Week in review 8 August 2014
This week we saw parcel phishing emails, a new and disturbingly stealthy form of malware, and a Trojan that appears to have gone undetected since 2012. Android users have been targeted by a Remote Access Technology (RAT) exploit, and yet another Facebook phishing campaign is underway.

Getting a parcel is usually welcome news. Not so welcome is an email supposedly from Australia Post claiming they are holding a parcel for you, and warning that parcels unclaimed after 30 days attract a daily fee. The email leads to a fake site whose aim is to capture user details. Whilst the email letterheads were realistic, there were a few indications that the email was false. Australia Post sent out tweets warning customers of the scam.

A new malware threat called Poweliks came to light this week. Poweliks runs from the system registry and does not create files on disk, making it hard to detect. Further, Poweliks persists through reboots, which so far makes it unique among malware that resides in the system registry. Poweliks will also download other types of malware, according to what the attacker wishes to do. It does look to be part of a dangerous new breed of system-registry malware.

Another RAT that surfaced this week was the IcoScript Trojan. It looks like this Trojan has been around since 2012, but has only just been uncovered. There is a big reason for this: IcoScript receives its commands through specially crafted emails sent from a controlling account. Typically the controlling email account is on Google or Yahoo, so the traffic does not look unusual and corporate networks don't block it.

A form of social engineering is used in the fourth news item this week. Some person(s) have crafted emails that look like they are from Kaspersky Labs. The emails tell the user that their Android phone has a virus, and that they can resolve the issue by downloading an attachment called Kaspersky_Mobile_Security.apk. However, the file is actually SandroRAT malware. Once installed, the malware can intercept phone calls and SMS, and it may also download other malware.
Because of its size, Facebook is the target of many phishing campaigns. Another one came to light this week. Once again, an email supposedly from Facebook contains a link to a false site, with the aim of stealing the user credentials. The reach of Facebook practically ensures that it will be a target for phishing campaigns.