Virus and Spyware Removal Guides, uninstall instructions
![MLF Ransomware](/images/thumbnails/th-24763-mlf-ransomware.jpg)
What is MLF ransomware?
Our research team discovered the MLF ransomware-type program while inspecting new submissions to VirusTotal. Additionally, MLF belongs to the Phobos ransomware family.
Once a sample of this ransomware was executed on our test machine, it encrypted files and altered their filenames. The titles of affected files were appended with a unique ID assigned to the victim, the cyber criminals' email address, and a ".MLF" extension. For example, a file originally named "1.jpg" appeared as "1.jpg.id[9ECFA84E-3377].[DataRecovery1@cock.li].MLF", etc.
Afterwards, MLF created two files - "info.hta" (pop-up) and "info.txt" - and dropped them onto the desktop. These files contained the ransom notes.
![TigerRAT Malware](/images/thumbnails/th-24758-tigerrat-malware.jpg)
What is TigerRAT?
TigerRAT is a Remote Access Trojan (RAT). This malware operates by allowing attackers to remotely access and control infected machines. RATs are notoriously multifunctional programs that can be used in various ways and pose a broad range of serious threats.
There is proof that TigerRAT was developed and is used by the Lazarus group, a threat actor that is considered to be under the sponsorship of the North Korean state.
![MagicRAT Malware](/images/thumbnails/th-24757-magicrat-malware.jpg)
What is MagicRAT?
MagicRAT is a malicious program classified as a RAT (Remote Access Trojan). This trojan is written in the C++ programming language and uses the Qt Framework; the latter is an uncommon choice in malware development. RATs are designed to enable remote access/control over infected devices.
There is strong evidence suggesting that MagicRAT was developed by the Lazarus group, which is believed to be a North Korean state-sponsored threat actor.
![TabX Browser Hijacker](/images/thumbnails/th-24762-tabx-browser-hijacker.jpg)
What is TabX?
Our research team discovered a website promoting the TabX browser extension while inspecting dubious pages. After analyzing this piece of software, we determined that it operates as a browser hijacker promoting the newtaber.com fake search engine.
![Coinlocker Ransomware](/images/thumbnails/th-24761-coinlocker-ransomware.jpg)
What is Coinlocker ransomware?
While investigating new submissions to VirusTotal, we discovered the Coinlocker ransomware-type program. Malware within this classification encrypts data and demands payment for decryption.
After we executed a sample of Coinlocker on our test machine, it encrypted files and appended their filenames with a ".exe" extension (not to be confused with the Windows executable file format). For example, a file named "1.jpg" appeared as "1.jpg.exe", "2.png" as "2.png.exe", etc.
Once the encryption process was finished, Coinlocker ransomware dropped a ransom note - "bitdecrypter.txt" - on the desktop.
![Tail doing Browser Hijacker](/images/thumbnails/th-24760-tail-doing-browser-hijacker.jpg)
What is Tail doing?
Our researchers discovered the "Tail doing" browser extension while investigating suspicious software-endorsing websites. After analyzing this extension, we determined that it is a browser hijacker. Tail doing modifies browsers to promote the tailsearch.com fake search engine. Additionally, this browser extension collects private data.
![You Have 3 Encrypted Documents Email Scam](/images/thumbnails/th-24759-you-have-3-encrypted-documents-email-scam.jpg)
What kind of email is "You Have 3 Encrypted Documents"?
After inspecting the "You Have 3 Encrypted Documents" email, we determined that it is spam. Letters of this spam campaign operate as phishing scams. By claiming that recipients have been sent secured files, the mail attempts to trick users into disclosing their email account log-in credentials.
![Ourwowspot.com Ads](/images/thumbnails/th-24756-ourwowspot-com-ads.jpg)
What kind of page is ourwowspot[.]com?
Our research team found ourwowspot[.]com, a webpage that promotes browser notification spam, while inspecting untrustworthy sites. In addition to attempting to deceive visitors into allowing it to deliver notifications, this page can also redirect them to other (likely untrustworthy/malicious) websites.
Users typically access ourwowspot[.]com and similar sites via redirects caused by webpages that use rogue advertising networks.
![Bobik Malware](/images/thumbnails/th-24755-bobik-malware.jpg)
What is Bobik?
Bobik is a piece of malicious software classified as a RAT (Remote Access Trojan). These trojans are designed to enable remote access/control over infected machines. Bobik can perform various malicious activities, including causing chain infections, stealing data, and adding compromised devices to a botnet to launch DDoS attacks.
This malware has been actively used in geopolitically-motivated assaults against Ukraine and its allies. Bobik-enabled DDoS attacks are cybercrime elements in the Ukrainian war.
This activity has been linked to a little-known pro-Russian hacker group called NoName057(16); the link is further supported by evidence gathered by Avast's researchers, such as the group's bragging on Telegram coinciding with Bobik's DDoS attacks. However, Avast has also estimated that this hacker group's success rates range from 20-40%.
![Stream-trust.xyz Ads](/images/thumbnails/th-24754-stream-trust-xyz-ads.jpg)
What kind of page is stream-trust[.]xyz?
Our researchers found the stream-trust[.]xyz rogue page during a routine investigation of dubious websites. This webpage is designed to push browser notification spam and redirect visitors to different (likely deceptive/malicious) sites.
Users typically enter stream-trust[.]xyz and similar websites via redirects caused by pages using rogue advertising networks.