    Author Archive - JM Hipolito (Technical Communications)

    BREDOLAB set out on a spam rerun just in time for the holidays. This recent run is similar to the laptop delivery note spam run we reported in August. This time, however, the spammed message appears to have come from the well-known courier DHL.

    The spammed message makes it appear as though the users have received a notification from DHL, alerting them about an error in shipping a certain package. The message also prompts the users to open an attached file.


    The attached file DHL_package_label_cfb35.exe is detected as TROJ_BREDOLAB.CB.

    The dynamics of this spam run, although relatively old and simple, could still pack a punch, especially now that we are well within the part of the holiday season when most people do their gift shopping. People who have purchased a laptop online and are expecting it to arrive by courier are especially prone to falling for this attack.

    Last month, we posted Trend Micro research that revealed connections between BREDOLAB, FAKEAV, and ZBOT. BREDOLAB has been used numerous times to deploy FAKEAV and ZBOT variants. Such behavior is similar to that of PUSHDO, which also led to the conclusion that PUSHDO and BREDOLAB were developed by the same cybercriminals. Our full report on BREDOLAB can be found here.

    Trend Micro product users are protected from this threat through the Smart Protection Network.


    The KOOBFACE gang certainly knows how to bring on the Christmas spirit.

    KOOBFACE has pushed a new campaign with the help of the new component that we saw deployed last month. The said component executes human-like behavior such as joining Facebook groups and posting messages on Facebook friends’ walls. This new campaign, on the other hand, boasts a timely theme.

    The bait is basically the same for this run: posts that appear to have been published by another user offer a link to a video. Clicking the link leads to the fake YouTube page typical of KOOBFACE attacks, only this time the page is presented as a Christmas-themed video:


    The file downloaded from the page is detected by the Trend Micro Smart Protection Network™ as WORM_KOOBFACE.X.

    This isn’t the first Christmas-themed attack we’ve seen this year, as we’ve reported spam runs using Christmas in their social engineering ploys as early as September. And judging from what has been observed in past years, this attack will not be the last.

    Thus, as with any season, users are advised to be aware and exercise caution when online to help stay safe from online threats.


    Cyber Monday is basically the online retailers’ version of Black Friday and is considered the busiest day of the year for online shoppers and sellers alike. The National Retail Federation (NRF) estimates 96.6 million Americans to shop this Cyber Monday, an 11.5 million increase from 2008’s 85 million, while 87.1% of retailers are going to have a special promotion for the said event.

    With such great numbers of shoppers and promotions expected to flood the Web, it is certain that shoppers and sellers aren’t the only ones who will be busy. Cybercriminals are surely bound to leverage this busy day, which is why users should keep their guard up and watch out for the following ploys that are likely to arise:

    1. Tainted shopping search results: Searching for the best deals might bring about some malware-related complications, as search results related to popular sales and sought-after products can be manipulated to lead to malicious websites.
    2. Phishing spree: Phishers will surely anticipate the throngs of online shoppers who will key in their credit card details as they make their purchases, and will deploy phishing attacks in hopes of stealing that information.
    3. Fake receipts used as bait: Just as in-store shoppers are handed a receipt as the transaction takes place, online shoppers are provided receipts through email or other means. Unfortunately, this gives cybercriminals a convenient opening: fake receipts are used as bait to lure users into opening files that contain malware.

    Despite the expected increase in online shoppers, the NRF expressed that shoppers aren’t likely to go on careless shopping sprees due to the still-lingering effects of the recession. Users, the NRF states, are forced to stick to necessities in their purchases.

    We strongly suggest that users extend their cautiousness in choosing their purchases to their online shopping habits as well. The Trend Micro Smart Protection Network can and will protect Trend Micro users from these threats by blocking malicious spam emails and URLs and detecting malicious files.

    Other users are advised to stay protected and keep in mind that everyone is out for a quick and seamless bargain, even cybercriminals.


    Users who are currently planning to go or return to Brazil, especially with the holidays coming up, should watch out for a recent spam run. Spammed messages fashioned to look like an email from a Brazilian airline are offering users tickets to Brazil for just US$1.


    Here is a rough translation of the text in the spam:

    Promotion Voegol the $1.00 is back, buy tickets or return for all of Brazil to only $1.00.
    Visit our online service through the website: and mention code: VG1R
    After that, wait for contact from a clerk, and make the purchase.
    Further promotion visit:

    The spam run seems to take advantage of the promotions currently being offered by the said Brazilian airline. As enticing as the offer is, however, the links in the said email lead nowhere near cheap tickets. The link leads to a URL that downloads TROJ_DLOADR.APX. TROJ_DLOADR.APX then connects to other URLs to download TSPY_BANKER.NGN. TSPY_BANKER variants have been known to take a special interest in Brazil. They are known to steal banking information specifically related to Brazilian banks.

    Users are advised to ignore similar spam they receive and instead check out the airline’s website for promos and other offers. On the other hand, Trend Micro users are protected from this attack through the Smart Protection Network.


    Cybercriminals are using compromised Twitter accounts to spam out links to information-gathering websites to unknowing users.

    The attack starts with compromised Twitter accounts. The accounts are used to send out Direct Messages to the followers of the users who own the compromised accounts.


    The Direct Message—which is basically the Twitter counterpart of a private message—contains a link to what looks like an IQ test website:


    An IQ test may seem harmless, but the last thing asked for in the test is no longer an answer but the respondent’s mobile number. Though the real motive for this scheme is unclear, we believe that it was set up to gather mobile numbers from unknowing users, who then become potential targets for SMS spam or other mobile-related attacks.

    Users are strongly advised to refrain from clicking the links contained in similar Direct Messages that they may encounter even if the person who sent the DM is a known user. On the other hand, those users who think that their accounts may be one of those compromised should change their passwords as soon as possible.

    The Trend Micro Smart Protection Network™ protects users from this by blocking all related URLs.

    Update as of 08:49 P.M. “Users who do give out their mobile phone numbers may end up being billed at least US$10 a month for text messages,” says KOMO News. Though not every online IQ test will charge you, most are just there to scam unwitting users. Keep in mind that if a test asks for your mobile phone number, it is looking for a way to bill your mobile phone account. If the quiz looks like it came from someone in your Twitter account then a hacker must have hijacked other people’s accounts to make you think you are getting a message from someone you know.

    Update as of November 13, 10:52 A.M. This attack does not simply harvest the affected users’ numbers but also signs up their mobile phones for an auto-renewing subscription, as described in the terms and conditions.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice