Malware descriptions

Latest info on the GpCode infections

We have been investigating the source of the recent outbreak of the cyber-blackmail virus GpCode, which is on the loose in the Russian Internet.

Our research shows that the virus was spread in the following manner:

  1. As we had thought, the infection stems from a mass mailing. The first mailing was conducted on May 26, 2006, when several thousand Russian users received an email with this text:
    Hello <recipient name>!

    We are writing to you regarding the resume you have posted on the job.ru website. I have a vacancy that is suitable for you. ADC Marketing LTD (UK) is opening an office in Moscow and I am searching for appropriate candidates. I will soon be asking you to come in for an interview at a mutually convenient time.

    If you are interested in my offer, please fill out the attached form related to compensation issues and email the results to me.

    Sincerely,
    Viktor Pavlov
    HR manager

    [the above is a translation from the Russian]

    The attached file is a MS word .doc file named anketa.doc [anketa is the Russian for application form – translator’s note]. Actually, this file contained Trojan-Dropper.MSWord.Tored.a.

  2. Once the recipient opened the .doc file, a malicious macro installed another Trojan into the local system – Trojan-Downloader.Win32.Small.crb.
  3. This is the Trojan that then loaded GpCode onto the local machine from a URL – [skip].msk.ru/services.txt.

The author of GpCode conducted similar mass mailings over several days. She also changed the variants of GpCode that were being downloaded from this URL.

Kaspersky Lab is currently working on closing this site down.

Latest info on the GpCode infections

Your email address will not be published. Required fields are marked *

 

Reports

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

What did DeathStalker hide between two ferns?

While tracking DeathStalker’s Powersing-based activities in May 2020, we detected a previously unknown implant that leveraged DNS over HTTPS as a C2 channel, as well as parts of its delivery chain. We named this new malware “PowerPepper”.

Subscribe to our weekly e-mails

The hottest research right in your inbox