Malware descriptions

New IM Worm Squirming in Latin America

Whenever we discuss the most active malware-producing countries, Russia, China and Brazil are always atop the list. But there’s a new country that’s starting to appear in the top five:Mexico

In our monthly Latin America malware analysis published on https://securelist.lat/ and Threatpost (both in Spanish),we already mentioned that Mexico is known for producing local botnets.

On Aug 21, we (Kaspersky Lab) detected a new instant messenger worm that spreads through almost all well-known IM programs, including Skype, GTalk, Yahoo Messenger and Live MSN Messenger. The name of the threat is “IM-Worm.Win32.Zeroll.a

It “speaks” 13 different languages (including Spanish and Portuguese) according to the local language of the infected
Windows computer. There are some characteristics that show the worm originated Mexico. It is written in VB and the C&C is located on an IRC channel (an old botnet technique recycled by the Mexican coders).

Our statistics based on the KSN data show the biggest infections were registered in Mexico and Brazil.

It seems like the criminals behind the worm are now at the first stage of the crime — infecting as many machines as they can to have “a good” offers after to another criminals: pay per install, spam and others.

It’s worth mentioning that only three anti-virus programs (including Kaspersky) detect the threat.

New IM Worm Squirming in Latin America

Your email address will not be published. Required fields are marked *

 

Reports

The leap of a Cycldek-related threat actor

The investigation described in this article started with one such file which caught our attention due to the various improvements it brought to this well-known infection vector.

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Subscribe to our weekly e-mails

The hottest research right in your inbox