
Archive for August 5th, 2008


Aug 5
by Arman Capili (Technical Communications)

A timely follow-up to last month's "Angelina Nude Movie" spam run appeared just as the coveted first pictures of the so-called Brangelina twins (the children of actor couple Brad Pitt and Angelina Jolie) came out in celebrity magazines.

Trend Micro has just received reports of a new spam email message using the same social engineering technique to trick unknowing users into downloading malicious files onto their systems.

Detected by Trend Micro as TROJ_CHEPVIL.RAR, this compressed .RAR file is attached to email messages that purportedly contain a nude video of Hollywood A-list actress Angelina Jolie (although her first name is misspelled). The email message even provides the password needed to extract the attachment.

Below is a screenshot of the spammed email message:

[Screenshot: the spammed email message]

Of course, there is no video in the attachment — only another Trojan detected as TROJ_CHEPVIL.C. Executing the Trojan triggers a series of downloads starting with TROJ_AGENT.AVSZ (which disables Windows Firewall) and TROJ_RENOS.ADX.

Upon execution, TROJ_RENOS.ADX downloads another malicious file, which is detected as TROJ_FAKEALER.HO.

Potential victims, especially fans of Angie, should be wary of this spam run, and are strongly advised not to open attachments from unknown senders.
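The lure described above pairs a compressed attachment with the password needed to open it, and that pairing is something a mail gateway can flag before the recipient ever extracts the file. The script below is an added example, not Trend Micro code: it builds a constructed message in the shape of this spam run (placeholder bytes stand in for the archive, and the password and lure-word patterns are assumed heuristics) and reports which indicators it finds.

```python
"""Flag emails that pair a compressed attachment with an extraction password
in the body, the lure pattern described in the post.

Added example, not Trend Micro code. The sample messages are constructed;
the attachment bytes are a placeholder, not a real archive.
"""
import email
import re
from email import policy
from email.message import EmailMessage

ARCHIVE_EXTENSIONS = (".rar", ".zip", ".7z")
# Assumed heuristic: phrases a spammer uses to hand over the extraction password.
PASSWORD_RE = re.compile(r"\b(?:password|pass|pwd)\b\s*(?:is\s*)?[:=]?\s*(\S+)",
                         re.IGNORECASE)
# Assumed lure words; extend the list from your own telemetry.
LURE_RE = re.compile(r"\b(?:nude|video|hot|sex)\b", re.IGNORECASE)


def build_sample_message() -> bytes:
    """Constructed spam sample resembling the run described in the post."""
    msg = EmailMessage()
    msg["From"] = "fan@example.net"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Angelyna Jolie nude video!"  # misspelled first name, as in the real run
    msg.set_content("Watch the full video, the archive password is: brad2008\n")
    # Placeholder bytes standing in for the .RAR attachment; only the Rar! magic is real.
    msg.add_attachment(b"Rar!\x1a\x07\x00" + b"\x00" * 32,
                       maintype="application", subtype="x-rar-compressed",
                       filename="angelina_video.rar")
    return msg.as_bytes()


def build_benign_message() -> bytes:
    """Constructed benign message used as a control."""
    msg = EmailMessage()
    msg["Subject"] = "Lunch tomorrow?"
    msg.set_content("Same place at noon?\n")
    return msg.as_bytes()


def archive_attachments(msg: EmailMessage) -> list[str]:
    """Names of attachments whose extension marks them as archives."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(ARCHIVE_EXTENSIONS):
            names.append(name)
    return names


def text_of(msg: EmailMessage) -> str:
    """Subject plus the first text body part, the text a recipient would read."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return str(msg.get("Subject", "")) + "\n" + text


def score_message(raw: bytes) -> dict:
    """Return the indicators found; 'suspicious' is True when an archive
    attachment is paired with a password handed out in the body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    archives = archive_attachments(msg)
    text = text_of(msg)
    has_password = PASSWORD_RE.search(text) is not None
    has_lure = LURE_RE.search(text) is not None
    return {
        "archives": archives,
        "password_in_body": has_password,
        "celebrity_lure": has_lure,
        "suspicious": bool(archives) and has_password,
    }


if __name__ == "__main__":
    print(score_message(build_sample_message()))
    print(score_message(build_benign_message()))
```

The "suspicious" verdict deliberately keys on the attachment-plus-password pairing rather than on the celebrity lure alone, since the bait changes from run to run while the need to hand the victim a password does not.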

Attacks leveraging the popularity of celebrities are abundant, using them as the perfect bait in spam runs. Attacks similar to the one discussed in this post can be found here:

Meanwhile, Trend Micro customers are already protected against this Web threat attack by the Smart Protection Network. Updates on this developing issue will be posted as soon as they are available.

Posted in Malware, Security, Spam

Aug 5
by JM Hipolito (Technical Communications)

The Storm gang is casting its net once again, using “postcards” as bait in a recently discovered spam run, Trend Micro Senior Advanced Threats Researcher Paul Ferguson has reported.

Below is a screenshot of an email sample:

Clicking the link embedded in the message connects the user to any of the following domains:

  • hxxp:// {BLOCKED}cardAdvertising.com/
  • hxxp:// {BLOCKED}ettercard.com/
  • hxxp:// {BLOCKED}ostcardArt.com/
  • hxxp:// {BLOCKED}ostcardmail.com
  • hxxp:// {BLOCKED}reetingcard.com/
  • hxxp:// {BLOCKED}stcardOnline.com/
  • hxxp:// {BLOCKED}ttercard.com/

The aforementioned domains display the following message:

When the page loads, an auto-redirect occurs after three seconds, prompting the user to download a file named POSTCARD.EXE. Below is a screenshot of the displayed message:

The same file, POSTCARD.EXE, is also downloaded if the user clicks the "save it" link on the Web page. The file is detected as TROJ_NUWAR.DDJ.

TrendLabs Advanced Threat Researcher Joey Costoya says it is plausible that the Storm gang keeps changing its techniques in order to evade spam and URL filtering. Storm has been known to constantly change its social engineering technique; the most recent themes have been news of terrorists on social networking sites, economic issues, and fake videos of popular celebrities.

All related domains are now blocked by the Smart Protection Network.
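Two checks follow from the chain described above: a mail filter can match the links in a message against the blocked domains, and a web filter can recognise a landing page that pushes an executable through an automatic redirect or a "save it" link. The code below is an added example, not Trend Micro code. The blocklist, the email text and the landing page are constructed stand-ins, since the real domains are masked in the post, and it assumes the three-second auto-redirect is a `<meta http-equiv="refresh">` tag, which the post does not state.

```python
"""Two gateway checks for the postcard lure: (1) does an email link to a
blocklisted domain, and (2) does the landing page send the visitor to an
executable via an automatic redirect or a download link.

Added example, not Trend Micro code. The blocklist, email and landing page are
constructed; the meta-refresh mechanism is an assumption.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed blocklist standing in for the masked domains listed in the post.
BLOCKED_DOMAINS = {"postcardmail.example", "greetingcard.example", "ettercard.example"}
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed email body in the style of the spam run.
SAMPLE_EMAIL = """You have received a postcard from a family member!
To see it, click http://www.postcardmail.example/postcard/?id=3371
"""

# Constructed landing page: assumed meta-refresh plus a manual download link.
SAMPLE_LANDING_PAGE = """<html><head>
<meta http-equiv="refresh" content="3;url=http://www.postcardmail.example/POSTCARD.EXE">
</head><body>
<p>Your download will start in 3 seconds. If it does not,
<a href="POSTCARD.EXE">save it</a> manually.</p>
</body></html>"""


def is_blocked(host: str) -> bool:
    """True if the host or any parent domain is on the blocklist."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels) - 1))


def blocked_links(text: str) -> list[str]:
    """Return the URLs in an email body whose host is blocklisted."""
    hits = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if is_blocked(host):
            hits.append(url)
    return hits


class _RedirectFinder(HTMLParser):
    """Collects meta-refresh targets and anchor hrefs as absolute URLs."""

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.targets = []  # (source, absolute url) pairs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content") or "", re.I)
            if m:
                self.targets.append(("meta-refresh", urljoin(self.base_url, m.group(1).strip())))
        elif tag == "a" and a.get("href"):
            self.targets.append(("link", urljoin(self.base_url, a["href"])))


def executable_pushes(html: str, base_url: str) -> list[tuple[str, str]]:
    """Return (source, url) pairs where the page sends the visitor to an executable."""
    parser = _RedirectFinder(base_url)
    parser.feed(html)
    return [(src, url) for src, url in parser.targets
            if urlparse(url).path.lower().endswith(EXECUTABLE_EXT)]


if __name__ == "__main__":
    print(blocked_links(SAMPLE_EMAIL))
    print(executable_pushes(SAMPLE_LANDING_PAGE, "http://www.postcardmail.example/postcard/"))
```

Matching parent domains in `is_blocked` means a new subdomain of a known lure domain is caught without a blocklist update, which matters when, as the researcher quoted above notes, the gang rotates infrastructure to slip past filters.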

Posted in Malware, Spam

Aug 5
by Aivee Cortez (Fraud Analyst)

Web site compromises are out of control these days. It seems they can happen to almost anyone, and virtually any site can be victimized when proper security measures are not taken.

Very recently, another government site, the Web site of the Supreme Court of Nepal, fell victim to an SQL injection or XSS attack (possibly enabled by the site's use of an older Web server application version).

Screenshot
Figure 1. Screenshot of the legitimate Supreme Court of Nepal Web site, www.supremecourt.gov.np

After being hacked, this Web site was turned into a host for pornographic video (under the name "porno tv").

Unfortunately, before being cleaned up, the site also included 157 other adult links.

Besides the links, the hacked site also displayed a login page that could be used to harvest email addresses for possible spam distribution.

Screenshot
Figure 2. Screenshot of the Supreme Court of Nepal after being compromised by hackers

We also observed the injected folder with adult HTML files, as shown below:

Screenshot
Figure 3. Screenshot of indexed folders pertaining to the site

This folder contained the adult files but no malware at the time we discovered it (it has since been cleaned up, but we're keeping an eye on it).
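An injected folder like the one shown above is easy to miss on a site nobody audits, but trivial to catch when the Web root is compared against a baseline of file hashes. The script below is an added example, not Trend Micro code: it builds a constructed Web root in a temporary directory, records a baseline, simulates a folder of injected HTML pages plus a modified index page, and reports what changed.

```python
"""Detect content injected into a Web root by comparing it against a
baseline manifest of file hashes.

Added example, not Trend Micro code. The Web root, file names and contents
are constructed in a temporary directory.
"""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every path as added, removed or modified relative to the baseline."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def new_directories(diff: dict[str, list[str]]) -> list[str]:
    """Top-level directories that received new files. An injected folder shows
    up here even when, as in the post, it holds no executable malware."""
    return sorted({p.split("/", 1)[0] for p in diff["added"] if "/" in p})


def _write(root: Path, rel: str, text: str) -> None:
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(text, encoding="utf-8")


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a clean site, simulate a compromise,
    and report the difference."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _write(root, "index.html", "<h1>Constructed sample site</h1>")
        _write(root, "css/site.css", "body { font-family: serif }")
        baseline = build_manifest(root)

        # Simulated compromise: a new folder of injected pages and a defaced index.
        _write(root, "injected/page1.html", "<a href='http://adult.example/'>...</a>")
        _write(root, "injected/page2.html", "<a href='http://adult.example/2'>...</a>")
        _write(root, "index.html", "<h1>porno tv</h1>")

        diff = compare(baseline, build_manifest(root))
        diff["new_directories"] = new_directories(diff)
        return diff


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline is generated at deploy time and stored off the Web server, so an attacker who gains write access to the document root cannot also rewrite the manifest; the comparison then runs on a schedule and alerts on any non-empty "added" or "modified" list.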

The Trend Micro Smart Protection Network protects users from inappropriate content by classifying this site as Pornography, enabling users or administrators to block access to this category of sites.

Note that we have already informed the owners of the said site of our findings and that the site, as of this writing, is already clean.

Posted in Malicious Websites


© Copyright 2008 Trend Micro Inc. All rights reserved. Legal Notice