
Valentine’s Greetings…from your friends at KL

Quite a few people have already said that we can expect to see an increase in malicious code spreading as Valentine’s Day approaches. No surprises – here it is. For the last couple of days we’ve been receiving mass mailings of messages which supposedly bring joy to the recipient, but which actually have a very different end result: a computer loaded with malware.

Here’s an example: Smiley Kiss http://217.X.X.X/. When the user opens the link, he or she will see a picture like the ones below:

Some of the cards feature pictures which are well known to Russian users – they show characters from popular Russian cartoons. Other cards use Disney characters. But no matter what image is shown, the result is the same. Malicious code – in the shape of a file called valentine.exe, which we detect as Packed.Win32.Tibs.ic – ends up on the victim machine.
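The lure has two stages: a near-empty message whose only content is a greeting-card subject and a link to a bare IP address, and a landing page whose image is paired with a link to a Windows executable. As an added example (not code from the original post or from Kaspersky), the following Python script scores messages on those traits and pulls executable links out of a card page. The messages, the card page and the 198.51.100.23 host are constructed for the example; the real mailings used a 217.X.X.X address and may differ in wording.

```python
import ipaddress
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Subject words typical of the greeting-card lure (assumed list, not from the post).
LURE_WORDS = ("valentine", "kiss", "greeting", "card", "love")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample messages; hosts use the RFC 5737 documentation range,
# standing in for the bare 217.X.X.X address seen in the real mailings.
LURE_MAIL = """\
From: friend@example.com
To: victim@example.org
Subject: Smiley Kiss
Content-Type: text/plain

Smiley Kiss http://198.51.100.23/
"""

BENIGN_MAIL = """\
From: alice@example.com
To: bob@example.org
Subject: Lunch on Thursday?
Content-Type: text/plain

Menu is at https://www.example.com/menu
"""

# Constructed greeting-card landing page: a picture plus a link to the dropper.
CARD_PAGE = """<html><body>
<img src="http://198.51.100.23/cards/kiss.jpg">
<a href="http://198.51.100.23/valentine.exe">Click here to view your card</a>
</body></html>"""


def extract_urls(text):
    return URL_RE.findall(text)


def bare_ip_host(url):
    """True when the URL's host is a literal IPv4/IPv6 address, not a hostname."""
    try:
        ipaddress.ip_address(urlparse(url).hostname or "")
        return True
    except ValueError:
        return False


def message_body(msg):
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            chunks.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return "\n".join(chunks)


def score_message(raw_mail):
    """Return (suspicious, reasons); two or more lure traits trip the verdict."""
    msg = message_from_string(raw_mail)
    subject = (msg.get("Subject") or "").lower()
    body = message_body(msg)
    urls = extract_urls(body)
    reasons = []
    if any(bare_ip_host(u) for u in urls):
        reasons.append("link to bare IP address")
    if any(word in subject for word in LURE_WORDS):
        reasons.append("greeting-card lure in subject")
    if urls and len(body.split()) <= 8:
        reasons.append("body is little more than a link")
    return len(reasons) >= 2, reasons


class DropperLinkFinder(HTMLParser):
    """Collects href/src values whose URL path ends in a Windows executable."""
    EXE_SUFFIXES = (".exe", ".scr", ".pif")

    def __init__(self):
        super().__init__()
        self.dropper_links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                if urlparse(value).path.lower().endswith(self.EXE_SUFFIXES):
                    self.dropper_links.append(value)


def find_dropper_links(html):
    """Return every executable link on a fetched card page."""
    finder = DropperLinkFinder()
    finder.feed(html)
    return finder.dropper_links


if __name__ == "__main__":
    for label, mail in (("lure", LURE_MAIL), ("benign", BENIGN_MAIL)):
        verdict, why = score_message(mail)
        print(f"{label}: suspicious={verdict} {why}")
    print("dropper links on card page:", find_dropper_links(CARD_PAGE))
```

The benign message also trips the "little more than a link" heuristic on its own, which is why the verdict requires two independent traits; a single bare-IP link or a single lure word is common enough in legitimate mail that it should raise a score, not block the message.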

What’s interesting is that these images are dynamic, i.e. they can change each time the greetings card page is reloaded. This suggests that whoever is behind this is monitoring the infected machines (part of the botnet used to host the cards) and attempting to make sure that they’ve hooked the naïve user.

Because of the large number of requests being made to these kinds of sites, they sometimes become unavailable. But persistent users will, in the end, get through – and get their card, together with a helping of malware. Our stats show that currently approximately 5% of mail traffic is made up of such messages. Although we detect the malicious code, our advice to users is as ever:

– Make sure your antivirus software is up to date. Because the malware on such sites is continuously being modified, you’re strongly recommended to get the latest antivirus updates every hour.

– Don’t open email if you’re not expecting it. Instead of receiving a message from the love of your life, you’re more likely, at this time of year, to fall victim to malware authors.
