Research

Hidden Details about the last Skype Spread Malware

Many things have been told already about the latest Skype malware spread via instant messages. However I just wanted to add something not mentioned yet. The first thing is about when the attack was launched first. According to Google Short URL service it first surfaced on Oct 6th:

To be exact it happened at 8:00 PM Ecuadorian time (7:00 PM ET). In just 2 hours the number of clicks grew up to 484,111 clicks. I’d say most of the people who clicked got infected since the initial Virus Total (https://www.virustotal.com/) detection for the malware was only from 2 of the 44 AV engines. The actual detection now is 27/43 engines and the actual number of clicks is more than 1 million!

Despite the fact that the original Hotfile malicious URL is already dead, people are still clicking on it. It means the malicious campaign is maintaining a low level of activity and where most of the victims are in Russia. It’s a controversial situation because one of the payloads is the stealing of credit card information from one of the Ecuadorian banks!

The malware “speaks” many languages, so when I obtained a sample it was spreading between Venezuelan users saying “¿es ésta tu foto de perfil nuevo?” (Translation: Is this your new profile picture?) It speaks at least; Spanish, Portuguese, English and Latvian languages and additionally steals user account information from: .iknowthatgirl, YouPorn, Brazzers, Webnames, Dotster, Enom, 1and1, Moniker, Namecheap, Godaddy, Alertpay, Netflix, Thepiratebay, Torrentleech, Vip-file, Sms4file, Letitbit, Whatcd, eBay, Twitter, Facebook, Yahoo, PayPal and many other services.

The Trojan has an autorun functionality to spread via USB devices. It’s able to spread via MSN Messenger too and all locally saved Skype passwords on the same infected machine by switching automatically between available accounts.

Kaspersky detects this threat as Trojan.Win32.Bublik.jdb

Hidden Details about the last Skype Spread Malware

Your email address will not be published. Required fields are marked *

 

Reports

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox