Tag: malware

Smoke Loader poses as an Office plugin

Date of publication: 27/08/2015, Łukasz Siewierski

loveletter1

Zaufana Trzecia Strona – a Polish security news portal – informed about a new attack on Polish user’s (link is in Polish) that used a Microsoft Office plugin install wizard as a decoy. In reality, the user not only installed the plugin, but also a malware called Smoke Loader. It allows the attacker to gather information about the infected machine and, among other things, redirect its DNS queries. We wrote an article about that malware, when we were informing about the infected sites in the gov.pl domain. Here we describe some features of Smoke Loader that seem new to us.
Read more

Slave, Banatrix and ransomware

Date of publication: 03/07/2015, Łukasz Siewierski

loveletter1In March 2015, S21sec published their analysis of the new e-banking trojan horse targetting Polish users. They named it “Slave”, because such a string was part of a path to one of the shared libraries. We think (in part thanks to the kernelmode.info thread) that Slave was made by the same group of authors that are responsible for previously described Banatrix and a ransomware/Android malware campaign. This means that those authors are most certainly fluent in Polish.

Read more

Malware attack on both Windows and Android

Date of publication: 22/05/2015, CERT Polska

loveletter1

On the 7th of May, 2015 we observed a new malicious e-mail campaign, which used the logo and the name of Polish Post Office (”Poczta Polska”). The e-mail supposedly informed about an undelivered package – however, they also included a link which, after several redirects, lead to the download of a malicious file. This file was either a Windows executable or Android APK file (depending on the presented User Agent string).

 

Read more

iBanking is back in Poland

Date of publication: 16/01/2015, CERT Polska

iBanking-qr-icon

iBanking malware was already described on our blog in connection with the attacks targeting Polish e-banking users at the end of 2013. This malware posed as a mobile antivirus application, while in reality it was use to steal one time passwords that were sent via text message. The attack scenario is very similar to the ones observed in the past, seen not only in Poland, but also in other countries. However, this time attackers also used QR codes, which are supposed to be more convenient for users then sending the app URL over the SMS.

Read more

Banatrix – an indepth look

Date of publication: 15/12/2014, CERT Polska

PL_malwareOf all of the Polish malware families that we have seen last year, Banatrix seems to be the most technologically advanced one. This malware was used to replace the bank account number in the browser memory, however its implementation allowed an attacker to execute any arbitrary code on the victim’s machine. This was used to extract passwords saved in the Mozilla Firefox browser. On this article we discuss the Banatrix C&C infrastructure and its use of TOR network both to hide the attacker’s identity and to make the botnet takedown a challenge.
Read more

Merry Christmas from the Bailliff Office

Date of publication: 03/12/2014, CERT Polska

In the last two weeks, the CERT team received multiple reports describing suspicious e-mail messages supposedly coming from the Warszawa Wola (a Warsaw district) Bailiff office. The message contents do not describe the alleged due in detail, thus encouraging the recipient of the message to click on the link described as “Payment Order Photocopy”.Read more

VBKlip 2.0: no clipboard, but Matrix-like effects

Date of publication: 05/09/2014, CERT Polska

PL_malwareIn the last few weeks we received information about a new kind of malware, similar to the VBKlip malware family. However, while reading these incident reports we got a bit of a science-fiction feeling. Users described that they went to the e-banking site and they tried to perform a wire transfer. When they pasted the account number, they saw that it was different than the one they copied. They thought they became infected with the VBKlip and they decided to write the bank account number manually, without the clipboard. When they entered the bank account number it changed “right before they eyes”. This was similar to the famous Matrix animation with green, changing digits. Thanks to one of the reporters we were able to analyze a sample of this malware and see that in fact it did change the bank account number, even if it was entered manually. We decided to call this malware “Banatrix”.Read more