Virus and Spyware Removal Guides, uninstall instructions

Bkqfmsahpt Ransomware

What is Bkqfmsahpt ransomware?

Bkqfmsahpt is a piece of malicious software classified as ransomware. We discovered this program while inspecting new malware submissions to VirusTotal. It is noteworthy that Bkqfmsahpt is part of the Snatch ransomware family.

On our test machine, Bkqfmsahpt encrypted files and changed their filenames. Original titles were appended with a ".bkqfmsahpt" extension, e.g., a file originally named "1.jpg" appeared as "1.jpg.bkqfmsahpt", "2.png" as "2.png.bkqfmsahpt", and so on.

Once the encryption process was finished, the ransomware created a text file titled "HOW TO RESTORE YOUR FILES.TXT" that contains the ransom note. Based on the message within the file, it is evident that Bkqfmsahpt targets companies rather than home users.

   
Suspension Notice Email Scam

What kind of email is "Suspension Notice"?

Our inspection of the "Suspension Notice" email revealed that it is spam operating as a phishing scam. This fake letter is presented as a notification from the recipient's email service provider stating that their account has been marked for suspension. Through a bogus verification process, this scam extracts victims' email log-in credentials (passwords) - thereby allowing the scammers to steal the exposed accounts.

   
Storage Controller Adware

What kind of application is Storage Controller?

Our team downloaded and tested the Storage Controller browser extension and found that it shows unwanted advertisements. Additionally, it can read and change data on all websites. Since Storage Controller shows ads, we classified it as adware. We discovered this app on a deceptive website.

   
IcSpy Malware (Android)

What is IcSpy?

IcSpy is a malicious program designed to infect Android devices. It is an information-stealing malware that primarily targets banking and finance-related data.

The researched variant was disguised as the app of the State Bank of India (SBI); however, other disguises are possible. This version was distributed via smishing (SMS phishing) campaigns. The deceptive texts contained links leading to a phishing page inviting visitors to install the "SBI" application following an information-harvesting process.

Trend Micro researchers have inspected multiple Indian bank-centered smishing campaigns that, in addition to IcSpy, proliferate AxBanker, Elibomi, FakeReward, and IcRAT. However, at the present time, it cannot be stated that these malspam operations are interlinked.

   
Scam Victim Compensation Funds Email Scam

What kind of email is "Scam Victim Compensation Funds"?

We have analyzed this email and found that it was sent by fraudsters who seek to extract money and/or sensitive information. Scammers aim to convince recipients who have been scammed in the past that they can receive compensation of three million British pounds. It is a scam email that should be marked as spam and deleted.

   
IcRAT Malware (Android)

What is IcRAT?

IcRAT is a Remote Access Trojan (RAT) that targets Android Operating Systems (OSes). RATs are designed to allow attackers to assume control over infected devices.

IcRAT has been notably proliferated through smishing (SMS phishing) campaigns, which go after clients of well-known Indian banks. The deceptive text messages lure users into following a link and downloading this malware by claiming that they will receive a reward from their bank.

According to the research undertaken by Trend Micro analysts, there has been an influx of similar campaigns targeting customers of Indian banks. In addition to IcRAT, the spam operations distributed AxBanker, Elibomi, FakeReward, and IcSpy. At the time of writing, there is no concrete evidence linking these campaigns.

   
Elibomi Malware (Android)

What is Elibomi?

Elibomi is multi-functional malware targeting Android Operating Systems (OSes). This malicious program can perform various actions on infected devices, and it can extract a broad range of sensitive data. This malware has been around since at least 2020, and it has multiple iterations.

Recently, Elibomi has been observed being distributed in smishing (SMS phishing) and email spam campaigns that target Indian users. According to Trend Micro researchers, there are several large campaigns focusing on the users of popular Indian banks. In addition to Elibomi, these criminal operations involve AxBanker, FakeReward, IcRAT, and IcSpy malicious programs. Currently, there is not enough evidence to link these campaigns to a single source.

   
FakeReward Malware (Android)

What is FakeReward?

FakeReward is the name of a malicious program targeting Android devices. It is designed to obtain personally identifiable and banking-related information. There are multiple variants of FakeReward; at least five versions have been spotted at the time of writing.

FakeReward has been actively proliferated via smishing (SMS phishing) campaigns. These SMS messages targeted clients of the three largest Indian banks.

Trend Micro researchers have discovered several spam campaigns targeting Indian users. These operations involve the following malware - AxBanker, Elibomi, IcRAT, and IcSpy. However, currently, these campaigns cannot be definitively connected to one another.

   
SearchBlox Malware

What is SearchBlox?

SearchBlox is a malicious Google Chrome browser extension. There are two variants of this extension, and both promise to allow users to search the Roblox video game platform servers for a specific player. Instead, this piece of malicious software targets data associated with Roblox and Rolimons - the former's trading platform.

SearchBlox has surfaced several times on the Chrome Web Store and has been removed at least once since July 2022. However, it is known that at least two hundred thousand users have already downloaded this malware. There is no concrete evidence on whether this extension has always been intended for this malicious use or became trojanized at some point.

   
Mafer Ransomware

What kind of malware is Mafer?

Mafer is one of the VoidCrypt ransomware variants. It is designed to encrypt files, append the victim's ID, the dr.filees@gmail.com email address, and the ".Mafer" extension to filenames, and drop a text file ("Read_Me!_.txt") containing a ransom note. Our team discovered Mafer while examining malware samples submitted to VirusTotal.

An example of how Mafer renames files: it changes "1.jpg" to "1.jpg.[ID=hhNAst-Mail=dr.filees@gmail.com].Mafer", "2.png" to "2.png[ID=hhNAst-Mail=dr.filees@gmail.com].Mafer", and so forth.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
