Malware descriptions

Latest info on the GpCode infections

We have been investigating the source of the recent outbreak of the cyber-blackmail virus GpCode, which is on the loose in the Russian Internet.

Our research shows that the virus was spread in the following manner:

  1. As we had thought, the infection stems from a mass mailing. The first mailing was conducted on May 26, 2006, when several thousand Russian users received an email with this text:
    Hello <recipient name>!

    We are writing to you regarding the resume you have posted on the job.ru website. I have a vacancy that is suitable for you. ADC Marketing LTD (UK) is opening an office in Moscow and I am searching for appropriate candidates. I will soon be asking you to come in for an interview at a mutually convenient time.

    If you are interested in my offer, please fill out the attached form related to compensation issues and email the results to me.

    Sincerely,
    Viktor Pavlov
    HR manager

    [the above is a translation from the Russian]

    The attached file is a MS word .doc file named anketa.doc [anketa is the Russian for application form – translator’s note]. Actually, this file contained Trojan-Dropper.MSWord.Tored.a.

  2. Once the recipient opened the .doc file, a malicious macro installed another Trojan into the local system – Trojan-Downloader.Win32.Small.crb.
  3. This is the Trojan that then loaded GpCode onto the local machine from a URL – [skip].msk.ru/services.txt.

The author of GpCode conducted similar mass mailings over several days. She also changed the variants of GpCode that were being downloaded from this URL.

Kaspersky Lab is currently working on closing this site down.

Latest info on the GpCode infections

Your email address will not be published. Required fields are marked *

 

Reports

Lyceum group reborn

According to older public researches, Lyceum conducted operations against organizations in the energy and telecommunications sectors across the Middle East. In 2021, we have been able to identify a new cluster of the group’s activity, focused on two entities in Tunisia.

GhostEmperor: From ProxyLogon to kernel mode

While investigating a recent rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. With a long-standing operation, high profile victims, advanced toolset and no affinity to a known threat actor, we decided to dub the cluster GhostEmperor.

APT trends report Q2 2021

This is our latest summary of advanced persistent threat (APT) activity, focusing on significant events that we observed during Q2 2021: attacks against Microsoft Exchange servers, APT29 and APT31 activities, targeting campaigns, etc.

Subscribe to our weekly e-mails

The hottest research right in your inbox