Watch out for new browser hijacker – tolmkat

Recently, X-Sec Labs caught a new browser hijacker, tolmkat, which comes from China and ships in both 32-bit and 64-bit versions.

Behavior:

  • Hijacks browsers to specific pages: it appends extra parameters to the end of the browsers' shortcut links, so the browsers open the specified pages when launched
    • Affected browsers:
      • iexplore.exe (Microsoft Internet Explorer)
      • chrome.exe (Google Chrome)
      • firefox.exe (Mozilla Firefox)
      • 360se.exe (Qihoo 360 Security Browser)
      • 360chrome.exe (Qihoo 360 Browser)
      • QQBrowser.exe (QQ Browser)
      • 2345Explorer.exe (2345 Browser)
      • 2345chrome.exe (2345 Browser)
      • baidubrowser.exe (Baidu Browser)
      • SogouExplorer.exe (Sogou Browser)
      • Maxthon.exe (Maxthon Browser)
      • liebao.exe (Cheetah Browser)
      • UCBrowser.exe (UC Browser)
  • Gets its configuration from a server
  • Uses a kernel driver to protect itself
    • The driver is signed with a valid certificate
      • Signer: 深圳市忆艺科技有限公司
      • Signing date: 2016.6.21
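As an added illustration of the shortcut trick (this is not X-Sec's code), here is a small Python parser for the Windows ShellLink (.lnk) format that reads the target path and the StringData fields and reports browser shortcuts whose command-line arguments carry a URL. The sample shortcut is constructed in-code; build_lnk, parse_lnk, check_shortcut and the hijack.example URL are assumptions for this example.

```python
import re
import struct

# LinkFlags bits from MS-SHLLINK 2.1.1 that decide which optional sections follow the header
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = ["name", "relative_path", "working_dir", "arguments", "icon_location"]  # bits 0x04..0x40
LNK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "360se.exe", "360chrome.exe",
            "qqbrowser.exe", "2345explorer.exe", "2345chrome.exe", "baidubrowser.exe",
            "sogouexplorer.exe", "maxthon.exe", "liebao.exe", "ucbrowser.exe"}

def parse_lnk(data):
    """Return the target path (from LinkInfo) and StringData fields of a .lnk blob as {field: str}."""
    flags, = struct.unpack_from("<I", data, 0x14)       # LinkFlags sits at offset 20 of the header
    pos, fields = 0x4C, {}                              # ShellLinkHeader is always 0x4C bytes
    if flags & HAS_ID_LIST:                             # u16 IDListSize + IDList body, skipped here
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                           # LinkInfo: sizes, flags and offsets, all u32
        size, _hdr, li_flags, _vol, lbp_off = struct.unpack_from("<5I", data, pos)
        if li_flags & 1:                                # VolumeIDAndLocalBasePath: NUL-terminated ANSI path
            end = data.index(b"\0", pos + lbp_off)
            fields["local_base_path"] = data[pos + lbp_off:end].decode("cp1252", "replace")
        pos += size                                     # LinkInfoSize counts the whole structure
    for i, name in enumerate(STRING_FIELDS):            # strings appear in this fixed order
        if flags & (0x04 << i):
            count, = struct.unpack_from("<H", data, pos); pos += 2   # CountCharacters, no terminator
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + width * count]; pos += width * count
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    return fields

def build_lnk(target, working_dir, arguments):
    """Construct a minimal .lnk blob with LinkInfo + Unicode strings (constructed test input, not a real file)."""
    flags = HAS_LINK_INFO | 0x10 | 0x20 | IS_UNICODE   # HasLinkInfo, HasWorkingDir, HasArguments, IsUnicode
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags).ljust(0x4C, b"\0")
    path = target.encode("cp1252") + b"\0"
    # LinkInfoSize, HeaderSize, Flags=VolumeIDAndLocalBasePath, VolumeIDOffset, LocalBasePathOffset,
    # CommonNetworkRelativeLinkOffset, CommonPathSuffixOffset (points at the final NUL = empty suffix)
    link_info = struct.pack("<7I", 28 + len(path), 28, 1, 0, 28, 0, 27 + len(path)) + path
    def enc(s): return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + link_info + enc(working_dir) + enc(arguments)

def check_shortcut(data):
    """Return a finding when a browser shortcut's arguments smuggle in a start page, else None."""
    info = parse_lnk(data)
    target = info.get("local_base_path") or info.get("relative_path", "")
    exe = target.replace("\\", "/").rsplit("/", 1)[-1].lower()
    args = info.get("arguments", "")
    if exe in BROWSERS and re.search(r"https?://|\bwww\.", args, re.I):
        return f"{exe}: launches with extra argument {args!r}"
    return None
```

Run check_shortcut(open(path, "rb").read()) over the .lnk files in the Desktop, Quick Launch and Start Menu folders; a clean browser shortcut has empty arguments, so any URL there is worth a look.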

X-Sec Antivirus can detect them easily~

X-Sec Antivirus detected tolmkat

Related MD5:

Common types of Trojan

  • Downloader: downloads other malware
  • Dropper: drops (writes and launches) other malware
  • Injector: injects its code into another process (the injected process is usually not itself malicious) and lets that process do the evil work
  • InfoStealer: steals users' private information, such as card numbers, usernames & passwords, cookies, etc.
  • Ransomware: encrypts users' personal files, then demands money to decrypt them. [How to avoid ransomware infecting your computer?]

How to identify a phishing site

Phishing sites are one of the most common threats to Internet users. We should not rely only on our security products: it is very easy to create a new phishing site with a few changes to the source code that attackers already have.

So, it's time to learn to identify phishing sites ourselves!

  • Domain: we recommend memorising a few common domains (Google, PayPal, Apple, etc.); before you log in or pay, check the domain first!
    • Google Accounts: https://accounts.google.com/
    • Google Docs: https://docs.google.com/
    • PayPal: https://www.paypal.com/signin
    • Apple ID: https://appleid.apple.com/
    • iCloud: https://www.icloud.com/
  • HTTPS: most login/payment pages use HTTPS to secure the data transfer (like the URLs listed above, which begin with "https://"), so don't forget to check it! [But some phishing sites now also use HTTPS, so do not rely on it too much :-)]
  • Content: on some phishing sites the image quality is much lower than on the official site, and the content contains spelling errors.
  • Links: most phishing sites don't maintain all of the links inside their pages (usually copied from the official site), or every link just points back to the page itself; this is also a good way to identify a phishing site.
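The domain and HTTPS checks above, carried out as an added Python example (not code from the original post): an exact-hostname allowlist built from the URLs listed above, plus the cases a visual check tends to miss. The evil.example host and the function name check_login_url are assumptions for this example.

```python
from urllib.parse import urlsplit

# Exact hostnames expected for each service, taken from the URLs recommended above (constructed allowlist)
EXPECTED_HOSTS = {
    "google": {"accounts.google.com", "docs.google.com"},
    "paypal": {"www.paypal.com"},
    "apple": {"appleid.apple.com", "www.icloud.com"},
}

def check_login_url(url, service):
    """Return the reasons a login/payment URL should not be trusted for `service` (empty list = passes)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")   # hostname already strips the port and userinfo
    reasons = []
    if parts.scheme != "https":
        reasons.append("scheme is not https")
    if parts.username is not None:                       # e.g. https://accounts.google.com@evil.example/
        reasons.append("userinfo before '@' is a decoy; the real host comes after it")
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("non-ASCII or punycode host, possible look-alike characters")
    if host not in EXPECTED_HOSTS.get(service, set()):
        # exact match on purpose: a substring test would accept accounts.google.com.evil.example
        reasons.append(f"host {host!r} is not an expected {service} host")
    return reasons
```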

Common types of malware

  • Trojan: they usually obtain system privileges, destroy the system, steal private user information, and download/drop other malware
  • Backdoor: hackers can use this to monitor & control your computer silently.
  • Worm: they spread through networks and replicate themselves on other connected computers; sometimes they also steal private user information.
  • Virus: most of them infect other files, but most infected files can be restored to their normal condition after the virus is cleaned.
  • Exploit: they use vulnerabilities in the operating system or programs to gain high privileges or attack your computer.
  • Hacktool: hackers can use these to attack your computer, launch DDoS attacks, scan computers for vulnerabilities, etc.
  • Adware: usually bundled with free software; pops up annoying ads and slows down the computer.
  • PUA: Potentially Unwanted Application; such software usually does not have a good reputation and is bundled into silent installers.
  • Macro: macro viruses are malware stored in the macros of Microsoft Office files or templates. Once such a file is opened, the macro runs, activating the macro virus so that it installs itself in the Normal template. Afterwards, all auto-saved files are infected with the macro virus.

How to avoid ransomware infecting your computer

Recently, ransomware has become one of the most widespread threats all over the world: it encrypts your personal data and asks for money (usually in Bitcoin). Although the master key of TeslaCrypt has become public and many antivirus vendors have created decryptors for it, there is still a lot of ransomware that cannot be decrypted.

Here are some tips to keep ransomware from infecting your computer and encrypting your personal data.

  • Do not open any attachments in emails from unknown sources; email is still the most common method of spreading ransomware.
  • Always keep your operating system and security software up to date.
  • Always keep your browser and Adobe Flash Player up to date; some ransomware has used browser and Adobe Flash Player exploits to infect computers.
  • Regularly back up your personal data; this minimises losses if your computer is accidentally infected by ransomware.