Virus and Spyware Removal Guides, uninstall instructions

Large File Send Email Scam

What kind of email is "Large File Send"?

"Large File Send" is an email that our research revealed to be spam. This fake letter operates as a phishing scam targeting email account log-in credentials. It does so by claiming that a file sent to the recipient can only be accessed by following the provided link.

   
Exactofferslink.com Ads

What kind of page is exactofferslink[.]com?

Exactofferslink[.]com is a rogue page discovered by our research team during a routine investigation of untrustworthy websites. This webpage promotes scams and spam browser notifications. Additionally, it can redirect visitors to other (likely untrustworthy/malicious) sites.

Users typically access webpages like exactofferslink[.]com via redirects caused by websites that use rogue advertising networks.

   
Videos Adware

What kind of application is Videos?

While examining the Videos application, we found that it belongs to the ChromeLoader malware family. It is an advertising-supported application that shows unwanted ads. We discovered the Videos app after downloading a VHD file from a deceptive page. It is important to mention that ChromeLoader apps usually come with other potentially malicious apps.

   
Bkqfmsahpt Ransomware

What is Bkqfmsahpt ransomware?

Bkqfmsahpt is a piece of malicious software classified as ransomware. We discovered this program while inspecting new malware submissions to VirusTotal. It is noteworthy that Bkqfmsahpt is part of the Snatch ransomware family.

On our test machine, Bkqfmsahpt encrypted files and changed their filenames by appending a ".bkqfmsahpt" extension to the original names, e.g., a file originally named "1.jpg" appeared as "1.jpg.bkqfmsahpt", "2.png" as "2.png.bkqfmsahpt", and so on.

Once the encryption process was finished, the ransomware created a text file titled "HOW TO RESTORE YOUR FILES.TXT" that contains the ransom note. Based on the message within the file, it is evident that Bkqfmsahpt targets companies rather than home users.

   
Suspension Notice Email Scam

What kind of email is "Suspension Notice"?

Our inspection of the "Suspension Notice" email revealed that it is spam operating as a phishing scam. This fake letter is presented as a notification from the recipient's email service provider stating that their account has been marked for suspension. Through a bogus verification process, this scam extracts victims' email log-in credentials (passwords), thereby allowing the scammers to steal the exposed accounts.

   
Storage Controller Adware

What kind of application is Storage Controller?

Our team downloaded and tested the Storage Controller browser extension and found that it shows unwanted advertisements. Additionally, it can read and change data on all websites. Since Storage Controller shows ads, we classified it as adware. We discovered this app on a deceptive website.

   
IcSpy Malware (Android)

What is IcSpy?

IcSpy is a malicious program designed to infect Android devices. It is an information-stealing malware that primarily targets banking and finance-related data.

The researched variant was disguised as the app of the State Bank of India (SBI); however, other disguises are possible. This version was distributed via smishing (SMS phishing) campaigns. The deceptive texts contained links leading to a phishing page inviting visitors to install the "SBI" application following an information-harvesting process.

Trend Micro researchers have inspected multiple Indian bank-centered smishing campaigns that, in addition to IcSpy, proliferate AxBanker, Elibomi, FakeReward, and IcRAT. However, at the present time, it cannot be stated that these malspam operations are interlinked.

   
Scam Victim Compensation Funds Email Scam

What kind of email is "Scam Victim Compensation Funds"?

We have analyzed this email and found that it was sent by fraudsters who seek to extract money and/or sensitive information. Scammers aim to convince recipients who have been scammed in the past that they can receive compensation of three million British pounds. It is a scam email that should be marked as spam and deleted.

   
IcRAT Malware (Android)

What is IcRAT?

IcRAT is a Remote Access Trojan (RAT) that targets Android Operating Systems (OSes). RATs are designed to allow attackers to assume control over infected devices.

IcRAT has been notably proliferated through smishing (SMS phishing) campaigns, which go after clients of well-known Indian banks. The deceptive text messages lure users into following a link and downloading this malware by claiming that they will receive a reward from their bank.

According to the research undertaken by Trend Micro analysts, there has been an influx of similar campaigns targeting customers of Indian banks. In addition to IcRAT, the spam operations distributed AxBanker, Elibomi, FakeReward, and IcSpy. At the time of writing, there is no concrete evidence linking these campaigns.

   
Elibomi Malware (Android)

What is Elibomi?

Elibomi is multi-functional malware targeting Android Operating Systems (OSes). This malicious program can perform various actions on infected devices, and it can extract a broad range of sensitive data. This malware has been around since at least 2020, and it has multiple iterations.

Recently, Elibomi has been observed being distributed in smishing (SMS phishing) and email spam campaigns that target Indian users. According to Trend Micro researchers, there are several large campaigns focusing on the users of popular Indian banks. In addition to Elibomi, these criminal operations involve AxBanker, FakeReward, IcRAT, and IcSpy malicious programs. Currently, there is not enough evidence to link these campaigns to a single source.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
