Cybercriminals exploit Boston Marathon bombing to steal user info

• Users who click on malware link also unknowingly download a worm program called WORM_KELIHOS.NB
• WORM_KELIHOS.NB can also be transmitted via USB and to other removable devices

LESS than 24 hours after the explosions at the Boston Marathon, security company Trend Micro Incorporated detected more than 9,000 spammed messages relating to the tragic incident that took three lives and left scores injured.

Some spammed messages used the subjects “2 Explosions at Boston Marathon,” “Aftermath to explosion at Boston Marathon,” “Boston Explosion Caught on Video” and “Video of Explosion at the Boston Marathon 2013″ in an attempt to trick curious and concerned users into downloading malware that would lead to the theft of their credentials.
 
These spammed messages only contained a single URL link, http:// {BLOCKED} / boston.html, Trend Micro said in a statement.
 
Once clicked, the webpage will display an embedded YouTube video of the Boston Marathon explosions. However, at this point users who clicked the link would have also unknowingly downloaded a worm program called WORM_KELIHOS.NB, the company said.

 
Behavior of WORM_KELIHOS.NB
 
Once this worm infects a user’s computer, it obtains user credentials from different File Transfer Protocols (FTPs) such as LeapFTP, P32bit FTP, FTP Control, SecureFX, BitKinex, and FileZilla.
 
It also steals affected users’ Bitcoin wallet and other data (email addresses, etc.) on the affected computer’s local drive for further profit, Trend Micro said.
 
The company noticed that this worm was carefully designed so that the download link points to varying IP addresses every time it is accessed in order to hide its origin. Currently these IP addresses are traced back to several different countries including Argentina, Australia, Netherlands, Japan, Russia, Taiwan, and Ukraine.
 
Further analysis by Trend Micro also showed WORM_KELIHOS.NB could also be transmitted via USB and to other removable devices. Upon being transferred, the worm hides all the folders on the removable drive and replaces them with a .LNK file that appears as a folder icon.
 
Although this folder can be accessed, the user would also unknowingly be executing a malicious command before the requested action could be completed.

 
Spreading like wildfire
 
In addition to this spam sample and spreading the worm through removable devices, other social media platforms were used to exploit similar threats.
 
For example, malicious Tweets and links on free blogging platforms crafted just hours after the blast were launched for the purposes of stealing money, resources, and identities.

 
Exploiting people’s curiosity of global concerns has always been a staple of cybercrime attacks. This goes to show that a cybercriminal’s work never ends.
 
For further information on this threat, please check: http://blog.trendmicro.com/trendlabs-security-intelligence/kelihos-worm-emerges-takes-advantage-of-boston-marathon-blast/
 

For more technology news and the latest updates, follow @dnewsasia on Twitter or Like us on Facebook.