Vkontakte accounts compromised

Today data from more than 40,000 VKontakte accounts (the Russian equivalent of Facebook) was put up on a hacker site. We know that the site (83.133.120.252) is a phishing site, and our personal products block attempts to access the site.

Trojan.Win32.VkHost.an (which we added detection for on 28th July) spreads via the VKontakte app (hxxp://vkontakte.ru/app711384?&m=2, currently blocked by VKontakte admins). Once installed, this Trojan modifies the hosts file:

83.133.120.252 vkontakte.ru
83.133.120.252 odnoklassniki.ru

If your machine is infected and you try to open either of the sites, the browser is redirected to a phishing page which requests login credentials. The login and password get sent to the database at 83.133.120.252. (The Odnoklassniki database was empty at the time of writing, so it’s still a bit too early to say if Odnoklassniki user data has been compromised.) Enter your details on the phishing page, and you get redirected to a new page which shows a warning in Russian. Here’s the translation:

WARNING!
Your account has been identified by the system as potentially dangerous.
Spam mailings are being conducted from your IP address.
The account is recognized as being fake, created by malicious users in order to conduct spam mailings, and will be deleted 24 hours after this notification has been read if the account details are not verified.

If the account is genuine, it needs to be verified.

Send an SMS reading orderit30913 (no spaces) to 6008. You will receive an activation code in the response SMS.

The SMS will be charged in accordance with your service provider’s plan.

It looks as though if you send an SMS you do get some sort of code in return, as the site has a page with this message:

Code accepted! Download and launch file – Download

The link leads to a file called access.exe, which restores the original hosts file (127.0.0.1 localhost).

If you just enter a random code, you get this message:

You’ve entered an incorrect code. Go back and enter the code from the SMS!

If you’ve got a VKontakte or Odnoklassniki account, check your hosts file (%windir%\system32\drivers\etc) and if you find entries for vkontakte.ru and odnoklassniki.ru, delete them. You should also change the passwords on all your social networking accounts; if you end up on a phishing page like the one above, don’t enter your details; and last but not least, don’t send an SMS. This is yet another attempt by the bad guys to make a bit of money on the side using premium-rate short numbers.
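The hosts-file check described above, as an added example (not code from the original post): it parses hosts entries, flags any line that maps the two hijacked domains to a non-loopback address or points anything at the phishing IP named in the post, and writes back a cleaned copy. The sample hosts content and the default file path are constructed for the example.

```python
import ipaddress
import os
import sys

# Indicator quoted in the post: the phishing host both domains are redirected to.
PHISHING_IP = "83.133.120.252"
# Domains the Trojan hijacks, per the post; extend if you watch other sites.
WATCHED_DOMAINS = {"vkontakte.ru", "odnoklassniki.ru"}

# Constructed sample hosts file: the two lines the post quotes plus normal content.
SAMPLE_HOSTS = """# constructed sample, not a real system file
127.0.0.1 localhost
127.0.0.1 vkontakte.ru    # deliberate block entry: loopback, not a hijack
83.133.120.252 vkontakte.ru
83.133.120.252 odnoklassniki.ru
192.168.1.10 intranet.example   # unrelated entry, must be kept
"""


def parse_hosts_line(line):
    """Return (ip, [hostnames]) for a hosts entry, or None for blanks/comments/junk."""
    body = line.split("#", 1)[0].strip()  # drop trailing comments
    if not body:
        return None
    fields = body.split()
    try:
        ip = ipaddress.ip_address(fields[0])
    except ValueError:
        return None  # malformed first field; not a mapping
    return str(ip), [h.lower().rstrip(".") for h in fields[1:]]


def is_watched(name):
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacks(hosts_text):
    """Return [(lineno, ip, hostnames)] for entries that redirect a watched domain
    away from loopback, or that point any name at the known phishing IP."""
    findings = []
    for lineno, line in enumerate(hosts_text.splitlines(), 1):
        parsed = parse_hosts_line(line)
        if parsed is None:
            continue
        ip, names = parsed
        loopback = ipaddress.ip_address(ip).is_loopback
        if ip == PHISHING_IP or (not loopback and any(is_watched(n) for n in names)):
            findings.append((lineno, ip, names))
    return findings


def clean_hosts(hosts_text):
    """Return the hosts text with hijacking entries removed; everything else is kept verbatim."""
    bad = {lineno for lineno, _, _ in find_hijacks(hosts_text)}
    kept = [l for i, l in enumerate(hosts_text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # With a path argument, inspect that file (e.g. the Windows path from the post);
    # without one, run against the constructed sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for lineno, ip, names in find_hijacks(text):
        print(f"line {lineno}: {ip} -> {', '.join(names)}  (suspicious)")
```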

Finally, if you think your account data might have been compromised, you can check via our Russian-language blog on the subject.
