Tomorrow’s spam – today

Geocities.com has been gone for a month now, and you’d have thought the spammers would be missing it. But one of the messages we got today shows that on the contrary, the spammers are looking forward to the future.

Here’s the message we got today – with tomorrow’s date on it. As most people configure their mail client to sort incoming messages by date, putting a future date on an email will ensure maximum visibility by putting it right at the top of the inbox.
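The trick described above (a Date: header set in the future so the message sorts to the top) is also a cheap detection signal, because a legitimate sender's clock is rarely more than a few minutes off. The following is an added example, not code from the original post: it parses the Date: header of raw messages with Python's standard `email` module and flags anything claiming to have been sent more than a configurable skew after "now". The sample messages and their dates are constructed for the demonstration.

```python
"""Flag e-mail messages whose Date: header lies in the future.

Added example (not from the original post); standard library only.
"""
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

# Clock skew tolerated before a Date: header counts as "future-dated".
# One hour is an assumed, illustrative threshold; tune it to your environment.
MAX_FUTURE_SKEW = timedelta(hours=1)


def header_date(raw_message: str) -> Optional[datetime]:
    """Return the Date: header as an aware UTC datetime, or None if absent/unparseable."""
    msg = message_from_string(raw_message)
    value = msg.get("Date")
    if not value:
        return None
    try:
        parsed = parsedate_to_datetime(value)
    except (TypeError, ValueError):  # malformed header (behaviour differs by Python version)
        return None
    if parsed is None:               # some older versions return None instead of raising
        return None
    if parsed.tzinfo is None:        # a "-0000" zone yields a naive datetime; treat as UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def is_future_dated(raw_message: str, now: datetime,
                    skew: timedelta = MAX_FUTURE_SKEW) -> bool:
    """True when the message claims to have been sent more than `skew` after `now`."""
    sent = header_date(raw_message)
    return sent is not None and (sent - now) > skew


def triage(messages: Dict[str, str], now: datetime) -> List[str]:
    """Names of the messages that should be flagged for review."""
    return [name for name, raw in messages.items() if is_future_dated(raw, now)]


# Reference time for the demo (constructed; the post itself gives no timestamps).
NOW = datetime(2009, 11, 27, 12, 0, tzinfo=timezone.utc)

# Constructed sample messages, each reduced to the headers that matter here.
SAMPLES = {
    # Dated tomorrow: the case the post describes.
    "tomorrow": ("From: sender@example.invalid\r\n"
                 "Date: Sat, 28 Nov 2009 09:15:00 +0000\r\n"
                 "Subject: Make money from home\r\n\r\nbody\r\n"),
    # Same trick, but the zone offset must be normalised before comparing.
    "tomorrow_offset": "Date: Sat, 28 Nov 2009 03:00:00 -0500\r\n\r\nbody\r\n",
    # "-0000" means "zone unknown"; we assume UTC rather than drop the header.
    "tomorrow_unknown_zone": "Date: Sat, 28 Nov 2009 09:15:00 -0000\r\n\r\nbody\r\n",
    # Ordinary message from a few minutes ago.
    "normal": "Date: Fri, 27 Nov 2009 11:58:00 +0000\r\n\r\nbody\r\n",
    # Thirty minutes ahead: within the tolerated skew, so not flagged.
    "slight_skew": "Date: Fri, 27 Nov 2009 12:30:00 +0000\r\n\r\nbody\r\n",
    # No Date: header at all; unparseable headers are not flagged by this check.
    "no_date": "Subject: hello\r\n\r\nbody\r\n",
    "garbage_date": "Date: not a date\r\n\r\nbody\r\n",
}

if __name__ == "__main__":
    for name in triage(SAMPLES, NOW):
        print(f"flagged: {name} (claims {header_date(SAMPLES[name]).isoformat()})")
```

A missing or malformed Date: header is deliberately not treated as "future": that is a separate signal worth its own rule, and lumping it in here would hide which condition actually fired.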

The links in these messages lead to new Twitter accounts:

These accounts in turn link to a site that looks very much like a news portal, but the only working links on it lead to offers of making money by working from home.

The account shown above also has tweets with links to typical Viagra and weight loss sites. It’s clear that spammers may be moving with the times by changing the tools they use, but they haven’t changed their message. And why should they, as long as there’s profit to be made?
