In recent days, different users reported an email to UNAM’s Computer Emergency Response Team, which included a link to download an alleged tax receipt in PDF format that came from an enterprise. However, clicking on the link started to download a compressed file with extension “.rar”. A screen capture of the email received is shown on the image below; on the bottom of the image the download link of the file can be seen.

In recent days, a system admin reported us that his website had been blocked and that his browser detected his site as malicious despite being legitimate. For this reason, UNAM’s Computer Emergency Response Team proceeded to analyze it.

Many antivirus engines identified that the website hosted an unwanted program that could be a virus.

UNAM’s Computer Emergency Response Team received a report about an allegedly malicious file that was hosted on the known file hosting website “hotfile.com” with the name “filrulais.exe”. For this reason, we proceeded to analyze the sample.

A user notified UNAM-CERT about an email that contained an allegedly malicious attachment and an IP address on the body of the message that redirected to a malicious portal that pretended to be the popular e-card website gusanito.com. This kind of sites is known as phishing and its function is to take advantage of users, making them believe that they are navigating a legitimate website.

Recently, the UNAM-CERT received a report about a malicious file that was propagating through the network and that pretended to be an update of the Adobe Flash Player plugin.

Once the website was accessed, it displayed a window to accept the download of the file.

After downloading the file, it saved itself with the name dia11_puxa_cliente2.exe and displayed the following page, that pretended to be a legitimate Adobe Flash website.

The use of malicious software to bitcoin mining has been increasing. There are reports of cases where the software propagates itself through the Skype service; however it is not limited to this service, computers can get infected by different media, such as websites or by using infected USB devices

SSI/UNAM-CERT received a report about a website that attempted to fake the portal of the Afirme financial group.

On the content of the email there was a link to the alleged website, as shown below:

 After the link is clicked, the user is redirected to the fake site of the Bank. As it can be observed, the URL contains the word “afirme”, to avoid suspicions and make the user think that the site is legitimate.

UNAM-CERT received a report about an allegedly malicious file for Linux operating systems. According to the complainant, the system presented low performance and strange behavior; so we proceeded to analyze the sample.