WhatsApp Malware Spam uses Geolocation to Mass Customize Filename

Malicious e-mails usually fall into two groups: mass-mailed generic e-mails, and highly customized spear phishing attempts. In between these two groups fall e-mails that "mass customize" the message based on information retrieved from other sources, for example e-mails that appear to come from your Facebook friends, or malware that harvests other social networks like LinkedIn to craft a more personalized message.

Today, I received one e-mail that I think was done pretty well and falls into this third category. The sender went through the trouble of crafting a decent personalized message, trying to get me to install some spyware.

In this example, the e-mail advised me of a new "WhatsApp" message that may be waiting for me. The e-mail looks legit, and even the link is formed to make it look like a voicemail link with the little "/play" ending.

[Image: WhatsApp spam e-mail]

The part that I thought was the most interesting was the executable you are offered when you download the supposed voicemail. The downloaded file is a ZIP file, and the file name of the included executable is adjusted to show a phone number that matches the location of the IP address from which the file is downloaded.

Downloading the message from my home in Jacksonville, I get VoiceMail_Jacksonville_(904)458abcd.exe. On the other hand, downloading it from a server whose IP address commonly geolocates to Wayne, PA, the file name changes to VoiceMail_Wayne_(610)458abcd.exe. I obfuscated the last four digits of the phone number; they appear to be random.

As usual, anti-malware coverage is poor according to VirusTotal [1]. Anubis doesn't show much of interest here, but I wouldn't be surprised if the malware detected that it was running in an analysis environment [2]. Interestingly, it appears to pop up Notepad with a generic error message.
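Because the lure adjusts only the city and area code per downloading IP, the same URL handing out differently named executables to different clients is a signal a mail or proxy gateway can look for without relying on AV signatures. The following is an added example, not part of the diary; the log format, the `inner=` field (the executable name a gateway found inside the ZIP) and the RFC 5737 client addresses are all constructed for illustration.

```python
import re
from collections import defaultdict

# Attachment name pattern from the diary: VoiceMail_<City>_(<area>)<prefix><4 digits>.exe.
# Only the city and area code follow the downloader's geolocation; the last four digits vary.
VOICEMAIL_RE = re.compile(
    r"^VoiceMail_(?P<city>[A-Za-z][A-Za-z_ .'-]*?)_"
    r"\((?P<area>\d{3})\)(?P<prefix>\d{3})(?P<rand>\d{4})\.exe$"
)

# Constructed gateway log lines (hypothetical format): client IP, method, URL,
# status, and the executable name the gateway extracted from the downloaded ZIP.
LOG_LINES = [
    "203.0.113.10 GET http://lure.example/whatsapp/play 200 inner=VoiceMail_Jacksonville_(904)4581234.exe",
    "198.51.100.7 GET http://lure.example/whatsapp/play 200 inner=VoiceMail_Wayne_(610)4587788.exe",
    "203.0.113.11 GET http://files.example/q4/report.pdf 200 inner=-",
    "198.51.100.9 GET http://lure.example/whatsapp/play 200 inner=VoiceMail_Wayne_(610)4580042.exe",
]


def parse_attachment(name):
    """Return (city, area_code) when the name matches the lure pattern, else None."""
    m = VOICEMAIL_RE.match(name)
    return (m.group("city"), m.group("area")) if m else None


def scan_log(lines):
    """Return matching hits and the URLs that served city variants to different clients."""
    hits = []
    cities_by_url = defaultdict(set)
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or not fields[4].startswith("inner="):
            continue  # skip malformed records
        client, url, name = fields[0], fields[2], fields[4][len("inner="):]
        parsed = parse_attachment(name)
        if parsed is None:
            continue
        city, area = parsed
        hits.append({"client": client, "url": url, "city": city, "area_code": area, "name": name})
        cities_by_url[url].add(city)
    # One URL serving more than one city variant is the geo-customisation signal.
    polymorphic = {u: c for u, c in cities_by_url.items() if len(c) > 1}
    return hits, polymorphic


if __name__ == "__main__":
    found, poly = scan_log(LOG_LINES)
    for h in found:
        print(f"{h['client']} -> {h['name']} (city={h['city']}, area={h['area_code']})")
    for url, cities in poly.items():
        print(f"geo-customised download: {url} served {sorted(cities)}")
```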

[1] https://www.virustotal.com/en/file/39457d452107fc019d0ece92d7a5c0c8d00ac5bf8dc3bd2411b0ad90cbcae194/analysis/1387029444/
[2] http://anubis.iseclab.org/?action=result&task_id=15eb462c46d9b95f4ed4d2750b1a52b0a

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter


Johannes

3324 Posts
ISC Handler
I've been getting a lot of these in my Gmail spam box. Mine have been like the ones you've seen as the Voicemail_city is always somewhere nearby.
KPryor

8 Posts
I just looked at one message that was a wedding invitation with a pink and purple background. Click through and I get a customized "Invitation_Des_Moines.zip" . Haven't looked at the contents of the zip. Analysis: https://www.virustotal.com/en/url/b9e0ecf4bc1a4b44837e750834b540248993ef0e1fd192ddf81008aa2576f31a/analysis/1387590535/
Kevin

5 Posts
Even a few days back I got a mail explaining how to download WhatsApp on PC: http://techisay.com/download-whatsapp-for-pc-windows-mac. At first I thought that it might be some spam stuff, but after some research I came to know that it's an email marketing campaign.
Tammy

1 Posts
I received a WhatsApp message and must have clicked on the "Play" button. Everyone in my Contacts list received an email with the same WhatsApp message. I have changed my email password. My question is: has my Mac been infected with spyware? We do online banking and this could be a big problem.
Thanks for any help you can provide.
Stuart
Tammy
1 Posts
As this seems to be targeting Windows machines (.exe), I think your Mac could not be infected by this malware.
DidierStevens

257 Posts
ISC Handler
I've just fallen victim to this spam, I'm usually alert to these but this variant came from my newspaper delivery service with a 'we missed you' message. Clicking the link tried to run a file with the name of 'adobe ... .exe' but my spyware blocked it. The spam/virus then replicated itself by spamming my contacts list but yahoo stopped these going out. My question is whether this spam/virus does any other damage on my Windows PC and what remedial action is recommended?
DidierStevens
1 Posts
