
Trojans

Dive into the treacherous world of Trojans in our specialized “Trojans” category at BugsFighter.com. Named after the deceptive Trojan Horse of ancient mythology, these malicious programs disguise themselves as harmless software to infiltrate your system, unleashing harmful effects such as data theft, system damage, and unauthorized access to your devices. Our in-depth guides and articles provide critical information on identifying, removing, and defending against Trojans. Learn about the latest Trojan threats, the mechanics of their operations, and the best practices for securing your digital environments. Whether you’re a home user or managing an enterprise network, arm yourself with the knowledge to protect your systems against these cunning adversaries.

How to remove GoPIX malware

GoPIX is malicious software specifically engineered to compromise the Pix instant payment platform. It functions as a clipper, redirecting transactions conducted through the Pix platform, and additionally operates as a conventional clipper that extends its scope to cryptocurrency transactions. GoPIX has been in circulation since at least December 2022. Given that Pix is a payment platform established and overseen by the Central Bank of Brazil (BCB), its user base predominantly comprises Brazilian citizens; consequently, GoPIX's activity is primarily confined to Brazil. GoPIX is a typical clipboard stealer: it steals the Pix "transactions" used to identify payment requests and replaces them with a malicious, attacker-controlled one retrieved from the C2. The malware also supports substituting Bitcoin and Ethereum wallet addresses; however, these are hardcoded in the malware rather than retrieved from the C2. GoPIX can also receive C2 commands, but these are only related to removing the malware from the machine.

How to remove StripedFly malware

StripedFly is a highly sophisticated, cross-platform malware platform that has infected over a million Windows and Linux systems over a span of five years. It was initially misclassified as a Monero cryptocurrency miner, but further investigation revealed its true nature as an advanced persistent threat (APT) malware. StripedFly is a modular framework that can target both Windows and Linux systems. It has a built-in Tor network tunnel for communication with its command-and-control (C&C) server and uses trusted services like Bitbucket, GitLab, and GitHub for update and delivery mechanisms. The malware operates as a monolithic binary executable with pluggable modules, giving it operational versatility often associated with APT operations. These modules include configuration storage, upgrade/uninstall, reverse proxy, miscellaneous command handler, credential harvester, repeatable tasks, recon module, SSH infector, SMBv1 infector, and a Monero mining module. The presence of the Monero crypto miner is considered a diversion attempt, with the primary objectives of the threat actors being data theft and system exploitation facilitated by the other modules.

How to remove Lumar Stealer

Lumar Stealer is a lightweight stealer-type malware written in the C programming language. It is designed to steal information such as Internet cookies, stored passwords, and cryptocurrency wallets. Lumar was first noted being promoted on hacker forums in July 2023. The malware infiltrates systems and starts gathering relevant device data such as the device name, CPU, RAM, and keyboard layout. It primarily targets information stored in browsers, extracting Internet cookies and login credentials (usernames, IDs, email addresses, passwords, passphrases, etc.). It also targets Telegram Messenger sessions and collects information related to cryptocurrency wallets. Lumar has grabber capabilities, meaning it can download files from victims' desktops; formats of interest include DOC, TXT, XLS, RDP, and JPG. If you suspect that your computer is infected with Lumar Stealer, it is strongly advised to use dependable antivirus software to perform regular system scans and to remove detected threats and issues.

How to remove AIRAVAT RAT (Android)

AIRAVAT RAT (Remote Access Trojan) is a multifunctional Android malware that allows attackers to remotely access and control the victim's device. It is designed with a GUI-based web panel that does not require port forwarding. Some of its features include: reading all files in internal storage, downloading media from the victim's device, retrieving system information, installed applications, SMS, call logs, and contacts, sending SMS and accessing notifications, keylogging, gaining admin permissions, and displaying phishing pages through notifications to steal credentials. AIRAVAT RAT operates in the background, making it difficult to detect. It automatically starts when the device is restarted and when a new notification is received.

How to remove Phoenix Backdoor (Android)

Phoenix Backdoor is a type of malware specifically designed to target Android users. It is malicious software that secretly gains access to a user's device, compromising its security and privacy. The primary goal of Phoenix Backdoor is to infiltrate and covertly control infected devices, allowing cybercriminals to perform various nefarious activities. Once Phoenix Backdoor has infected a device, it can perform a range of malicious functions, such as: copying messages sent or received, harvesting photos and other personal data, recording phone calls, secretly filming users through the device's camera, and activating the microphone to record conversations.

How to remove CraxsRAT (Android)

CraxsRAT is a highly dangerous Android Remote Access Trojan (RAT) that allows a threat actor to remotely control an infected device from a Windows computer. The malware is highly customizable and versatile, with several versions available, and can infiltrate systems with minimal permissions, raising little suspicion. CraxsRAT can monitor accessed websites and force-open specific pages, causing infection chains either by downloading and executing payloads or by tricking victims into doing so themselves via force-opened deceptive sites. The malware can inspect call logs and read, remove, and add contacts. CraxsRAT can also bypass Google Play Protect, provides a live screen view, and has a shell for command execution. The malware is generated using a builder, which comes with options to customize and obfuscate the payload, choose an icon and the app name, and select the features and permissions that need to be activated once the app is installed on the smartphone.

How to remove IDP.Generic virus

IDP.Generic is a generalized code name used by anti-malware software for labeling, and therefore quarantining, possibly malicious activity. IDP.Generic is not tied to any specific file: a plethora of different files can be assigned this detection name by your antivirus. In the majority of cases, IDP.Generic detections are false positives and do not pose any real threat to users. A false positive is simply when anti-malware software mistakenly identifies a harmless or legitimate file as malicious and blocks its operation or even deletes it completely. Many users report that false flagging happens with files belonging to video games or other third-party software. Usually, it is the Avast and AVG engines that tend to raise IDP.Generic false positives the most. In such a case, it is enough to add the file to your antivirus whitelist and continue using the associated program without problems. However, even though many detections like this are nothing to worry about, there are of course cases when the detected file(s) are actually malicious. Make sure that the software/file you downloaded is fully legitimate and was not obtained from an unofficial or compromised resource.

How to remove Crackonosh Trojan

Crackonosh is the name of a trojan stealthily distributed inside cracked software installers. Upon successful installation, its purpose is to inject the XMRIG miner and start mining Monero cryptocurrency for the threat actors. As of now, statistics show that this miner has helped cybercriminals mine Monero worth roughly two million dollars. A couple of words on how the trojan does its malicious job: after the installer of the cracked software is launched, it places an installer and a script onto the targeted system, which then change the Windows Registry settings to turn off hibernation mode and activate Crackonosh in Safe Mode at the next system start-up. This way, the trojan deactivates Windows Update and Windows Defender and is even able to uninstall third-party antivirus programs (e.g., Avast, Bitdefender, Kaspersky, McAfee, and Norton) in order to reduce the chance of being detected and blocked. To conceal its presence, it erases system log files, serviceinstaller.msi files, and maintenance.vbs files. As a result, some infected systems may display error messages indicating issues with the aforementioned files. In addition, Crackonosh may also halt Windows Update services and substitute the Windows Security icon with a fake green system tray icon. The main symptoms that should attract your attention and lead you to suspect something is wrong with your system are slower and laggy PC performance, increased CPU/GPU/RAM usage, overheating, unexpected crashes, and other related issues. Thus, if any of these symptoms are present, make sure to read our guide below and eliminate the potential crypto-mining trojan from your computer.