware is a part of the Malware-as-a-Service platform of the criminal group “QUA R&D”.

The malware is often spread via malicious email campaigns consisting of a few hundred messages. The recipient is asked to open an attachment that claims to provide more information about products, services, terms of payment or delivery times.

When the malware is launched in the victim’s system, two VBS files with randomised names are dropped into the %Temp% folder and run. These scripts gather information about the firewall and antivirus tools installed on the computer.

Qrypter is a plugin-based backdoor that offers a broad range of capabilities for the attacker: a remote connection, webcam access, an opportunity to install new files and much more. The criminal group sells the remote access trojan, and they even offer support for it. It seems that keeping the malware undetectable by antivirus software is one of the criminal group’s most important goals, which it has partially reached.

How to protect yourself from this type of malware?

  • Use antivirus software.
  • Be careful when clicking links, because email messages may contain links or attachments used to distribute malware.
  • Take care of backups.
  • Use a secure password as well as multi-factor authentication, if possible.
  • Do not use the same password for several different services.
  • Ensure that the software, antivirus and operating system updates are up to date.
  • A user account without administrator rights should be used for everyday computer usage.

What to do after discovering an infection?

Network, proxy server and firewall logs should be monitored so that suspicious traffic or activity can be detected. User accounts that have been used on infected machines should be reset from a clean machine.
