What do the “FIFA World Cup” and Gaza attack have in common? They are both currently being used as social engineering ploys by a couple of malware campaigns seen on Twitter. TrendLabsSM senior threat researcher Ivan Macalintal spotted several malicious programs being distributed via the popular microblogging site. These malware campaigns take advantage of noteworthy events to lure users into clicking malicious links in Tweets.
The first malware run makes use of the upcoming “FIFA World Cup” (set to see record levels of global interactivity according to CNN) by sending the following Tweet:
Clicking the link leads users to download a copy of a backdoor detected as BKDR_BIFROSE.SMK, which connects to IP addresses that allow a remote user to perform malicious activities on affected systems. These activities include sending and receiving files, keylogging, and retrieving user names and passwords. It also has rootkit capabilities, which enable it to hide its processes and files from its victims.
The second campaign, on the other hand, sends out the following Tweet related to the Gaza attacks:
This time, the malware that is downloaded from the link is BKDR_BIFROSE.PAB, which opens a hidden Internet Explorer (IE) window and opens TCP port 788 to listen for commands from a remote malicious user who may initiate a denial-of-service (DoS) attack to target systems using specific flooding methods.
Trend Micro™ Smart Protection Network™ protects users from these threats by detecting and deleting BKDR_BIFROSE.SMK and BKDR_BIFROSE.PAB via the file reputation service. Users must also be wary of and double-check shortened links in microblogging site updates.
The “FIFA World Cup” is an incredibly popular global event that has already moved opportunistic cybercriminals into action as seen in the following previous posts:
- Latest Online Scam Targets FIFA Fans
- 2010 FIFA World Cup Spam Strikes Again
- Scammers Attempt to Score Through the FIFA World Cup
The past couple of months proved to be no safer for microblogging (i.e., Twitter) users either as seen in: