Mobile phone trojans

You may remember that back in February this year we detected RedBrowser, the first Trojan for J2ME. RedBrowser is able to run on the vast majority of today’s handsets, i.e. those which support Java. The Trojan sends multiple SMSs to pay numbers without the user’s knowledge or consent. Naturally, this rapidly reduces the user’s account balance.

Today one of our users told us about a particular program which has been placed on a popular Russian mobile phone site. This program is allegedly designed to ‘steal money from mobile operators’. Our helpful user not only provided us with information, but also sent us a sample for analysis.

The program turned out to be a completely new Trojan for J2ME. When it’s launched, it sends 5 SMSs to 1717, a pay number. The message text is made up of code chosen at random from the Trojan’s body.

It turns out that this number is used by a site which sells games, ringtones and images. Every game ordered via this site costs $3. This means that as a result of the Trojan sending SMSs, the user will have $15 deducted from his/her account.

The Trojan arrives in a .jar file 32647 bytes in size, called ‘pomoshnik.jar’. (‘Pomoshnik’ is the Russian for ‘assistant’ or ‘helper’.) The .jar file also contains two images.
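The behaviour described above (a MIDlet that sends SMSs to a hard-coded short code, shipped as a small .jar with a couple of images) can be triaged statically before anything is run. The script below is an added example, not code from the original post or from Kaspersky; it unpacks a J2ME .jar with Python's standard library, reads the MIDlet name from the manifest, counts image resources and scans class files for the JSR 120 messaging API names and any `sms://<digits>` short code. The sample archive it builds is constructed for the example: the short code 1717 and the name Pomoshnik come from the post, while the "class" bytes are a stand-in carrying only the strings a real constant pool would contain, not real J2ME bytecode.

```python
import io
import re
import zipfile

# J2ME (JSR 120) identifiers a MIDlet needs in order to send SMS. Seeing them
# is not proof of malice, only a reason to look closer at what numbers are used.
SMS_API_MARKERS = (
    b"javax/wireless/messaging/MessageConnection",
    b"javax/wireless/messaging/TextMessage",
    b"sms://",
)

# Hard-coded destinations of the form "sms://<digits>" or "sms://<digits>:<port>".
SHORT_CODE_RE = re.compile(rb"sms://\+?(\d{3,6})(?::\d+)?")


def triage_midlet_jar(jar_bytes: bytes) -> dict:
    """Static triage of a J2ME .jar: size, manifest name, image count,
    SMS-API markers and hard-coded SMS short codes found in class files."""
    report = {
        "size": len(jar_bytes),
        "midlet_name": None,
        "images": 0,
        "sms_api_markers": set(),
        "short_codes": set(),
    }
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            name = info.filename.lower()
            data = jar.read(info)
            if name == "meta-inf/manifest.mf":
                for line in data.decode("utf-8", "replace").splitlines():
                    if line.lower().startswith("midlet-name:"):
                        report["midlet_name"] = line.split(":", 1)[1].strip()
            elif name.endswith((".png", ".gif", ".jpg")):
                report["images"] += 1
            elif name.endswith(".class"):
                for marker in SMS_API_MARKERS:
                    if marker in data:
                        report["sms_api_markers"].add(marker.decode())
                for m in SHORT_CODE_RE.finditer(data):
                    report["short_codes"].add(m.group(1).decode())
    report["sms_api_markers"] = sorted(report["sms_api_markers"])
    report["short_codes"] = sorted(report["short_codes"])
    # A game or wallpaper viewer has no reason to carry both the messaging
    # API and a fixed short code; flag that combination for manual review.
    report["suspicious"] = bool(report["short_codes"]) and bool(report["sms_api_markers"])
    return report


def build_sample_jar(with_sms: bool = True) -> bytes:
    """Constructed sample resembling the described archive: a manifest, two
    images and one class. With with_sms=True the class carries the SMS API
    names and 'sms://1717'; with False it is a harmless stand-in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "MIDlet-Name: Pomoshnik\r\nMIDlet-1: Pomoshnik, , Main\r\n")
        jar.writestr("icon1.png", b"\x89PNG placeholder")
        jar.writestr("icon2.png", b"\x89PNG placeholder")
        strings = [b"javax/microedition/io/Connector\x00"]
        if with_sms:
            strings += [
                b"javax/wireless/messaging/MessageConnection\x00",
                b"javax/wireless/messaging/TextMessage\x00",
                b"sms://1717\x00",
            ]
        # Class-file magic followed by the strings only; not real bytecode.
        jar.writestr("Main.class", b"\xca\xfe\xba\xbe" + b"".join(strings))
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_midlet_jar(build_sample_jar()))
```

On a real sample the same function is applied to the bytes of the downloaded .jar; the report gives the reviewer the destination numbers to check against premium-rate tariffs and the entries worth opening in a class-file disassembler.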

We’ve named this new malicious program Trojan-SMS.J2ME.Wesber.a, and added detection for it to our antivirus databases.
