English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1
Latest posting
By rating
By popularity

Join our blog

You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.

0.5
 

Malicious macro-enabled Microsoft Office document
The last interesting item found on the same malicious cybercriminal server is a .docm file (a macro-enabled document according to Microsoft Office standards).

It is a malicious file that when opened shows its victims the following content:

0.4
 

To complement the already mentioned findings, the same cybercriminals server contains additional interesting things but before mentioning them, I want to give a little bit more information about the email database used to spam victims to infect them with the Betabot malware.

E-mail database
How big is the list of email addresses to spam victims? It has 8,689,196 different addresses. It is a very complete database. Even if only 10% of the machines of the people included in this list get infected, cybercriminals would gain more than 800,000 infected PCs!

The geographic distribution of the emails is already published here. If we just look at the number of the most interesting domains belonging to governments, educational institutions and such used to spam and to infect, they are still very high numbers:

Domain number of emails
org 13772
edu 2015
gov 1575
gob 312

0.2
 

Introduction

Today we got a spam message with a fake e-card in Portuguese leading to an interesting piece of malware:


Header translation: You got a Christmas e-card. Somebody very special has sent this Christmas e-card for you. In case you are not able to visualize it, click here. Much better than any present is a happy family.

0.4
 

The more people switch to 64-bit platforms, the more 64-bit malware appears. We have been following this process for several years now. The more people work on 64-bit platforms, the more 64-bit applications that are developed as well. Sometimes these include some very specific applications, for example, banking applications.... If someone wants to hack into an application like this and steal information, the best tool for that would also be a 64-bit agent. And whats the most notorious banking malware? ZeuS, of course the trendsetter for the majority of todays banking malware. Its web injects have become a fundamental must-have feature of almost every banking malware family. And it was only a matter of time until a 64-bit version of ZeuS appeared but we didnt expect it to happen quite so soon.

Thats because cybercriminals dont actually need a 64-bit version. ZeuS is mostly intended to intercept data passing through browsers, and modify that data allowing the operator to steal information related to online banking, to wire transactions or to cover his tracks. But nowadays people still use 32-bit browsers even on 64-bit operating systems. So, 32-bit versions of ZeuS have been sufficient to keep the thieves satisfied with their earnings.

Then, out of the blue, we spotted a 32-bit ZeuS sample maintaining a 64-bit version inside. And its turned out that this 64-bit version has already been recorded being present in the wild at least since June, 2013 and compilation date specified in the sample is April 29, 2013! Moreover, this ZeuS version works via Tor. The initial 32-bit sample injects malicious code into target processes. If the target process belongs to a 64-bit application, ZeuS injects its 64-bit version into the process; otherwise, it pushes the 32-bit version. We ran tests to see how the 64-bit ZeuS works inside a 64-bit Internet Explorer and it demonstrated the usual ZeuS functionality: in any case, the web injects functioned as usual.

0.5
 

New trick from cybercriminals of Brazil - a suspicious message arrives to the user with a file attached named "Comprovante_Internet_Banking.rtf", translated from Portuguese it means "Receipt from Internet Banking":

Are you waiting a banking receipt via email?

0.2
 

Jumcar stands out from other malicious code developed in Latin America because of its particularly aggressive features. At the moment three generations of this malware family exist, which basically use symmetric algorithms in the first and second generation, and an asymmetric algorithm in the third. In this manner the configuration parameters are hidden, progressively increasing the complexity of the variants.

In the first generation, data is encrypted with AES (Advanced Encryption Standard). We estimate that the first variant was released in March 2012, and that other pieces of malware with similar characteristics were being developed until August of the same year. That is to say over a six month period.

In this first stage, 75% of the phishing campaigns targeted Peruvian consumers that use home-banking services. The 25% remaining targeted users in Chile.

The following diagram shows multiple instances used by the second generation of Jumcar:

Some .NET instances used by a variant of the first generation of Jumcar


0.4
 

Jumcar is the name we have given to a family of malicious code developed in Latin America particularly in Peru and which, according to our research, has been deploying attack maneuvers since March 2012.

After six months of research we can now detail the specific features of Jumcar. We will communicate these over the following days. Essentially the main purpose of the malware is stealing financial information from Latin American users who use the home-banking services of major banking companies. Of these, 90% are channeled in Peru through phishing strategies based on cloning the websites of six banks.

Some variants of the Jumcar family also target two banks in Chile, and another in Costa Rica.

Percentage of the phishing attacks by countries
0.4
 

After the recent emergence of the criminal PiceBOT in Latin America, AlbaBotnet has joined the growing ranks of regional IT crime. It revolves around online pharming, with a view to delivering targeted phishing attacks which steal information from the online accounts of two major Chilean banks.

According to the data we have processed, this campaign is part of a trial stage of this botnet: up to now there has been no monetization of AlbaBotnet. We do know that the author of this threat began testing it in early 2012.

The botnet appears to have a similar structure to its Latin American counterparts. As well as the default automated malware builder, it includes a package which automatically sends emails. Thus, the botmaster can customize infection campaigns through the classic mechanisms of visual social engineering:

1.1
 

Last week, Adobe released a patch for a vulnerability in Flash Player that was being exploited in targeted attacks.

Before reading any further, we recommend you to take a moment make sure you apply this patch. Adobe offers this nifty tool to check that you have the latest version of Flash Player.

If you are running Google Chrome, make sure you have version -24.0.1312.57 m- or later.

Now back to CVE-2013-0633, the critical vulnerability that was discovered and reported to Adobe by Kaspersky Lab researchers Sergey Golovanov and Alexander Polyakov. The exploits for CVE-2013-0633 have been observed while monitoring the so-called -legal- surveillance malware created by the Italian company HackingTeam. In this blog, we will describe some of the attacks and the usage of this 0-day to deploy malware from -HackingTeam- marketed as Remote Control System.

0.4
 

Following in the wake of the vOlk (Mexico) and S.A.P.Z. (Peru) botnets comes PiceBOT, a newbie to the Latin American cybercrime scene. The cost on the black market is currently around $140.

Like other crimeware of its kind, its main purpose is the distribution of malware that steals financial information through local pharming attacks (arbitrary modification of a hosts file). Despite its recent onset (less than a month) it has already been adopted by Latin American cybercriminals to target clients of major banks. So far we have recorded phishing attacks generated and managed through this botnet in Chile, Peru, Panama, Costa Rica, Mexico, Colombia, Uruguay, Venezuela, Ecuador, Nicaragua and Argentina. The following image, obtained from an underground forum, shows some examples: