Incidents

Do you like photos?

This week we’ve seen a couple of IM-Worms peaking above the radar to an extent you can probably call epidemic levels.

Two of these were MSN-Worms. Each worm sends a link:

Each of the links lead to a different Trojan-downloader. The downloaders download a variety of adware and adware-related Trojans.

Moreover, IM-Worm.Win32.Licat.c is also downloaded, which in turn launches a new mass mailing of the original message. Nothing unusual, right?

Wrong! Both worms spread using links to .PIF files. But some of you might remember that Microsoft blocked messages containing “.pif”?

Yes they have, but… the MS block is case sensitive!

So the criminals used capital letters, “.PIF” and the network filters let the message flow right through. Other variations like .Pif, .pIf, and so on also work.

We have notified Microsoft of this and hope they take the necessary actions. In the meantime, users and admins should beware.

The funpic.de page has been taken down during the night and the uglyphotos link is dead and blocked by MSN. But there’s no doubt there will be new ones to replace it. Especially with the VML vulnerability still un-patched.

Do you like photos?

Your email address will not be published.

 

Reports

Andariel deploys DTrack and Maui ransomware

Earlier, the CISA published an alert related to a Stairwell report, “Maui Ransomware.” Our data should openly help solidify the attribution of the Maui ransomware incident to the Korean-speaking APT Andariel, also known as Silent Chollima and Stonefly.

APT trends report Q2 2022

This is our latest summary of advanced persistent threat (APT) activity, focusing on events that we observed during Q2 2022.

Subscribe to our weekly e-mails

The hottest research right in your inbox