Attackers Using Compromised Web Servers to Spread Kuluoz Trojan

Spam messages claiming to link to an invoice, shopping receipt, airline ticket, or some other type of confirmation document were the predominant mode of malware distribution in April, Solera Networks said.

The campaign began around April 4, and each spam message contained a link to a URL that pointed to a malicious Zip file, Andrew Brandt, director of threat research at Solera Networks, wrote on the ThreatVision Lab blog this week. If the user clicked on the link, the site downloaded a fairly small Zip file containing the Kuluoz Trojan. The malware appears to hide its nefarious nature by using an innocuous icon resembling a word processing or writing application, such as Microsoft Word or UltraEdit, a Notepad-like text editor.

The message content itself remained relatively static across the campaigns, but the links included in the mail “constantly shift to a long list of Websites” that belonged neither to the malware distributor nor to the business the distributor was pretending to be, Brandt said. In fact, Solera Networks has seen at least 126 separate Web domains used in the campaign since the beginning of April. The URLs followed a consistent naming convention and were typically active for less than a day.

“With so many stolen Web sites available, the malware distributors don’t seem to be all that bothered,” Brandt said. All of the links identified belonged to small businesses, organizations, and individuals.

These sites may have been compromised the traditional way, with attackers going after each one individually, or the attackers may be using mass break-ins.

The Anti-Phishing Working Group (APWG) found in its latest Global Phishing Survey, covering the second half of 2012, that attackers were increasingly breaking into Web servers hosting a large number of domains. After uploading the malicious software, the attacker can update the server's configuration so that the malware is associated with every domain served by that Web server, according to the APWG. Approximately 47 percent of all phishing attacks worldwide in the second half of 2012 involved such break-ins to Web servers, APWG said in its report. In comparison, “we started 2012 with no attacks of this nature,” the APWG said.

“Instead of hacking sites one at a time, the phisher can infect dozens, hundreds, or even thousands of web sites at a time, depending on the server,” according to the report.


These attacks corrupt local navigational infrastructure to misdirect consumers to counterfeit Websites, or to authentic Websites reached through phisher-controlled proxies, APWG wrote in its latest Phishing Activity Trends Report for the fourth quarter of 2012.

After the user unzips the archive and runs the executable file, the malware opens the default text editor and displays a message indicating the package has not yet been delivered. In the background, the malware rapidly attempts to contact multiple command-and-control servers, making five to ten attempts per minute.
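The five-to-ten-attempts-per-minute C2 polling described above is a rate-based signal a defender can look for in outbound connection logs. The following is an added example, not code from the article or from Solera Networks: it parses a constructed firewall-style log (the line format, the addresses, and the thresholds are all assumptions) and flags any internal host that makes at least five connection attempts within one minute to two or more distinct external servers.

```python
"""Flag hosts whose outbound connection attempts resemble rapid C2 polling
(several attempts per minute spread across multiple servers).
The log format, sample addresses and thresholds are assumptions for this example."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in an assumed format:
# "<ISO timestamp> <src_ip> -> <dst_ip>:<port> <verdict>"
SAMPLE_LOG = """\
2013-04-08T09:15:02 10.0.0.5 -> 203.0.113.10:8080 DENY
2013-04-08T09:15:09 10.0.0.5 -> 203.0.113.11:8080 DENY
2013-04-08T09:15:17 10.0.0.5 -> 203.0.113.12:8080 DENY
2013-04-08T09:15:24 10.0.0.5 -> 203.0.113.10:8080 DENY
2013-04-08T09:15:31 10.0.0.5 -> 203.0.113.11:8080 DENY
2013-04-08T09:15:40 10.0.0.5 -> 203.0.113.12:8080 DENY
2013-04-08T09:15:52 10.0.0.5 -> 203.0.113.10:8080 DENY
2013-04-08T09:15:03 10.0.0.9 -> 198.51.100.7:443 ALLOW
2013-04-08T09:15:45 10.0.0.9 -> 198.51.100.7:443 ALLOW
2013-04-08T09:16:05 10.0.0.5 -> 203.0.113.11:8080 DENY
"""


def parse_line(line):
    """Return (minute_bucket, src_ip, dst_ip) for one log line, or None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    dst_ip = parts[3].rsplit(":", 1)[0]  # strip the port
    return ts.replace(second=0, microsecond=0), parts[1], dst_ip


def find_beaconing_hosts(log_text, min_attempts=5, min_distinct_dsts=2):
    """Group attempts per (source host, minute) and return the buckets with
    at least min_attempts attempts to at least min_distinct_dsts distinct servers.

    Each hit is (src_ip, minute_iso, attempt_count, distinct_destination_count)."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the scan
        minute, src_ip, dst_ip = parsed
        buckets[(src_ip, minute)].append(dst_ip)

    hits = []
    for (src_ip, minute), dsts in sorted(buckets.items()):
        distinct = len(set(dsts))
        if len(dsts) >= min_attempts and distinct >= min_distinct_dsts:
            hits.append((src_ip, minute.isoformat(), len(dsts), distinct))
    return hits


if __name__ == "__main__":
    for src_ip, minute, attempts, distinct in find_beaconing_hosts(SAMPLE_LOG):
        print(f"{src_ip} at {minute}: {attempts} attempts to {distinct} distinct servers")
```

In the constructed sample, only 10.0.0.5 crosses the threshold (seven attempts to three servers in the 09:15 minute); the second host's two normal HTTPS connections and the single spill-over attempt at 09:16 are ignored. In practice the thresholds would be tuned against the environment's baseline, since legitimate software updaters can also poll several hosts per minute.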

The tactics are the same, but the malware has changed, Brandt said. In March, spam messages using the same tricks were spreading Cridex (also known as Bublik), which would then download other password stealers onto the infected machine, according to Solera Networks.

Email remains an “effective attack vector for phishing, malware, and spam,” according to the APWG fourth quarter report. The quarter saw an all-time high in the number of brands and legitimate entities targeted by attackers.
