Spam and the death of Osama bin Laden

As we mentioned in a previous blog post, every time there is news of global interest, cybercriminals try to exploit that interest for their own malicious purposes. The death of Osama bin Laden was no exception – it was used in spam as well as black hat SEO.

We have detected two spam mailings capitalizing on the news of Bin Laden’s death, both of which were used to distribute malware.

One included a password-protected ZIP archive. The message subject was: “pictures of osama bin laden dead?”

What is strange about the mailing is that the text was taken from a standard spam message which is supposedly sent by a girl who wants to introduce herself to a man and is asking him to have a look at pictures of her that are attached.

The archive contained malware detected by Kaspersky Lab products as Trojan-Dropper.MSIL.Pakes.b.

The other malicious mailing exploiting Bin Laden’s death included links supposedly to a video showing the moment he was killed.

The message was in Spanish and was designed to look like a news mailing from CNN News. However, instead of leading to the site of the well-known news service, links in the message took users to a page on a Russian domain which dropped Backdoor.Win32.Ruskill.v on the user’s machine.

Because a number of world events have been attracting the general public’s attention of late, spammers have increasingly been using ‘fake news’ to distribute malicious code.

I would like to urge users once again to be careful. Remember that your curiosity and carelessness could result in serious problems for your computer and the loss of personal data or even money.
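A mail-triage sketch for the two lures described above (the password-protected ZIP attachment and the CNN-styled message whose links lead elsewhere), added here as an example and not taken from Kaspersky Lab's products. The function names, the `cnn.com` comparison domain and the sample message are constructed for illustration; because a gateway scanner cannot unpack a password-protected archive, the ZIP encryption flag is treated as a signal on its own.

```python
import io, re, zipfile
from email.message import EmailMessage
from urllib.parse import urlparse

def zip_is_encrypted(data):
    """True if any archive member has general-purpose flag bit 0 (encrypted) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(i.flag_bits & 0x1 for i in zf.infolist())
    except zipfile.BadZipFile:
        return False

def off_brand_hosts(html, brand_domain):
    """Hosts of http(s) links that are neither the claimed brand's domain nor a subdomain."""
    hosts = set()
    for url in re.findall(r'href\s*=\s*["\'](https?://[^"\']+)', html, re.I):
        host = (urlparse(url).hostname or "").lower()
        if host != brand_domain and not host.endswith("." + brand_domain):
            hosts.add(host)
    return sorted(hosts)

def triage(msg, brand_domain):
    """Return (finding, detail) pairs for a message styled as coming from brand_domain."""
    findings = []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip") and zip_is_encrypted(part.get_payload(decode=True)):
            findings.append(("encrypted-zip", name))
        elif part.get_content_type() == "text/html":
            for host in off_brand_hosts(part.get_content(), brand_domain):
                findings.append(("off-brand-link", host))
    return findings

def sample_message():
    """Constructed sample: brand-styled HTML body plus a ZIP marked as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.txt", "placeholder")
    raw = bytearray(buf.getvalue())
    raw[raw.index(b"PK\x01\x02") + 8] |= 0x1  # set encryption bit in the central directory
    msg = EmailMessage()
    msg["From"] = "CNN News <news@sender.example>"  # constructed sender
    msg.set_content("plain text part")
    msg.add_alternative('<a href="http://video.example.invalid/clip">Ver video</a> <a href="https://edition.cnn.com/">CNN</a>', subtype="html")
    msg.add_attachment(bytes(raw), maintype="application", subtype="zip", filename="pictures.zip")
    return msg

if __name__ == "__main__":
    print(triage(sample_message(), "cnn.com"))
```

The suffix comparison on the parsed hostname is what keeps a look-alike host such as `cnn.com.evil.example` from passing as the brand.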
