It has only been a day since the last strategy shift from the Nuwar gang and they have already gone away from the love letter theme. By monitoring computers infected with Nuwar, we can keep track of their social engineering schemes. They are now using a common theme used by the Zlob threat for a couple of months. They use fake codecs to entice users into downloading and executing their malware.
The screenshot below shows that web pages are used to display advertisement of a codec (piece of software used to read certain video formats). If a user clicks on the image or the text link, he is redirected to an executable named StormCodec.exe (detected as Nuwar.GG by ESET NOD32 Antivirus). It is funny to note that the Storm Worm gang uses a name given by the security industry in their malware. We also noticed that the latest scheme is not completely polished: the title of the fake codec page still reads “I love you”.
The quick pace of changes in Nuwar’s social engineering is a proof that its controllers are paying close attention to the performance of their social engineering campaigns. When they see that a theme is not efficient, they quickly change their strategy. We are facing a rapidly evolving adversary!
Pierre-Marc Bureau
Researcher