Facebook comments carry out pharming against Mexican banks

A fake email purporting to come from Facebook was spread in December. The email shows a notification about an alleged comment from Sammy Villanueva.


When the link is opened, it redirects to a site from which a malicious executable file called ComentarioSammyVillanueva.exe is downloaded.


Executable file Downloads_D modifies registry keys


Pharming and phishing on Brazilian sites

A few days ago we received an email reporting malicious code propagated through a URL like the following:

http://XXXXXXX#/fotos_flagrante-Dilma.JPEG?0.25970

The file downloaded from the link above is named fotos.com. So far, the antivirus engines that detect it as a threat are the following:


Fareit trojan sent by email that steals passwords from FTP services and browsers

Summary

This report presents the analysis of a variant of the Fareit family. This malware has characteristics of a dropper, because it contains a malicious batch script that is created and executed on the infected computer, and of spyware, because it collects the account information stored by the users' FTP applications, browsers and email clients without their consent.


Infection campaign by the downloader Upatre and the Trojan Dyre through emails

Abstract

In this report we present the analysis of a variant of Upatre, a trojan downloader whose primary function is to download other files from remote servers, such as a sample of the Dyre family. These variants are sent as attachments in spam emails.


A glimpse to the phishing and malware situation in Mexico (August – September)

Abstract

We have all received at least one fake message in our email accounts that tries to obtain personal information (such as usernames, passwords, credit card data, etc.) or that redirects us to websites that download malicious programs. These emails, which appear to come from a trusted source, are known as phishing and make use of social engineering techniques to trick users. The following report presents a general analysis of several malware samples related to phishing websites that were reported to UNAM-CERT, with the objective of showing some of the most common cases and reducing the number of affected users.


Malware downloaded from a fake site for consulting the CURP (a population registry code in Mexico)

Abstract

In this report we describe the analysis of a sample obtained from a site where Mexican users could supposedly consult and download their CURP (Unique Population Registry Code). The trojan gathers information about the system, encrypts it and then sends it to remote servers. It also uses three different methods to maintain its persistence on the infected computer.


Static analysis of the Dalixy worm

Abstract

This blog entry documents the analysis performed on a variant of the Dalixy malware family, also known as LdPinch, Dalia or Trodal. Dalixy is a malicious program with characteristics of both a worm (it sends itself through email) and a bot (it communicates over IRC).


Valentine's Day Malware

During holidays, malicious activity increases because attackers are usually more successful at deceiving users and taking advantage of them. Valentine's Day is one of the best examples of this, which is why the malware analysis team of UNAM-CERT decided to publish a report about a sample that, although not recent, illustrates very well the dangers of falling for the frauds of malicious code authors.


Users' information redirected to malicious proxy servers

UNAM-CERT recently received a report about a malicious file that redirects infected users' information to a proxy server in order to read specific data and steal credentials for legitimate sites without the user noticing; for this reason, an investigation of the case was started.
