Malware descriptions

Pinch pinched

We regularly see Trojans being sent via IM. There’s a whole range of approaches used, from standard messages saying ‘Hey, take a look at my photos’ or links which purportedly lead to useful utilities, to social engineering which plays on people’s fears:

[Translation: Look what’s been written about you here]

Of course, the pages linked to are stuffed with exploits which are used to turn the victim machine into a malware menagerie.

There’s nothing new in these mailings. But today we got another example of a mailing that’s been going on for the last three weeks or so – every day, millions of ICQ users are being sent the following message:

[Translation: A new unofficial add-on to the well-known QIP client has been

The add-on includes options such as:
*hide/ fake your number
*hide/ fake your primary email
*eavesdrop on other users (requires qip 8020 or higher)
*check user status
*view user’s contact list (requires paid plug-in enquiries to UIN# ****016)


*qip 8000 or higher can be downloaded from
*Internet access
*Windows 2000/2003/XP (Vista not supported)
Unpack the archive, launch the Install file remaining files should be located
in the folder together with install.
Download: _ (656 kb)

Although the link does change, sometimes the same link gets sent twice in one day – it depends how quickly antivirus companies react to the latest malware that’s placed on the link. If the user is incautious or uninformed enough to click on the link, his or her machine ends up infected with a variant of the ever popular Trojan-PSW.Win32.LdPinch.

We took a look at all the different variants that have been downloaded, and discovered that:

  1. An old version of Pinch is being used, and this version is freely available – for each wave of mailings, the malware simply gets packed with different packers.
  2. To start with, Pinch sent its log files off using public SMTP servers, but then moved to using a script gate on a free hosting site.
  3. The recipient’s email is the same in all cases.

Pinch is a true omnivore – it grabs just about everything it can from the victim machine: the Windows license number, system information, a list of programs installed, as well as ICQ, email and FTP passwords, and passwords saved to Windows Protected Storage.

On the most productive days, the person behind the mass mailings managed to collect up to a hundred logs. And his e-store has a whole bunch of ICQ numbers for sale, presumably stolen from victim machines. He’s clearly out to make money – given that malware writers have made the shift from simple disruption to clearly criminal activity, that’s no surprise. However, what he maybe doesn’t realize is that a careful analysis of Pinch leads to a wealth of information about the author – name, date of birth, town, mobile number and various other personal data.

Good news for those fighting cyber crime, but not so great for those involved in illegal activity.

Pinch pinched

Your email address will not be published. Required fields are marked *



The leap of a Cycldek-related threat actor

The investigation described in this article started with one such file which caught our attention due to the various improvements it brought to this well-known infection vector.

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Subscribe to our weekly e-mails

The hottest research right in your inbox