Upatre update: infection chain and affected countries

Upatre is a type of malware that is typically installed on a machine after a person is tricked into clicking on a link or opening an attachment contained in a spam email. Since January 2015, we have seen spam emails commonly distributed by variants of the Hedsen and Cutwail malware families. Upatre's malicious actions vary, but…


Insights into Win32/Bradop

Have you heard of Win32/Bradop? We recently investigated this interesting data theft family in more detail and exposed some of its inner secrets. The following is a description of what we found out. Spoiler alert: spam emails, protectors, the download mechanism, database credentials, stolen data, and the source code all figure prominently. Win32/Bradop arrives…


There’s a cream for that

The other day, while previewing messages in my inbox, I saw a conspicuous message with the following parameters, typos included:

To: (email address)
CC: (email address),…
Subject: Your ex sent me this pciture of you.
Body:
Hey (email address),
Your ex sent me this picture claiming it's you. Is it really so? You probaly should see a doctor:) They can…


Stratfor customers targeted by cybercriminals

Cybercriminals are continuing to use a social engineering trick to lure users for their malware campaigns. This time, they targeted customers of Stratfor – a subscription-based provider of geopolitical analysis. Attacks against Stratfor clients began after a reported breach of their customer database. The spammed email contains an attached PDF file named “stratfor.pdf”. Upon opening…


Friendly spam carries Zbot

This morning I spotted a few messages from my mobile carrier in my email inbox. This was not surprising as, only a few hours prior, I had logged into the carrier's website to pay the monthly bill. The standard mode of operation for my provider is to receive a bill via email, and a confirmation…


MSRT November: Dofoil

As previously noted, one of the three families added to the November release of the Microsoft Malicious Software Removal Tool is Win32/Dofoil. TrojanDownloader:Win32/Dofoil is a configurable downloader. Dofoil will attempt to receive control instructions from a remote server. The response contains encrypted configuration data containing download URLs and execution options, as visible in a partially…


Getting tagged and your privacy

This morning my Facebook email address was invaded with spam (scam-spam as I call it) from people in my friends list with subject titles similar to the following: “<Some Friend1> invited you to the event You Gotta See This Exciting Feature!!<random number>” “<Some Friend 2> tagged you on Facebook” The messages appeared suspicious to me,…


Fake Canadian pharma site causing headaches

I awoke the other day to a friend calling me and exclaiming into the phone: "My Yahoo email account was hacked!!!" He had been angrily accused by others in his contact list of sending spam messages and sharing inappropriate website links. Most of the questions he fielded had the same query: "Why did you…


Slick links linked to slinky Winwebsec

I received a spam email from a friend lately, after which I immediately notified him of a potential malware infection. He insisted his technician had taken care of the infection once and for all. After I returned from my vacation I received another three spam mails from him. This time I decided to look further…


Scam emails – the cost of response

Recently, I received an email in my personal inbox with a subject line "MYSTERY SHOPPER ASSISTANT" (the message did not filter to my junk folder and was not marked as spam).

Image 1 – "Mystery shopper assistant" spam

I'm familiar with the hobby of mystery shopping – a service provided under contract where the contractor…