Weird, Scary, and Annoying malware

-

For the majority of the time, malware is a serious problem, and its creation is sponsored by organised crime syndicates and nation states looking to commit cyberespionage and wage cyberwar. However, there are some malware that are just funny, and its developers took more care over how to annoy a victim than to just do something malicious. 
I came across one malware called the Memz Trojan and wondered if more equally ridiculous malicious software exists. 

The MEMZ Trojan - see above - is a custom-made Windows malware, originally created for a Viewer-Made Malware YouTube series as a parody of a script kiddie's idea of dangerous malware. It has gained fame and notoriety due to its highly complex and unique payloads, many of which are based around internet memes. MEMZ is mainly thought of as a joke. However, the very same script kiddies have the MEMZ Trojan and from this video, it appears to have been deployed on a laptop at an educational institution. Although it may be a joke, any device that is infected with the MEMZ Trojan has its master boot record (MBR) wiped, making it unable to locate the OS on the device, and leaves it with an infinite loop of the annoying Nyan cat over and over again.


Next up is a malicious version of the once popular BonziBuddy software called Evil BonziBuddy. The original software is an animated purple gorilla that resided on a user's desktop and communicated through the employment of Microsoft Agent technology. It was reportedly said to contain adware and researchers found it had keylogging properties. Script kiddies then created Evil BonziBuddy. Instead of “helping” a person explore the Internet through various functions along with their own sidekick, Evil BonziBuddy hijacks their system and begins to open large amounts of default programs that slows down the system, playing annoying music, displaying abusive messages, and being a nuisance overall.


Ransomware is a common threat nowadays that has evolved to become one of the most costly attacks a large organisation can receive. Ransomware typically encrypts all files on a victim’s device and makes it unusable. The only way to get access back to your machine is to pay a ransom sum in Bitcoin to the attackers that promise to release a decryption key to restore your files and machine. In steps Rensenware, a ransomware which encrypts your files but does not require a ransom payment to restore them. Instead, Rensenware requires the victim to earn 0.2 billion points in ‘Lunatic Mode’ on TouHou to win the decryption key. Luckily for victims, the decryption key can be retrieved by editing the total points with another program, but why not test your gaming skills?


The Lacon Worm is another joke malware which appeared in the early 2000s. Like most malware, it spread via email. When someone clicked on the malicious attachment it would go to their contacts too. The Lacon Worm became very well known for this ability to spread rapidly. However, it was not at all damaging and whoever created the Worm made it leave all files untouched and not to do anything particularly malicious, other than Worm through contact lists and inboxes around the world. On the 10th of every month, the Lacon Worm would log the user out and end all running processes. When the user logs back in and tries to go to Internet Explorer the homepage is replaced with an odd sketch from the comedy web-series ‘Homestar Runner’ about his website going down. 

Malware developers also seem to have a habit of creating malware that is named after an actual medical virus, such as Coronavirus, Zika, Ebola, or even AIDS. With each pandemic or new virus we can surely expect this to be the case:

(AIDS virus virus)

(Ebola virus virus)

(Zika virus virus)

(Corona virus virus)

Other honorable mentions go to:



The cleverly named You Are An Idiot malware is one of the most intentionally annoying. As tabs fill up the screen, calling you an idiot, the device slows down making it harder to close the rapidly opening tabs and will usually end up with you calling tech support.

Cisco Talos has also compiled an interesting list, to say the least, of Donald Trump, Vladimir Putin, and Hillary Clinton themed ransomware and Trojans. These sprung up during the 2016 election campaign and will more than likely make a return in 2020. 

Credit for some of this list goes to Danooct1, a YouTuber and Malware Historian, who shares video demonstrations of infamous and hilarious malware that makes you wonder how someone has the time to create it.

Find Danooct1's YouTube Channel here: 




Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e
Read more

Tracking Adversaries: Scattered Spider, the BlackCat affiliate

-
Image
After tracking the cybercrime threat landscape on a day-to-day basis for over four years now, it’s not that often anymore that something surprises me. But the latest trend of a suspected English-speaking big game hunting cybercriminal group, tracked under the moniker as Scattered Spider by CrowdStrike or 0ktapus by Group-IB, teaming up with a Russian-speaking ransomware group known as BlackCat (or ALPHV) has caught my attention. Background on Scattered Spider CrowdStrike introduced Scattered Spider in December 2022 and shared an update in January 2023 . These financially motivated English-speaking threat actors are known for their unique style of attacks, which usually all begin the same way, either via an SMS phishing message to harvest credentials or via an old school (yet still very effective) social engineering vishing call to get credentials or get the target to download malicious software and provide access. Other tricks Scattered Spider is known for includes multi-factor
Read more

Lessons from the iSOON Leaks

-
Image
  Introduction A Chinese Ministry of Public Security (MPS) contractor called  iSOON (also known as Anxun Information) that  specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on  internal and border security, counter-terrorism, surveillance. The MPS is comparable to the  Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to their MPS clients. About
Read more