My next class:

WhatsApp Malware Spam uses Geolocation to Mass Customize Filename

Published: 2013-12-14. Last Updated: 2013-12-14 15:16:44 UTC
by Johannes Ullrich (Version: 1)
6 comment(s)

Malicious e-mails usually fall into two groups: Mass-mailed generic e-mails, and highly customized spear phishing attempts. In between these two groups fall e-mails that obviously do more to "mass customize" the e-mail based on information retrieved from other sources. E-mails that appear to come from your Facebook friends, or malware that harvests other social networks like Linkedin to craft a more personalized message.

Today, I received one e-mail that I think was done pretty well and falls into the third category. The sender went through the trouble to craft a decent personalized message, trying to make me install some Spyware.

In this example, the e-mail advised me of a new "WhatsApp" message that may be waiting for me. The e-mail looks legit, and even the link is formed to make it look like a voicemail link with the little "/play" ending

whatsapp spam email

(click on image to see larger version)

 

 

the part that I thought was the most interesting was the executable you are offered as you download the emails. The downloaded file is a ZIP file, and the file name of the included executable is adjusted to show a phone number that matches the location of the IP address from which the e-mail is downloaded from.

Downloading the message from my home in Jacksonville, I get: VoiceMail_Jacksonville_(904)458abcd.exe . On the other hand, downloading it from a server whose IP's geolocation commonly shows up in Wayne PA , the file name changes to VoiceMail_Wayne_(610)458abcd.exe. I obfuscated the last four digits of the phone number, but the last four digits appear random.

As usualy, anti-malware coverage is bad according to Virustotal [1]. Anubis doesn't show much interesting stuff here, but I wouldn't be surprised if the malware detected that it ran in an analysis environment [2]. Interestingly, it appears to pop up Notepad with a generic error message.

[1] https://www.virustotal.com/en/file/39457d452107fc019d0ece92d7a5c0c8d00ac5bf8dc3bd2411b0ad90cbcae194/analysis/1387029444/
[2] http://anubis.iseclab.org/?action=result&task_id=15eb462c46d9b95f4ed4d2750b1a52b0a

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: whatsapp
6 comment(s)
My next class:

Comments

I've been getting a lot of these in my Gmail spam box. Mine have been like the ones you've seen as the Voicemail_city is always somewhere nearby.

Anonymous

Dec 14th 2013
1 decade ago

I just looked at one message that was a wedding invitation with a pink and purple background. Click through and I get a customized "Invitation_Des_Moines.zip" . Haven't looked at the contents of the zip. Analysis: https://www.virustotal.com/en/url/b9e0ecf4bc1a4b44837e750834b540248993ef0e1fd192ddf81008aa2576f31a/analysis/1387590535/

Anonymous

Dec 21st 2013
1 decade ago

Even few days back i got a mail on explaining how to download whatsapp on pc http://techisay.com/download-whatsapp-for-pc-windows-mac first i thought that it might be some spam stuff, but after a research came to know thats its an email marketing campaign..

Anonymous

Feb 20th 2014
1 decade ago

I received a Whats App message and must have clicked on the "Play" button. Everyone in my Contacts list received an email with the same Whats App message. I have changed my email password. My question is: has my Mac been infected with spyware? We do online banking and this could be a big problem.
Thanks for any help you can provide.
Stuart

Anonymous

May 15th 2015
9 years ago

As this seems to be targeting Windows machines (.exe), I think your Mac could not be infected by this malware.

Anonymous

May 15th 2015
9 years ago

I've just fallen victim to this spam, I'm usually alert to these but this variant came from my newspaper delivery service with a 'we missed you' message. Clicking the link tried to run a file with the name of 'adobe ... .exe' but my spyware blocked it. The spam/virus then replicated itself by spamming my contacts list but yahoo stopped these going out. My question is whether this spam/virus does any other damage on my Windows PC and what remedial action is recommended?

Anonymous

May 17th 2015
9 years ago

Login here to join the discussion.


Top of page
Diary Archives