17 May Malicious PACs and Bitcoins Fabio Assolini
13 May Telecom fraud — phishing and Trojans combined Dong Yan
22 Apr Lock, stock and two smoking Trojans-2 Sergey Golovanov
29 Mar Military Hardware and Menís Health Ben Godwood
19 Mar The end of MSN Messenger, the beginning of attacks Fabio Assolini
01 Feb Mobile attacks! Victor Chebyshev
Join our blog
You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.
Now cybercriminals from Brazil are also interested in Bitcoin currency. In order to join the horde of phishers on the lookout for the virtual currency they have applied their best malicious technique: malicious PAC on web attacks, and phishing domains.
The malicious usage of PAC (Proxy Auto-Config) among Brazilian black hats is not something new Ė weíve known about it since 2007. Generally, these kind of malicious scripts are used to redirect the victimís connection to a phishing page of banks, credit cards and so on. We described these attacks in detail here. In 2012 a Russian Trojan banker called Capper also started using the same technique. When itís used in drive-by-download attacks, it becomes very effective.
After registering the domain java7update.com, Brazilian criminals started attacking several websites, inserting a malicious iframe in some compromised pages:
In China telecom fraud has become an increasingly common crime. Last year there were more than 170,000 telecom fraud cases, causing the loss of over $12.5 billion. The fraudsters usually call their victims and trick them into transferring cash to a criminal gang via an ATM. But recently a new breed of telecom fraud, which combines phishing sites and backdoor Trojans, has emerged.
Last week the police from the Dongcheng sub-branch of Beijing’s Public Security Bureau asked us to help investigate a telecom fraud case. The victim was defrauded of $100,000. After our investigation, the fraudsters’ tactics were laid bare.
First you get a call from a ‘public prosecutor’ saying that you are implicated in a financial crime and you must help with the investigation. Of course, you deny everything, but the ‘public prosecutor’ advises you to check if you are listed in an official database as a suspected criminal. To do this, they tell you to visit the “Supreme Procuratorate’s” website, which is, of course, a phishing site:
It has been three years since we published Lock, stock and two smoking Trojans in our blog. The article describes the first piece of malware designed to attack users of online banking software developed by a company called BIFIT. There are now several malicious programs with similar functionality, including:
In spite of its functionality no longer being unique, the last program on the list caught our attention.
Words and strings used by Trojan-Banker.Win32.BifitAgent
This particular piece of malware has a number of features that set it apart from other similar programs.
Over the last few months we have seen a series of very similar targeted attacks being blocked in our Linux Mail Security Product. In each case the documents used were RTF and the exploit was CVE-2012-0158 (MSCOMCTL.OCX RCE Vulnerability).
The attacks seem to be from the same group and most appear to be sent from Australia or Republic of Korea. The sender IP addresses vary but many are sent via mail.mailftast.com. This domain is registered in China:
REGISTRANT CONTACT INFO liu runxin No.1,Nanjing Road Shanghai Shanghai 200001 CN Phone: +86.2164415698 Email Address: email@example.com
The documents are in three categories:
EAT FOR BETTER SEX.doc How to last longer in bed.doc 6 Awkward Sex Moments, Defused.doc 9 ways to have better,hotter,and more memorable sex.doc 10 Ways to Get More Sex.doc
Stealth Frigate.doc The BrahMos Missile.doc How DRDO failed India's military.doc
приоритеты сотрудничества.doc Список участников рабочей группы(0603-2013).doc Список кадров.doc Приглашение МИОМ ТЕЙКОВО 2013.doc
Microsoft recently announced the shutdown of its popular IM client MSN Messenger, which will be replaced by Skype, but its end represents the beginning of malicious attacks posing as the installer of the software. Cybercriminals already started to use this fact in their attacks, registering malicious domains, buying sponsored links on search engines, tricking users to download and install a malware masquerade as the MSN installer.
MSN Messenger is still very popular in several countries; Microsoft informed that the service has more than 100 million users worldwide, approximately 30.5 million of them in Brazil. As an escalated migration of all users is planned, it's getting harder to find the installer of the program and this is the window of opportunity exploited by Brazilian cybercriminals aiming to infect users looking for the software.
In a simple search on Google for "MSN messenger" the first result displayed is sponsored link of a malicious domain aiming to distribute the fake installer, which is actually a Trojan banker:
Users of inexpensive Android smartphones typically look for ways to accelerate their devices, for example, by freeing up memory. Demand for software that makes smartphones work a little faster creates supply, some of which happens to be malicious. In addition to legitimate applications, apps that only pretend to clean up the system have appeared on Google Play.
We have come across PC malware that infects mobile devices before. However, in this case it’s the other way round: an app that runs on a mobile device (a smartphone) is designed to infect PCs.
On January 22, 2013 Kaspersky Lab discovered the following application on Google Play:
The app is obviously quite popular and has a good rating:
This application has a twin brother that has an identical feature list but a different name:
Google Chrome users are being targeted these days by a wave of attacks that uses malicious extensions hosted in the official Chrome Web Store. The attack appears to be of Turkish origin and is using Facebook to spread. We saw users of different nationalities infected with the malicious extensions, which the cybercriminals are sending to the official store regularly, in a cat-and-mouse game.
As we already reported in March 2012, Brazilian cybercriminals were able at that time to host a malicious extension in the Chrome Web Store. Since then in June 2012 Google has changed the way users can add third party browser extensions i.e. not allowing the installation that are not hosted on the official Web Store. More recently Google removed the possibility of silent installations, which has been widely abused by third parties.
Maybe for these reasons bad guys started to concentrate their efforts to upload bad extensions to the official store. Now itís the turn of Turkish cybercriminals; they were able to host several extensions there in the last few days.
In China these days, e-commerce has become an important part of daily life, especially among young people. According to a report from CNNIC (China Internet Network Information Center), the number of Chinese e-commerce users reached 242 million at the end of the December 2012. This is nearly half of all Chinese internet users.
Because of this, many Chinese cyber-criminals changed their business from stealing QQ numbers or virtual assets in online games to stealing money during the online trading. In October, People-s Daily, the official newspaper of the Communist Party of China, reported that a group of cybercriminals were arrested in connection with a Trojan targeting the e-commerce users. The Trojan, detected by Kaspersky Lab as trojan-Banker.Win32.Bancyn.a, was named -Floating Cloud-, and was used to steal several millions of dollars from e-commerce users.
The name -Floating Cloud-, -浮云- in Chinese, comes from a very popular saying among Chinese internet users -神马都是浮云-. The direct translation is -God horses are always floating clouds-, which means everything flows away in haste like floating clouds. But here, the floating cloud is not a God horse but a Trojan horse. And the -Floating Cloud- was written in EAZY programming language in which programs can be written totally in Chinese.
To distribute the Trojan, cyber-criminals often masquerade as sellers. When the customer/target asks for information about the merchandise, they send a zip archive with the names like -detail information- which purports to contain a few pictures depicting the merchandise. But among these pictures, there is an executable file with the icon of image files. If the customer wants to take a look at this -picture- file and double clicks it, the Trojan will run.
Brazilian cybercrime is based primarily on the spread of Trojan bankers. For some time now the countryís bad guys have been investing their efforts in new monetization schemes, the latest includes the use of adware. And the perfect place for distributing this sort of malware? Yes, thatís right Ė social networks. This is how "PimpMyWindow", an adware and click-fraud scheme that has infected several Brazilian Facebook users in recent days, works.
To spread quickly among innocent users the adware uses a "change the color of your profile" option that recently surfaced. The infected profiles are used to spread automatic messages to your Facebook contacts:
Like many others, I took advantage of Amazon.com's sale and ordered a Kindle Fire HD last week. When I got around to exploring the Amazon App Store, it didn't take long before running into malware.
While searching for a particular benchmarking app I was presented with some additional apps. One of them immediately looked suspicious.