Research

Yes to tweeting, no to phishing

“Weibo”, a micro blog in Chinese, is really hot and has become fashionable in China lately. The number of users of the largest Weibo site Sina Weibo (www.weibo.com) has already reached 140 million. As usual, where there is popularity, there will be security concerns.

Today I found someone referring to my latest tweet, saying that I had won a big prize and needed to click the link to see the details. The guy’s name only consisted of some random letters, which made me cautious. Apparently this is a phishing URL.

I checked this randomly named user and found that he was newly registered but had already sent phishing URLs to lots of users.

Strange user with the strange name

Unfortunately, if you click the URL, you will be redirected to a site called weibo***.info and a page will be displayed saying that you have won a Toyota Camry in a lucky draw held by Sina. But apparently, the hackers didn’t spend much time on the page design.

Poorly designed phishing page

You can tell that it is a phishing page which is good, but it’s too late. At the bottom of the code on the phishing page you can find a special line of code.

Code redirecting you to another piece of malicious code

This line of code is already detected by Kaspersky as Trojan.JS.Iframe.fz. It can redirect you to another piece of malicious code that can exploit the vulnerabilities in your system to download and run malware on your system.

Another reason users click the URL without thinking is that in the micro blog the URLs are shortened and thus it is difficult to tell if it is malicious or suspicious. Therefore, while enjoying the micro blog, please be sure that you are under the protection of a reliable Internet Security product like Kaspersky and keep it updated.

Yes to tweeting, no to phishing

Your email address will not be published. Required fields are marked *

 

Reports

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

What did DeathStalker hide between two ferns?

While tracking DeathStalker’s Powersing-based activities in May 2020, we detected a previously unknown implant that leveraged DNS over HTTPS as a C2 channel, as well as parts of its delivery chain. We named this new malware “PowerPepper”.

Subscribe to our weekly e-mails

The hottest research right in your inbox