Malware, Phishing

Nivdort trojan found in new Facebook phishing attack


The cybercriminals who targeted WhatsApp users with malware may be behind a phishing scam that is now going after Facebook users, according to a new report.

The Comodo Threat Research team said the Facebook version behaves in a similar manner as the WhatsApp malware, part of the Nivdort malware family, by representing itself as an email from Facebook telling the recipient that they have an “audible” message. In addition, each subject line ends with odd lettering groups like Yqr or sele – likely being used to dodge any onboard security software, the blog said.

The emails contain an attached .zip file housing the actual malware, which is an .exe file that when clicked automatically replicates and places itself on the C drive and in the auto-run in the computers registry spreading the malware.

“It will add itself into a registry by adding a new key and will register itself as a system service as well. Other records will also be created to run at startup. Removing this kind of infection requires a thorough scanning of all of these potentially affected locations,” Fatih Orhan, Comodo's Threat Research Lab told in an email Thursday.

As with other Nivdort family members, Orhan said this is a trojan that collects sensitive information such as such as usernames or IDs, passwords, bank or credit card account information, tax returns and sends them to another party.

Because the average user tends to trust names brands like Facebook and WhatsApp they will remain popular with criminals.

“Already in 2016, we're seeing a major increase in this type of malware spreading all over via email or browser. We expect to see this continue for all types of companies and sites,” Orhan said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.