It shouldn’t be a surprise to anyone that the Nuwar gang has released a new version of their social engineering scam for Valentine’s Day; they are just a bit early.

The gang has once again started sending spam messages with subjects related to love. The body of each e-mail contains a short message and a link to a host infected with Nuwar that serves new variants. The new design of the website looks like the following screenshot.

 

The latest variants are detected as Nuwar.BH and the file name we have seen so far is withlove.exe.  This malware installs its configuration file and a system driver in the system32 folder.  Both file names begin with “burito” followed by random characters.

Pierre-Marc Bureau
Researcher