Here Come (more of) The Ghouls

[Update: it's likely that the attacks described below will also take advantage of the more recent bombings in Dagestan, as described by the BBC here. Isn't it bad enough that horrors like this take place at all, let alone provide revenue for cybercriminals?]

Late last night (30th March) I added a pointer to my earlier blog on criminal exploitation of the Moscow Metro bombings to a post on ESET Latin America's blog page. The post was written in Spanish by Jorge Mieres, and is at My first job today was going to be to put a translation up here, but Sebastián Bortnik has beaten me to it.

Infection campaign using the Moscow bombing as a strategy

ESET Latin America's Research Laboratory has detected a major malware infection campaign, carried out through the Twitter microblogging social network and through major web search engines such as Google: these attacks attempt to spread malicious code by tricking end users into running it.

In the first case, the strategy is to use Twitter profiles to publish malicious web addresses that claim to be about the bomb attacks on trains in Moscow. Each URL (the gangs are using shortened URLs, so the real destination is hidden from the reader) links to a web site that allegedly displays a streaming video. However, within seconds of trying to access it, a popup tells the victim that they need a codec in order to view it, and offers them the option to download it. Of course, the "codec" (as is usually the case with this trick) is really a malicious program.

[Image: Twitter malware]

All the malicious pages that carry this malware are hosted at the same IP address: a server in Israel, already identified as a source of spam and malware.

We have already detected more than 1,000 malicious links in the Twitter profiles being used, and we are working to have those profiles removed.

This campaign is directly related to the other attack, which is conducted using BlackHat SEO (Search Engine Optimization) techniques, i.e. poisoning search engine indexes so that attacker-controlled pages rank highly for topical queries. Below you can see a search related to the incident in Moscow, which links to harmful sites:

[Image: malicious search results]

This shows the range of attack vectors that can be used to propagate malware, and unfortunately the techniques mentioned are seen regularly.

Files downloaded in both cases are detected by advanced ESET NOD32 heuristics as variants of the threat family Win32/Kryptik.

Therefore, we warn users to avoid clicking on suspicious messages spread through social networks or in search engine results and, above all, to keep their antivirus software updated.

Jorge Mieres
Security Analyst

As I commented in my previous blog: "It makes sense to be cautious about following links on the topic, especially the ones that appear around the top. The gangs have become expert at manipulating search engine ranking so that malicious URLs are among the first links you see in a search." Search terms on Twitter and on Google relating to the Moscow bombings have, in recent days, been very highly ranked.
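One practical check that follows from Jorge's findings above (more than a thousand distinct short links, all ending up on one server): expand shortened URLs without ever rendering the destination, bound the number of redirect hops so a loop cannot hang the scanner, and group the final destinations by host, so that many short links collapsing onto a single server stand out. This is an added illustration, not ESET's tooling or the gang's infrastructure; the sample tweets, the redirect table and every hostname in them are constructed for the demonstration.

```python
"""Expand shortened URLs by hand (HEAD requests, no automatic redirect
following), then cluster the final destinations by host.

Added example, not code from the original post.  SAMPLE_TWEETS and
FAKE_HOPS are constructed stand-ins for a Twitter feed and for live
HEAD responses; the hostnames are placeholders, not real indicators.
"""
import re
import urllib.request
from collections import defaultdict
from urllib.error import HTTPError
from urllib.parse import urljoin, urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")
MAX_HOPS = 5


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib stop at every 3xx so each hop is our decision."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_next_hop(url):
    """Live fetcher: one HEAD request. Returns the Location header of a
    3xx response, or None if the URL is a final page. Nothing from the
    page body is ever fetched or executed."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(
        url, method="HEAD", headers={"User-Agent": "url-expander/0.1"})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.headers.get("Location")  # normally None on 200
    except HTTPError as err:
        if 300 <= err.code < 400:
            return err.headers.get("Location")
        return None


def expand(url, next_hop, max_hops=MAX_HOPS):
    """Walk the redirect chain for at most max_hops steps.
    Returns (final_url, chain). A loop or an over-long chain is cut
    off and the last URL reached is reported as the destination."""
    chain = [url]
    for _ in range(max_hops):
        nxt = next_hop(chain[-1])
        if nxt is None:
            break
        nxt = urljoin(chain[-1], nxt)   # Location may be relative
        if nxt in chain:                # redirect loop: stop here
            break
        chain.append(nxt)
    return chain[-1], chain


def extract_urls(text):
    return URL_RE.findall(text)


def cluster_by_host(texts, next_hop):
    """Map destination host -> sorted short URLs that resolved to it.
    Many distinct short links landing on one host is the pattern the
    article describes."""
    clusters = defaultdict(set)
    for text in texts:
        for url in extract_urls(text):
            final, _ = expand(url, next_hop)
            clusters[urlsplit(final).hostname].add(url)
    return {host: sorted(urls) for host, urls in clusters.items()}


# Constructed sample feed (hypothetical hosts, not real campaign data).
SAMPLE_TWEETS = [
    "Moscow metro bomb video!! http://sho.rt/a1",
    "shocking footage from Moscow http://sho.rt/b2",
    "live stream Moscow attack http://sho.rt/c3 #moscow",
    "BBC coverage http://news.example.org/moscow-metro",
]

# Constructed redirect table standing in for live HEAD responses.
FAKE_HOPS = {
    "http://sho.rt/a1": "http://t1.example.net/video.php",
    "http://sho.rt/b2": "http://t2.example.net/go",
    "http://t2.example.net/go": "http://t1.example.net/video.php?id=2",
    "http://sho.rt/c3": "http://loop.example.net/x",
    "http://loop.example.net/x": "http://loop.example.net/y",
    "http://loop.example.net/y": "http://loop.example.net/x",
}


def fake_next_hop(url):
    return FAKE_HOPS.get(url)


if __name__ == "__main__":
    for host, urls in cluster_by_host(SAMPLE_TWEETS, fake_next_hop).items():
        print(f"{host}: {len(urls)} short link(s) -> {urls}")
```

Swap `fake_next_hop` for `http_next_hop` to run it against a real feed. The point of stepping through redirects manually is that the scanner only ever sees Location headers; it never loads the landing page, so the "you need a codec" popup is never triggered on the analyst's machine.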

David Harley, Research Fellow & Director of Malware Intelligence


Author David Harley, ESET

  • Lee

    I've become less and less surprised at the depths the propagators of malware are happy to sink to. I used to think "how can they take advantage of that situation…", but it's all too common and frequent these days to see malicious exploitation of a tragic event.

    It used to be a case of warning users (in my case, family and friends) not to open email attachments if they aren't expecting them or don't know who they're from, and I think the majority of people (although certainly not all) are now wise to that method of spreading malware. However, when someone has logged into their social networking environment, there is probably a false sense of security, and I hope it's only a matter of time before people learn not to blindly click any link that happens to come their way from "friends" in their list.

    The false sense of security mentality can probably be applied to searching with Google. Surely you can't pick up a virus from Google? They're Google!

    Something I noticed in the image above, which shows the dialog box prompting the user to install the codec, is the spelling mistake:  "Your need to install new version…" It may be the last chance you get to realise all is not right and you shouldn't continue.

    Oh, and kudos to ESET for proactively detecting these threats!


Copyright © 2017 ESET, All Rights Reserved.