    TrendLabs Security Intelligence Blog

    Author Archive - Eduardo Godinho (Threats Analyst)

    We have recently detected a new spam attack that attempts to grab the bank data of Brazilian users.

    The mechanics of this attack are simple. Users receive this spam email:


    The mail claims that the user has received an e-card and contains a link to “read” the said card. Clicking the link downloads and executes a file:


    Apparently nothing happens: an Internet Explorer window simply opens, showing a web card that matches the initial phishing email. In the background, however, the HOSTS file is modified so that certain Brazilian banking Web sites resolve to a malicious web site. Any information the user submits on those fake pages is then captured by the attacker.
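    As an added example (not code from the original post or from Trend Micro), the following Python audits a HOSTS file for exactly the redirection described above: a watched banking domain mapped to an address that is not local. The domain names, the TEST-NET address and the sample HOSTS content are constructed placeholders.

```python
"""Audit a HOSTS file for entries that redirect banking domains.

Added example, not Trend Micro code. A HOSTS entry that points a banking
hostname at a routable address is the pharming pattern described above.
"""
import ipaddress
import re

# Constructed placeholders standing in for the Brazilian banking sites the
# post mentions; in real use, supply your organisation's own list.
WATCHED_DOMAINS = ("banco.example", "internetbanking.example")


def _is_watched(hostname, watched):
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watched)


def find_hosts_redirects(hosts_text, watched=WATCHED_DOMAINS):
    """Return (line_no, ip, hostname) for every watched hostname that a
    HOSTS entry maps to a non-local address."""
    hits = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = re.split(r"\s+", line)
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a valid HOSTS entry
        # 127.0.0.1 / ::1 / 0.0.0.0 are used for legitimate local blocking
        if addr.is_loopback or addr.is_unspecified:
            continue
        for hostname in fields[1:]:
            if _is_watched(hostname, watched):
                hits.append((line_no, str(addr), hostname))
    return hits


# Constructed sample HOSTS content mimicking the infection described above.
SAMPLE_HOSTS = """\
# constructed sample, not a real system file
127.0.0.1       localhost
::1             localhost
10.0.0.5        devbox.internal          # legitimate admin entry
0.0.0.0         ads.example              # local block, not a redirect
203.0.113.77    www.banco.example banco.example
203.0.113.77    internetbanking.example  # attacker server (TEST-NET-3)
"""

if __name__ == "__main__":
    for line_no, ip, host in find_hosts_redirects(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip} (possible pharming entry)")
```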

    This spam email is now blocked by the Smart Protection Network. In addition, the malicious file involved is now detected as TSPY_BANCOS.JCM, and the malicious Web site is also blocked.


    While not as massive as earlier Web attacks that have used similar social engineering techniques, a new spamming operation has cybercriminals using the Trend Micro logo to lure unsuspecting Web users into “Trojanizing” themselves.

    Here’s a screenshot of a bogus email message that potential victims in Brazil have been receiving in the past several days:

    Figure 1. Portuguese spam using the Trend Micro, Inc. logo

    These messages, written in Portuguese, inform the recipients that they contain pictures supposedly requested by the recipients themselves. The bogus “picture” is purportedly available for download via a link in the email body.

    The message also carries the Trend Micro logo as a sort of “guarantee” to users that the file they are about to download is legitimate.

    The link, when accessed, does not lead to any image file but installs a Trojan Horse program instead.

    Users are reminded, as always, to be careful in handling links in the messages they receive. The mere mention of an online security company or the appearance of its logo does not guarantee that a message and its contents are legitimate and harmless. Logos, after all, are easy to copy or fake.

    Trend Micro Smart Protection Network already blocks the spammed email messages involved in this threat. It also protects users from TROJ_GENERIC by detecting the Trojan at the desktop level and by providing solutions for its removal.


    This week, we’ve received some reports related to a new malware attack that exploits a tragedy that occurred early this month: a five-year-old child was thrown out of a window. The police are investigating the tragedy, and the latest reports say that all the evidence points to the parents as the ones responsible.

    Hackers sent the spammed email message below, where they promise a video with new and exclusive information regarding the case, including findings about who the suspects are.

    Figure 1: Email message promising to reveal the responsible parties of the murder

    The link in the mail has an obscured address (hxxp://83.x.x.136/terranoticias/index.html) to a fake page from a big and legitimate ISP in Brazil (Terra Networks):

    Figure 2: Fake page from a Legitimate Brazilian ISP

    After the user clicks the link promising the video, the browser instead tries to download the file verdade.com.

    Figure 3: Download dialog box

    This file is detected by Trend Micro as TROJ_BANLOAD.EOZ. Users who have Trend Micro protection have been safe from this threat from the beginning, as Web Reputation Services (WRS) proactively recognizes the fake Web site.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice