Virus and Spyware Removal Guides, uninstall instructions

Reportyouridentity.site Ads

What kind of page is reportyouridentity[.]site?

While investigating reportyouridentity[.]site, we found that it is a deceptive page designed to trick visitors into believing that their computers are infected. Also, reportyouridentity[.]site asks for permission to show notifications. Our team discovered reportyouridentity[.]site while inspecting websites that use rogue advertising networks.

   
DHL Shipping Document/Invoice Receipt Email Scam

What kind of email is "DHL Shipping Document/Invoice Receipt"?

Our analysis of the "DHL Shipping Document/Invoice Receipt" email revealed that it is fake. This spam letter is presented as a notification from DHL - a legitimate logistics, courier, delivery, and express mail company. This mail attempts to trick recipients into disclosing their email account log-in credentials through a bogus invoice document.

   
TONEINS Trojan

What is TONEINS?

TONEINS is the name of a backdoor malware. This software is designed to open a "backdoor" for additional malicious components or programs into compromised systems.

TONEINS, alongside TONESHELL and PUBLOAD, has been observed being distributed in cyberespionage campaigns particularly active in Asia, namely Myanmar, the Philippines, Japan, Taiwan, and other countries.

These operations target a wide variety of spheres; most heavily affected are governmental and legal entities, but large-scale campaigns were also leveraged against education, academics, research, and various organizations associated or working with the Myanmar government.

The noted spam emails, and the infectious documents proliferated through them, held content associated with the targeted sphere, global topics, geopolitics, controversies, or even pornography. Specifically, TONEINS was heavily distributed in virulent archive files delivered via malspam.

This malicious activity is linked to the Earth Preta (aka Bronze President, Mustang Panda) group. In addition to the aforementioned malware, this group is known to employ Cobalt Strike and PlugX.

   
Uyit Ransomware

What kind of malware is Uyit?

Uyit is ransomware that encrypts files, appends the ".uyit" extension to filenames, and drops a ransom note (the "_readme.txt" file). Uyit is one of the Djvu ransomware variants. We discovered it while checking the VirusTotal page for recently submitted malware samples. It is common for Djvu ransomware to be distributed with information stealers like Vidar and RedLine.

An example of how Uyit renames files: it changes "1.jpg" to "1.jpg.uyit", "2.png" to "2.png.uyit", and so forth.

   
Timespace.top Ads

What kind of page is timespace[.]top?

Timespace[.]top is a rogue page that our researchers found while inspecting dubious websites. This webpage promotes spam browser notifications and can redirect visitors to other (likely deceptive/malicious) sites.

Most users access pages like timespace[.]top via redirects caused by sites using rogue advertising networks, spam notifications, intrusive ads, or installed adware.

   
Trigona Ransomware

What kind of malware is Trigona?

Trigona is ransomware that encrypts files and appends the "._locked" extension to filenames. Also, it drops the "how_to_decrypt.hta" file that opens a ransom note. An example of how Trigona renames files: it renames "1.jpg" to "1.jpg._locked", "2.png" to "2.png._locked", and so forth.

It embeds the encrypted decryption key, the campaign ID, and the victim ID in the encrypted files.

   
Bazek Ransomware

What kind of malware is Bazek?

Bazek is ransomware that our team discovered while checking the VirusTotal site for recently submitted malware samples. We found that it encrypts files, appends the ".bazek" extension to filenames, and drops the "README.txt" file containing a ransom note.

Our team also learned that there are two Bazek variants. The other one displays a ransom note in a pop-up window instead of dropping a text file. An example of how Bazek modifies filenames: it renames "1.jpg" to "1.jpg.bazek", "2.png" to "2.png.bazek", and so forth.

   
IdentityStack Adware (Mac)

What kind of application is IdentityStack?

While analyzing the IdentityStack application, our team found that it shows annoying advertisements and can read sensitive information. Thus, we classified IdentityStack as adware. This application was discovered while inspecting deceptive websites offering to update supposedly outdated software and similar sites.

   
LilithBot Malware

What is LilithBot?

LilithBot is a highly versatile piece of malicious software. There are several variants of this malware, and it primarily operates as a botnet, cryptominer, clipper, and stealer.

Research by Zscaler suggests that the developers of LilithBot are the same ones behind the Eternity malware family. Both LilithBot and Eternity are being offered as MaaS (Malware-as-a-Service). Therefore, the proliferation and usage of these programs can vary drastically.

   
Uyro Ransomware

What kind of malware is Uyro?

Uyro is one of the Djvu ransomware variants designed to encrypt files, drop a ransom note, and append its extension to filenames. Uyro drops the "_readme.txt" file and appends the ".uyro" extension to filenames. We discovered Uyro ransomware while examining malware samples submitted to VirusTotal.

An example of how Uyro modifies filenames: it renames "1.jpg" to "1.jpg.uyro", "2.png" to "2.png.uyro", and so forth. It is important to mention that Djvu ransomware is often distributed with RedLine, Vidar, and other information stealers.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
