Incidents

Japan Quake Malware Again

The earthquake and tsunami related crisis in Japan is still far from over – so is the appearance of new cyber threats trying to exploit that same crisis.

Tens of thousands of people in Japan have lost their homes, and many their loved ones too. On top of that, radiation leaks are still a major concern for the country and its observers , while new tremors remind everyone of nature’s power on an almost daily basis. (At time of writing, a Magnitude 6.2 quake shook the place!).

Today we investigated another malicious webpage. This one states in Portuguese: “Novo tsunami atinge a regio de Sendai e Japo declara estado de emegncia em usina nuclear”, which roughly translated means “New tsunami reaches the area of Sendai, Japan declares state of emergency at nuclear power plant”.

Clicking on the page content results in the download of an executable file which we detect as “Trojan-Downloader.Win32.AutoIt.po”.
When executed, three additional binaries are downloaded from a compromised site in Brazil.

After successful execution, the computer tries to connect to several locations; some are named “wab.php” and “contador.php”. Currently, we can confirm that this activity has also resulted in access to ‘www.visa.com.br’ and another location, producing ‘404’ errors because the files were hosted on – yet another – compromised site, which has apparently already been cleared of the intrusion.

Our Incident Research and Response Team have of course tried to contact the owners/ISPs of the compromised sites to draw their attention to this incident.
So far, we have received only one reply in response to our email to abuse@, but it looks to be of little help to the Internet community:

There seem to be other problems on their side and we don’t know if our alert actually reached anybody. However, users of Kaspersky Lab’s products are protected from this threat as our solutions currently detect all parts of this attack.

Japan Quake Malware Again

Your email address will not be published. Required fields are marked *

 

Reports

Ferocious Kitten: 6 years of covert surveillance in Iran

Ferocious Kitten is an APT group that has been targeting Persian-speaking individuals in Iran. Some of the TTPs used by this threat actor are reminiscent of other groups, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings.

Andariel evolves to target South Korea with ransomware

In April 2021, we observed a suspicious Word document with a Korean file name and decoy. It revealed a novel infection scheme and an unfamiliar payload. After a deep analysis, we came to a conclusion: the Andariel group was behind these attacks.

Operation TunnelSnake

A newly discovered rootkit that we dub ‘Moriya’ is used by an unknown actor to deploy passive backdoors on public facing servers, facilitating the creation of a covert C&C communication channel through which they can be silently controlled. The victims are located in Africa, South and South-East Asia.

Subscribe to our weekly e-mails

The hottest research right in your inbox