Latest news
Microsoft's researchers have recently been given a heads-up about a Romanian website serving malware, and a closer analysis of the file revealed a rather peculiar behavior.
The site in question is hosted at asistentasociala(dot)info, and it seems to be a rather popular site that offers documents that need to be filled out in order to receive "social welfare" and instructions on how to do it.
Several of the documents (Word and Excel documents, PDFs) made available for download had obviously been changed with EXE files with the same name:
When downloaded, the files' icons are those of the aforementioned benign types of documents, making the probability of the user noticing something even lesser than before.
Once one of these malicious executables is run, it drops the original, harmless document file in order to keep up the charade, but in the background it also drops a BAT file in the Temporary Files folder.
"The BAT file tries to delete files and folders from two software solutions mainly used in Romanian institutions: Indaco (software that offers services for legal documentation) and Aplxpert (a document management system based on regulations designed for public administration)," explain the researchers.
"It also proceeds to delete folders (along with the files inside) that contain the following strings: 'aplxpert', 'indaco' (as previously mentioned), 'mondo', 'agr', 'factur' (invoice), 'gami', 'multi', 'glob', 'alocati', 'arenda', 'social', 'assist', 'vmg', 'asf', 'lemne' (wood), 'incalz' (heating) on the C, D, E, F, G, H drives."
The researchers are still analyzing the malware, but so far its goal seems quite unique. Are the malware peddlers targeting Romanian government employees, or are they aiming to derail the efforts of those trying to receive welfare from the state - ironically, by supposedly offering help with filling out the same files the malware is programmed to delete? This certainly seems a very targeted action, and my bet would be on the second theory.
Hopefully Microsoft's researchers will have more insight to offer in a few days.
Spotlight
17% of the world's PCs are unprotected
Posted on 30 May 2012. | In a study that analyzed data from voluntary scans from an average of 27-28 million computers per month, McAfee researchers found 17% of the world is browsing the internet completely unprotected.
What's new in ISO 22301
Posted on 29 May 2012. | Currently there are many business continuity frameworks and standards around the world, but none of them have really taken the dominant position.
Trojan spyware promoted as Steam keygen
Posted on 29 May 2012. | To users looking for keygens for their Steam games, read on: we found something that will make you think twice and probably leave you steering clear of key generators forever.
New cyber weapon targets systems in the Middle East
Posted on 28 May 2012. | A new sophisticated piece of malware dubbed "Flame" has been discovered in systems belonging to users in many Middle Eastern countries and is though to have been developed by a nation state.
RuFraud scammers caught and fined
Posted on 28 May 2012. | PhonepayPlus managed to cut off a malware attack that took the form of premium SMS fraudulent apps masquerading as popular apps offered on Google Play and other online stores.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
 |
 |
