Virus and Spyware Removal Guides, uninstall instructions

Stalled Funds - United Bank Of Africa Email Scam

What kind of email is "Stalled Funds - United Bank Of Africa"?

"Stalled Funds - United Bank Of Africa" is a phishing email targeting recipients' personally identifiable and financial information. The letter aims to extract the highly sensitive data by falsely claiming that a nonexistent payment to the recipient, which has been unjustly stalled, will be transferred to them without further issue.

It must be emphasized that the information provided by this email is fake, and this mail is in no way associated with the actual United Bank for Africa or any other real individuals or entities.

   
JanelaRAT Malware

What kind of malware is JanelaRAT?

JanelaRAT is a Remote Access Trojan (RAT). It is a piece of sophisticated malicious software designed to enable remote access and control over compromised machines.

JanelaRAT has been observed in attacks targeting Latin American banking and financial institutions. Based on the use of Portuguese in the malware's code, it is highly likely that its developers are speakers of this language.

   
Taqw Ransomware

What kind of malware is Taqw?

Our researchers found the Taqw ransomware-type program during a routine inspection of new submissions to VirusTotal. This piece of malicious software is part of the Djvu ransomware family. Programs within the ransomware classification are designed to encrypt data and demand payment for its decryption.

On our testing system, Taqw encrypted files and appended a ".taqw" extension to their filenames. To elaborate, a file initially named "1.jpg" appeared as "1.jpg.taqw", "2.png" as "2.png.taqw", and so on for all of the locked files. Afterwards, Taqw created a ransom note titled "_readme.txt".

It is pertinent to mention that Djvu ransomware commonly arrives onto systems together with Vidar, RedLine, or other information-stealing malware.

   
Agniane Stealer

What kind of malware is Agniane?

Agniane is a stealer – a type of malware designed to extract and exfiltrate sensitive information from infected machines. This stealer is heavily focused on stealing cryptocurrency-related data.

   
NightClub Malware

What kind of malware is NightClub?

NightClub is malware with spyware and data-stealing capabilities. This program has at least four versions, with the earliest variant dating back to 2014.

NightClub malware is used by a threat actor dubbed MoustachedBouncer. This group has been around for nearly a decade and almost exclusively targets foreign embassies in Belarus. Known attacks include those on the embassies of four countries: two located in Europe and one each in Africa and South Asia. Aside from NightClub, this threat actor uses another toolset referred to as Disco.

   
MotionOptimizer Adware (Mac)

What kind of application is MotionOptimizer?

We discovered the MotionOptimizer application during a routine investigation of new submissions to the VirusTotal site. Our analysis revealed that this app is advertising-supported software (adware) and that it belongs to the AdLoad malware family.

   
XI New Tab Browser Hijacker

What kind of software is XI New Tab?

XI New Tab is a rogue extension promising to display browser wallpapers. Our research team discovered it while investigating untrustworthy websites.

After analyzing XI New Tab, we learned that it makes modifications to browser settings in order to promote (through redirects) the xitabs.com fake search engine. Due to this behavior, this extension is classed as browser-hijacking software.

   
Knight Ransomware

What kind of malware is Knight?

Knight ransomware is the rebrand of Cyclops. Malware within this classification is designed to encrypt files and demand ransoms for their decryption.

When we executed a sample of Knight on our test system, it began encrypting files and appended a ".knight_l" extension to their filenames. For example, a file initially titled "1.jpg" appeared as "1.jpg.knight_l", "2.png" as "2.png.knight_l", etc. Afterward, a ransom note titled "How To Restore Your Files.txt" was dropped into every encrypted folder on the system.

It is pertinent to mention that the group behind Knight operates it as Ransomware-as-a-Service, and these threat actors also offer information-stealing malware. Hence, there is a possibility that these ransomware infections could have a double-extortion element to them. The variant we investigated mentioned the use of such tactics.

   
Tasa Ransomware

What kind of malware is Tasa?

While inspecting new submissions to the VirusTotal website, our researchers discovered the Tasa malicious program. It is part of the Djvu ransomware family. Programs within this classification operate by encrypting data and making ransom demands for its decryption.

After we launched a sample of Tasa ransomware on our test machine, it encrypted files and added the ".tasa" extension to their filenames. For example, a file initially named "1.jpg" appeared as "1.jpg.tasa", "2.png" as "2.png.tasa", etc. Once this process was finished, a ransom note titled "_readme.txt" was created.

It is worth mentioning that Djvu ransomware commonly infiltrates systems alongside data stealers such as RedLine, Vidar, and others.

   
Taoy Ransomware

What kind of malware is Taoy?

Our research team discovered another ransomware from the Djvu family called Taoy during a routine inspection of new submissions to the VirusTotal website. Ransomware is designed to encrypt data and demand payment for its decryption.

On our test machine, Taoy encrypted files and appended a ".taoy" extension to their filenames. To elaborate, a file initially named "1.jpg" appeared as "1.jpg.taoy", "2.png" as "2.png.taoy", and so on for all of the affected files. Once the encryption process was completed, Taoy ransomware created a ransom-demanding message titled "_readme.txt".

It is pertinent to mention that Djvu ransomware is commonly distributed alongside information-stealing malware such as RedLine, Vidar, or others. Therefore, in addition to data loss, these infections may seriously threaten victims' privacy.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
