WhatsApp Malware Spam uses Geolocation to Mass Customize Filename

Published: 2013-12-14
Last Updated: 2013-12-14 15:16:44 UTC
by Johannes Ullrich (Version: 1)
6 comment(s)

Malicious e-mails usually fall into two groups: Mass-mailed generic e-mails, and highly customized spear phishing attempts. In between these two groups fall e-mails that obviously do more to "mass customize" the e-mail based on information retrieved from other sources. E-mails that appear to come from your Facebook friends, or malware that harvests other social networks like Linkedin to craft a more personalized message.

Today, I received one e-mail that I think was done pretty well and falls into the third category. The sender went through the trouble to craft a decent personalized message, trying to make me install some Spyware.

In this example, the e-mail advised me of a new "WhatsApp" message that may be waiting for me. The e-mail looks legit, and even the link is formed to make it look like a voicemail link with the little "/play" ending

whatsapp spam email

(click on image to see larger version)



the part that I thought was the most interesting was the executable you are offered as you download the emails. The downloaded file is a ZIP file, and the file name of the included executable is adjusted to show a phone number that matches the location of the IP address from which the e-mail is downloaded from.

Downloading the message from my home in Jacksonville, I get: VoiceMail_Jacksonville_(904)458abcd.exe . On the other hand, downloading it from a server whose IP's geolocation commonly shows up in Wayne PA , the file name changes to VoiceMail_Wayne_(610)458abcd.exe. I obfuscated the last four digits of the phone number, but the last four digits appear random.

As usualy, anti-malware coverage is bad according to Virustotal [1]. Anubis doesn't show much interesting stuff here, but I wouldn't be surprised if the malware detected that it ran in an analysis environment [2]. Interestingly, it appears to pop up Notepad with a generic error message.

[1] https://www.virustotal.com/en/file/39457d452107fc019d0ece92d7a5c0c8d00ac5bf8dc3bd2411b0ad90cbcae194/analysis/1387029444/
[2] http://anubis.iseclab.org/?action=result&task_id=15eb462c46d9b95f4ed4d2750b1a52b0a

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: whatsapp
6 comment(s)


I've been getting a lot of these in my Gmail spam box. Mine have been like the ones you've seen as the Voicemail_city is always somewhere nearby.
I just looked at one message that was a wedding invitation with a pink and purple background. Click through and I get a customized "Invitation_Des_Moines.zip" . Haven't looked at the contents of the zip. Analysis: https://www.virustotal.com/en/url/b9e0ecf4bc1a4b44837e750834b540248993ef0e1fd192ddf81008aa2576f31a/analysis/1387590535/
Even few days back i got a mail on explaining how to download whatsapp on pc http://techisay.com/download-whatsapp-for-pc-windows-mac first i thought that it might be some spam stuff, but after a research came to know thats its an email marketing campaign..
I received a Whats App message and must have clicked on the "Play" button. Everyone in my Contacts list received an email with the same Whats App message. I have changed my email password. My question is: has my Mac been infected with spyware? We do online banking and this could be a big problem.
Thanks for any help you can provide.
As this seems to be targeting Windows machines (.exe), I think your Mac could not be infected by this malware.
I've just fallen victim to this spam, I'm usually alert to these but this variant came from my newspaper delivery service with a 'we missed you' message. Clicking the link tried to run a file with the name of 'adobe ... .exe' but my spyware blocked it. The spam/virus then replicated itself by spamming my contacts list but yahoo stopped these going out. My question is whether this spam/virus does any other damage on my Windows PC and what remedial action is recommended?

Diary Archives