Spam and phishing mail

Valentine’s Greetings…from your friends at KL

Quite a few people have already said that we can expect to see an increase in malicious code spreading as Valentine’s Day approaches. And no surprises – here it is. For the last couple of days, we’ve been receiving mass mailings of messages which supposedly will bring joy to the recipient, but which actually have a very different end result – a computer loaded with malware.

Here’s an example, with the link text followed by the address it points to (a bare IP address rather than a domain name): Smiley Kiss http://217.X.X.X/. When the user opens the link, he or she will see a picture like the ones below:

Some of the cards feature pictures which are well known to Russian users – they show characters from popular Russian cartoons. Other cards use Disney characters. But no matter what image is shown, the result is the same. Malicious code – in the shape of a file called valentine.exe, which we detect as Packed.Win32.Tibs.ic – ends up on the victim machine.
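The lure described above has two tells that a mail filter can act on before any signature for the packed executable exists: the link points at a bare IP address instead of a host name, and the object it ultimately delivers is an executable (valentine.exe). The triage routine below is an added example, not code from the original post or from Kaspersky; it runs over three constructed messages embedded inline. The 203.0.113.7 address and the example.net/example.org hosts are placeholders (the real address in the post is redacted), and the `triage` and `flagged` names are our own.

```python
import re
import ipaddress
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample messages (not real traffic). The post's 217.X.X.X host is
# redacted, so a documentation-range address (RFC 5737) stands in for it.
SAMPLES = [
    """From: cards@example.net
To: victim@example.org
Subject: Smiley Kiss

Someone sent you a Valentine! Open it here: http://203.0.113.7/
""",
    """From: newsletter@example.com
To: victim@example.org
Subject: Weekly digest

Read this week's posts at https://blog.example.com/weekly/
""",
    """From: friend@example.net
To: victim@example.org
Subject: Your card

Download your card: http://cards.example.net/valentine.exe
""",
]

# Greedy URL match; stops at whitespace or HTML/quote delimiters.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_bare_ip_host(host):
    """True when the URL host is a literal IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(raw):
    """Parse one RFC 822 message and return the subject plus a list of
    (reason, url) findings for links that match the greeting-card lure."""
    msg = message_from_string(raw)
    text_parts = []
    # walk() yields the message itself for single-part mail, every leaf for
    # multipart mail; only text/plain bodies are scanned in this example.
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                charset = part.get_content_charset() or "utf-8"
                text_parts.append(payload.decode(charset, errors="replace"))

    reasons = []
    for url in URL_RE.findall("\n".join(text_parts)):
        parsed = urlparse(url)
        if is_bare_ip_host(parsed.hostname or ""):
            reasons.append(("bare-ip-link", url))
        if parsed.path.lower().endswith(".exe"):
            reasons.append(("exe-link", url))
    return {"subject": msg["Subject"], "reasons": reasons}


def flagged(raw):
    """Convenience predicate for a mail pipeline: quarantine when any finding."""
    return bool(triage(raw)["reasons"])


if __name__ == "__main__":
    for sample in SAMPLES:
        result = triage(sample)
        print(result["subject"], "->", result["reasons"] or "clean")
```

Bracketed IPv6 literals such as http://[2001:db8::1]/ are caught by the same path, because urlparse strips the brackets and ipaddress accepts the result. A production filter would also scan HTML parts and attachment file names, and would treat the bare-IP heuristic as one scoring signal rather than a hard block, since some legitimate internal mail links to addresses directly.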

What’s interesting is that these images are dynamic, i.e. they can change each time the greetings card page is reloaded. This shows that whoever is behind this is monitoring the infected machines (part of the botnet used to host the cards) and attempting to make sure that they’ve hooked the naïve user.

Because of the large number of requests being made to these kinds of sites, they sometimes become unavailable. But persistent users will, in the end, get through – and get their card, together with a helping of malware. Our stats show that currently approximately 5% of mail traffic is made up of such messages. Although we detect the malicious code, our advice to users is as ever:

– Make sure your antivirus software is up to date. Because the malware on such sites is continuously being modified, you’re strongly recommended to make sure you get the latest antivirus updates every hour.

– Don’t open email if you’re not expecting it – instead of receiving a message from the love of your life, you’re more likely, at this time of year, to fall victim to malware authors.
