Spam and phishing mail

Google+ fake invites = malware

These days, invites to the new social network created by Google are a popular subject among users that want to try it.

If a subject is popular it also can be used by cybercriminals as a trick to infect curious users – and Brazilian cybercriminals have already started sending fake invites with malicious links pointing to malware, specifically Trojan bankers.

Today we found one of them targeting Portuguese speakers:

The fake invite has a link pointing to google****.redirectme.net. When accessed it redirects to a very common Brazilian trojan banker, a .cmd file hosted at Dropbox and already detected by our Heuristic engine.

The most interesting thing in that message is another link pointing to a form hosted at Google Docs. The message shows the link as “send the invitation to your friends” but it’s a fake form created to collect names and e-mail addresses of new victims:

We already reported the malicious file to Dropbox team and also the fake webform to Google.

If you are interested in joining Google+, please be patient and not believe in supposed invites received in e-mails.

Google+ fake invites = malware

Your email address will not be published. Required fields are marked *

 

Reports

The leap of a Cycldek-related threat actor

The investigation described in this article started with one such file which caught our attention due to the various improvements it brought to this well-known infection vector.

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Subscribe to our weekly e-mails

The hottest research right in your inbox