In less than 24 hours after the explosions at the Boston Marathon, IT security company Trend Micro Incorporated detected more than 9,000 spammed messages relating to the tragic incident that took 3 lives and left many injured.

Some spammed messages used the subjects “2 Explosions at Boston Marathon,” “Aftermath to explosion at Boston Marathon,” “Boston Explosion Caught on Video” and “Video of Explosion at the Boston Marathon 2013” in an attempt to trick curious and concerned users into downloading malware that would lead to the theft of their credentials.

These spammed messages contained only a single URL, http:// {BLOCKED} / boston.html. Once clicked, the webpage displays an embedded YouTube video of the Boston Marathon explosions. At the same time, however, users who clicked the link would also have unknowingly downloaded a worm program called WORM_KELIHOS.NB.

Once this worm infects a user’s computer, it obtains stored credentials from various FTP client programs such as LeapFTP, P32bit FTP, FTP Control, SecureFX, BitKinex, and FileZilla. It also steals the affected user’s Bitcoin wallet and other data (email addresses, etc.) from the computer’s local drive for further profit.

Trend Micro said it noticed that this worm was carefully designed so that the download link points to varying IP addresses every time it is accessed in order to hide its origin. Currently these IP addresses are traced back to several countries including Argentina, Australia, Netherlands, Japan, Russia, Taiwan, and Ukraine.

Further analysis by Trend Micro also showed that the malware (WORM_KELIHOS.NB) can spread via USB sticks and other removable devices. Upon being transferred, the worm hides all the folders on the removable drive and replaces each with a .LNK file that carries a folder icon. The folder can still be opened through the shortcut, but the user unknowingly executes a malicious command before the requested action completes.
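A defender's check for the removable-drive trick described above, written as an added example that is not part of the original report or of Trend Micro's tooling: it scans a drive root and flags every folder that has a same-named .lnk shortcut beside it, which is the visible trace of the folder-hiding behaviour. The sample drive layout is constructed; the hidden-attribute check uses the Windows attribute bit and falls back to a dot-prefix test on other systems.

```python
"""Flag folders on a drive that have a look-alike .lnk shortcut next to them."""
import tempfile
from pathlib import Path

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows attribute bit; not present on other OSes


def is_hidden(path: Path) -> bool:
    """Hidden via the Windows attribute bit, or a dot-prefix elsewhere."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN) or path.name.startswith(".")


def find_shadowed_folders(root):
    """Return (folder_name, folder_is_hidden) for each directory under root
    that has a sibling file named "<folder>.lnk".  A clean drive yields [].
    """
    root = Path(root)
    dirs = {p.name: p for p in root.iterdir() if p.is_dir()}
    hits = []
    for p in root.iterdir():
        # Case-insensitive suffix check: Windows treats .LNK and .lnk alike
        if p.is_file() and p.suffix.lower() == ".lnk" and p.stem in dirs:
            hits.append((p.stem, is_hidden(dirs[p.stem])))
    return sorted(hits)


def build_sample_drive():
    """Constructed sample layout mimicking an affected removable drive."""
    root = Path(tempfile.mkdtemp())
    (root / "Photos").mkdir()
    # Placeholder bytes standing in for the shortcut; not a real .lnk file
    (root / "Photos.lnk").write_bytes(b"L\x00\x00\x00")
    (root / "Work").mkdir()  # untouched folder with no .lnk twin
    (root / "readme.txt").write_text("clean file")
    return root


def build_clean_drive():
    """Constructed layout with folders only, so the scan reports nothing."""
    root = Path(tempfile.mkdtemp())
    (root / "Docs").mkdir()
    return root


if __name__ == "__main__":
    for name, hidden in find_shadowed_folders(build_sample_drive()):
        print(f"suspicious: folder {name!r} has a .lnk twin (hidden={hidden})")
```

On a real drive, pass its root (for example `E:\`) to `find_shadowed_folders`; on Windows the hidden flag in each hit will normally be True for a folder the worm has processed.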

In addition to this spam sample and the spread of the worm through removable devices, the same lure was pushed through other social media platforms. For example, malicious Tweets and links on free blogging platforms, crafted just hours after the blast, were launched for the purposes of stealing money, resources, and identities.

Further information regarding this threat can be found here[link].

Exploiting people’s curiosity about events of global concern has always been a staple of cybercrime. This goes to show that a cybercriminal’s work never ends.

Trend Micro said its Smart Protection Network detects and blocks all related spammed messages and all URLs associated with this malware.
