Trojans

Bitcoin mining is a process that involves validating transactions and maintaining the integrity of the Bitcoin blockchain. Miners use complex machinery and computational power to solve cryptographic puzzles, and the first to solve a puzzle is rewarded with Bitcoin. This process is essential for the functioning of the Bitcoin network, but it has also been criticized for its environmental impact due to high energy consumption. However, the term BitCoinMiner has also been associated with a type of malware, often referred to as RiskWare.BitCoinMiner or Trojan.BitCoinMiner. This malware is used by threat actors to hijack the computational resources of infected computers to mine cryptocurrencies without the user's consent. The most common infection method for unsolicited Bitcoin miners are bundlers, but there are many other infection methods in use.

The TrickMo Banking Trojan is a sophisticated piece of malware that targets Android devices, primarily for the purpose of financial fraud. It was initially identified in September 2019 and has since evolved with enhanced functionalities, including the ability to steal screen content, download runtime modules, and employ overlay injection techniques. TrickMo is an Android variant of the TrickBot banking Trojan, which was first identified in 2016. TrickBot was originally designed as a banking Trojan to steal financial data. Over time, it has evolved into a highly modular, multi-stage malware that provides its operators a full suite of tools to conduct a myriad of illegal cyber activities. TrickMo is highly adaptable and sophisticated, with diverse capabilities. Its primary purpose is to engage in financial fraud by stealing sensitive banking information and credentials from users. This includes employing techniques like overlay attacks, screen content theft, and more.

Trojan:O97M/DPLink.A is a type of Trojan horse malware that targets Microsoft Office documents. It is a dangerous cyber threat that can perform a number of harmful actions on your computer, including tracking users, swindling personal information, connecting to remote C&C servers, and installing other malware on the system. It is known for its ability to evade detection by antivirus software, as it uses various obfuscation techniques to hide its malicious code. Removing Trojan:O97M/DPLink.A can be a complex process due to its ability to hide its files in various locations throughout the disk and make changes in the registry, networking configurations, and Group Policies. Therefore, it is recommended to use a specialized anti-malware tool for this purpose. Here is a step-by-step guide to remove Trojan:O97M/DPLink.A.

GoPIX is a malicious software specifically engineered to compromise the Pix instant payment platform. This malware functions as a clipper, redirecting transactions conducted through the Pix platform. Additionally, it operates as a conventional clipper, extending its scope to include cryptocurrency transactions. GoPIX has been in circulation since at least December 2022. Given that Pix is a payment platform established and overseen by the Central Bank of Brazil (BCB), its user base predominantly comprises Brazilian citizens. Consequently, GoPIX's activities are primarily confined to the Brazilian landscape. The GoPIX malware is a typical clipboard stealer that steals Pix "transactions" used to identify payment requests and replaces them with a malicious (attacker controlled) one which is retrieved from the C2. The malware also supports substituting Bitcoin and Ethereum wallet addresses. However, these are hardcoded in the malware and not retrieved from the C2. GoPIX can also receive C2 commands, but these are only related to removing the malware from the machine.

StripedFly is a highly sophisticated, cross-platform malware platform that has infected over a million Windows and Linux systems over a span of five years. It was initially misclassified as a Monero cryptocurrency miner, but further investigation revealed its true nature as an advanced persistent threat (APT) malware. StripedFly is a modular framework that can target both Windows and Linux systems. It has a built-in Tor network tunnel for communication with its command-and-control (C&C) server and uses trusted services like Bitbucket, GitLab, and GitHub for update and delivery mechanisms. The malware operates as a monolithic binary executable with pluggable modules, giving it operational versatility often associated with APT operations. These modules include configuration storage, upgrade/uninstall, reverse proxy, miscellaneous command handler, credential harvester, repeatable tasks, recon module, SSH infector, SMBv1 infector, and a Monero mining module. The presence of the Monero crypto miner is considered a diversion attempt, with the primary objectives of the threat actors being data theft and system exploitation facilitated by the other modules.

Lumar Stealer is a lightweight stealer-type malware written in the C programming language. It is designed to steal information such as Internet cookies, stored passwords, and cryptocurrency wallets. Lumar was first noted being promoted on hacker forums in July of 2023. The malware infiltrates systems and starts gathering relevant device data such as the device name, CPU, RAM, and keyboard layout. It primarily targets information stored on browsers, extracting Internet cookies and login credentials (usernames, IDs, email addresses, passwords, passphrases, etc.). It also targets Telegram Messenger sessions and collects information related to cryptocurrency wallets. Lumar has grabber capabilities, meaning it can download files from victims' desktops. Formats of interest include DOC, TXT, XLS, RDP, and JPG. If you suspect that your computer is infected with Lumar Stealer, it is strongly advised to use a dependable antivirus software to perform regular system scans and to remove detected threats and issues.

AIRAVAT RAT (Remote Access Trojan) is a multifunctional Android malware that targets Android devices, allowing attackers to remotely access and control the victim's device. It is designed with a GUI-based web panel that does not require port forwarding. Some of its features include: reading all files of internal storage, downloading media from the victim's device, retrieving system information, installed applications, SMS, call logs, and contacts, sending SMS and accessing notifications, keylogging, gaining admin permissions, displaying phishing pages to steal credentials through notifications. AIRAVAT RAT operates in the background, making it difficult to detect. It automatically starts when the device is restarted and when a new notification is received.

Phoenix Backdoor is a type of malware specifically designed to target Android users. It is a malicious software that secretly gains access to a user's device, potentially compromising its security and privacy. The primary goal of Phoenix Backdoor is to infiltrate and control infected devices covertly, allowing cybercriminals to perform various nefarious activities. Once Phoenix Backdoor has infected a device, it can perform a range of malicious functions, such as: copying messages sent or received, harvesting photos and other personal data, recording phone calls, secretly filming users through the device's camera, activating the microphone to record conversations.