    12:21 pm (UTC-7)   |    by

    The Storm gang is casting its net once again, using “postcards” as bait in a recently discovered spam run, Trend Micro Senior Advanced Threats Researcher Paul Ferguson has reported.

    Below is a screenshot of an email sample:

    Clicking the link embedded in the message connects the user to any of the following domains:

    • hxxp:// {BLOCKED}

    The aforementioned domains display the following message:

    When the abovementioned page loads, an auto-redirect occurs after three seconds, prompting the user to download a file named POSTCARD.EXE. Below is a screenshot of the displayed message:

    The same file, POSTCARD.EXE, is also downloaded if the user clicks on the "save it" link on the Web page. The file is detected as TROJ_NUWAR.DDJ.
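
As an added illustration (not part of the original post and not Trend Micro's tooling), the check below flags a landing page that shows the two behaviours described above: a timed redirect to an executable and a fallback link to the same file. It assumes the redirect is implemented as an HTML meta refresh, which the post does not state; the sample page, its wording and the host name are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

EXECUTABLE_EXT = (".exe", ".scr", ".pif")
# Matches a refresh value such as "3; url=http://host/file.exe"
REFRESH_RE = re.compile(r"^\s*(\d+)\s*[;,]\s*url\s*=\s*['\"]?([^'\"]+)", re.I)


def is_executable(url):
    """True when the URL path ends in an executable extension."""
    return urlparse(url).path.lower().endswith(EXECUTABLE_EXT)


class LureScanner(HTMLParser):
    """Collects timed meta-refresh targets and anchors that point at executables."""

    def __init__(self):
        super().__init__()
        self.refresh = []  # (delay_seconds, url)
        self.links = []    # href values pointing at executables

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = REFRESH_RE.match(a.get("content", ""))
            if m and is_executable(m.group(2)):
                self.refresh.append((int(m.group(1)), m.group(2).strip()))
        elif tag == "a" and is_executable(a.get("href", "")):
            self.links.append(a["href"])


def scan(html):
    """Return findings for a page body; an empty list means nothing matched."""
    scanner = LureScanner()
    scanner.feed(html)
    findings = [f"auto-download after {d}s: {u}" for d, u in scanner.refresh]
    findings += [f"manual fallback link: {u}" for u in scanner.links]
    return findings


# Constructed sample page (not the real Storm page; the host is a placeholder).
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="3; url=http://lure.example.invalid/POSTCARD.EXE">
</head><body>Your postcard will download shortly. If not,
<a href="/POSTCARD.EXE">save it</a>.</body></html>"""

# Constructed benign page: a timed refresh to an ordinary HTML document.
BENIGN = '<html><head><meta http-equiv="refresh" content="5; url=/home.html"></head></html>'

if __name__ == "__main__":
    for line in scan(SAMPLE):
        print(line)
```
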

    TrendLabs Advanced Threat Researcher Joey Costoya says it is plausible that the Storm gang is using this constant change in techniques to evade spam and URL filtering. Storm has been known to constantly change its social engineering techniques, the most recent ones being news of terrorists on social networks, economic issues, and fake videos of popular celebrities.

    All related domains are now blocked by the Smart Protection Network.
