Two-pronged attack: Argentine site hit by malware and data leak

I was browsing through compromised websites used for spreading malware and found one from Argentina which belongs to a veterinary supplier. The admin panel got p0wned and, worst of all, it had a tab with the personal details of people who had posted their CVs (curriculum vitae). So, what exactly has happened? Well, basically lots of confidential information has been leaked and we are talking about home addresses, telephone numbers, details of education centers attended, mobile phone numbers, email addresses, marital status, children and even personal references. This is very bad because the same information can easily be used for all kinds of fraudulent activities: on-line ID theft, targeted attacks and so on. Here are just a few examples of real CVs uploaded and saved on the compromised site:

Most of the victims are from Argentina or are living there.

So, who is behind the attack? It’s hard to say, but there are a couple of interesting things to consider. The first one is related to a fake ID used to submit a CV.

It looks like someone from a Russian-speaking country has at least tried to sniff the site. The second interesting thing is that the same website has been used for spreading Brazilian Trojan bankers.

So, it’s hard to say who’s definitely behind this particular attack. Is it Russians or Brazilians? Or maybe it’s a combined effort between Brazilian and Russian-speaking cybercriminals. If that is the case, it wouldn’t be the first time they have worked together; we have recently seen Brazilian cybercriminals using well-known Russian cybercrime web resources.

Two-pronged attack: Argentine site hit by malware and data leak

Your email address will not be published. Required fields are marked *



The leap of a Cycldek-related threat actor

The investigation described in this article started with one such file which caught our attention due to the various improvements it brought to this well-known infection vector.

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Subscribe to our weekly e-mails

The hottest research right in your inbox