Listed below are some of the latest threats that are identified by Trend Micro:
Potentially Unwanted Application
A Potentially Unwanted Application (PUA) is any program that may be unwanted by the user despite the possibility that it was installed with consent. PUAs can pose risks to user's privacy, security and may contribute in consuming computer resources. It may be bundled with other programs that trick unaware users during the installation process with options already allowing the installation of the unwanted program.
Once installed, PUA may display bogus notification, annoying ads and fake messages. To remove unwanted applications, follow the instructions on this Knowledge Base article: How to remove Potentially Unwanted Applications.
Technical Support Scam
A Suspected Technical Support Phone Scam refers to the act of a third party (usually unaffiliated with a software vendor) who may attempt to take advantage of an unsuspecting user's concerns about malware, virus infections and other online threats in order to make money. The most common way that these scammers try and lure their victims is by making unsolicited phone calls or through the use of false advertisements to gain control of one's computer. In many cases the third party may misrepresent themselves or their company by claiming to be the original software vendor or an official support agent or representative.
We recommend to do the following when responding to technical support scams:
- Do not allow someone to take control of your computer especially from suspicious third party support.
- Never provide credit card or financial information to anyone unless you are 100% confident you are working with your software provider. Scammers may utilize phone directories to know your name.
- Whenever you receive a random phone call or see pop-up notifications/advertisements (see picture below) and you are uncertain whether it is from Trend Micro, you are advised to hang up and validate with Trend Micro Technical Support. The only authorized technical support phone numbers for Trend Micro will be located on Trend Micro’s website.
For more information about Suspected Technical Support Phone Scams, refer to this Knowledge Base article: Frequently Asked Questions (FAQs) about Suspected Third Party Technical Support Scams.
WannaCry
Trend Micro is closely monitoring the latest ransomware outbreak that has affected several organizations around the world. This ransomware attack is referred to as WCRY or WannaCry. This ransomware is taking advantage of a recently disclosed Microsoft vulnerability (MS17-010 – “Eternalblue”) associated with the Shadow Brokers tools release. After a computer is infected, WannaCry ransomware targets and encrypts 176 file types. Some of the file types WannaCry targets are database files, multimedia and archive files, as well as Microsoft Office documents. In its ransom note, which supports 27 languages, it initially demands US$300 worth of Bitcoins from its victims—an amount that increases incrementally after a certain time limit. The victim is also given seven days before the affected files are deleted.
For more information about WannaCry Ransomware, refer to this Knowledge Base article: WCRY (WannaCry) Ransomware Attack and Trend Micro Security Protection.
Petya
Petya is an old, existing ransomware that first emerged in 2016. It’s known to overwrite the system’s Master Boot Record (MBR), locking users out of their machines with a blue screen of death (BSoD). In Petya’s case, the BSoD screen is used to show the ransom note. Known to be peddled as ransomware as a service (RaaS) in underground marketplaces, it has undergone several alterations and rehashes since it was first discovered.
This version of Petya employs remote code execution to propagate within the local network using PSEXEC.exe (renamed as DLLHOST.DAT). This Petya variant can also propagate by exploiting EternalBlue.
Petya will drop a copy of itself in the affected machine by using DLLHOST.DAT with certain parameters and enumerated credentials. If unsuccessful, Petya will use WMIC.exe to execute the ransomware.
Petya has a customized version of Mimikatz, a penetration testing tool, embedded within the ransomware that extracts usernames and passwords from the affected system. These stolen credentials are also used to spread Petya to other machines within the local network.
For more information about PETYA Ransomware, refer to this Knowledge Base article: PETYA (2017) Ransomware Attack and Trend Micro Security Protection.
Kovter
Kovter is a Trojan that can be downloaded by other malware/grayware/spyware from remote sites. It connects to certain websites to send and receive information. It deletes the initially executed copy of itself.
For more information about KOVTER, refer to this Knowledge Base article: KOVTER Trojan and Trend Micro Security Protection.
To remove these identified threats, Trend Micro has several free tools that can be used even if the product is not installed in your computer. To know more on how to use these tools, visit this Knowledge Base article: Free anti-malware tools for Home Users.