Malicious e-mails usually fall into two groups: mass-mailed generic e-mails, and highly customized spear phishing attempts. In between these two groups fall e-mails that "mass customize" the message based on information retrieved from other sources: e-mails that appear to come from your Facebook friends, or malware that harvests other social networks like LinkedIn to craft a more personalized message. Today, I received one e-mail that I think was done pretty well and falls into this third category. The sender went through the trouble of crafting a decent personalized message, trying to make me install some spyware. In this example, the e-mail advised me that a new "WhatsApp" message may be waiting for me. The e-mail looks legit, and even the link is formed to look like a voicemail link, with the little "/play" ending.
The part that I thought was the most interesting was the executable you are offered when you download the message. The downloaded file is a ZIP file, and the file name of the included executable is adjusted to show a phone number that matches the location of the IP address from which the e-mail is downloaded. Downloading the message from my home in Jacksonville, I get VoiceMail_Jacksonville_(904)458abcd.exe. On the other hand, downloading it from a server whose IP's geolocation commonly shows up as Wayne, PA, the file name changes to VoiceMail_Wayne_(610)458abcd.exe. I obfuscated the last four digits of the phone number, but they appear to be random. As usual, anti-malware coverage is bad according to VirusTotal [1]. Anubis doesn't show much of interest here, but I wouldn't be surprised if the malware detected that it ran in an analysis environment [2]. Interestingly, it appears to pop up Notepad with a generic error message.
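As an added example (not code from the diary or from ISC), here is a small Python check that a mail gateway or incident-response script could run over a ZIP attachment to flag the geolocated lure file names described above. The file name pattern is reconstructed from the names quoted in the diary and the comment thread, and the sample archive is constructed inline with a harmless placeholder instead of the real executable.

```python
"""Flag ZIP attachments carrying geolocated lure names such as
VoiceMail_<City>_(<area>)<digits>.exe. Added example; the ZIP fixture below
is constructed here and holds a placeholder, not the malware."""
import io
import re
import zipfile

# Pattern reconstructed from the diary's observed names, e.g.
# VoiceMail_Jacksonville_(904)458abcd.exe and VoiceMail_Wayne_(610)458abcd.exe
# (the diary redacts the last four digits, so the digit count is kept flexible).
VOICEMAIL_LURE = re.compile(
    r"^VoiceMail_(?P<city>[A-Za-z_]+)_\((?P<area>\d{3})\)(?P<digits>\d{3,7})\.exe$",
    re.IGNORECASE,
)
# The comment thread also reports Invitation_Des_Moines.zip, a city-only variant.
INVITATION_LURE = re.compile(
    r"^Invitation_(?P<city>[A-Za-z_]+)\.(exe|scr|zip)$", re.IGNORECASE
)
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif")


def scan_zip_attachment(data: bytes) -> list[dict]:
    """Return one finding per suspicious member of a ZIP attachment (empty list if clean)."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [{"member": None, "reason": "not a valid ZIP"}]
    for member in archive.namelist():
        name = member.rsplit("/", 1)[-1]  # ignore any directory prefix inside the archive
        m = VOICEMAIL_LURE.match(name)
        if m:
            findings.append({"member": name, "reason": "geolocated voicemail lure",
                             "city": m["city"], "area_code": m["area"]})
            continue
        m = INVITATION_LURE.match(name)
        if m:
            findings.append({"member": name, "reason": "geolocated invitation lure",
                             "city": m["city"]})
            continue
        if name.lower().endswith(EXECUTABLE_EXT):
            # Any executable in a mailed ZIP is worth a look even without the lure pattern.
            findings.append({"member": name, "reason": "executable inside mail attachment"})
    return findings


def build_sample_zip(member_name: str) -> bytes:
    """Constructed test fixture: a ZIP holding a harmless stub under the given name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder, not malware")
    return buf.getvalue()
```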
[1] https://www.virustotal.com/en/file/39457d452107fc019d0ece92d7a5c0c8d00ac5bf8dc3bd2411b0ad90cbcae194/analysis/1387029444/
Johannes 4478 Posts ISC Handler Dec 14th 2013
I've been getting a lot of these in my Gmail spam box. Mine have been like the ones you've seen as the Voicemail_city is always somewhere nearby.
KPryor 10 Posts
Dec 14th 2013
I just looked at one message that was a wedding invitation with a pink and purple background. Click through and I get a customized "Invitation_Des_Moines.zip". Haven't looked at the contents of the zip. Analysis: https://www.virustotal.com/en/url/b9e0ecf4bc1a4b44837e750834b540248993ef0e1fd192ddf81008aa2576f31a/analysis/1387590535/
Kevin 5 Posts
Dec 21st 2013
Even a few days back I got a mail explaining how to download WhatsApp on PC: http://techisay.com/download-whatsapp-for-pc-windows-mac. At first I thought that it might be some spam stuff, but after some research I came to know that it's an email marketing campaign.
Tammy 1 Posts
Feb 20th 2014
I received a Whats App message and must have clicked on the "Play" button. Everyone in my Contacts list received an email with the same Whats App message. I have changed my email password. My question is: has my Mac been infected with spyware? We do online banking and this could be a big problem.
Thanks for any help you can provide. Stuart
Tammy 1 Posts
May 15th 2015
As this seems to be targeting Windows machines (.exe), I think your Mac could not be infected by this malware.
DidierStevens 639 Posts ISC Handler
May 15th 2015
I've just fallen victim to this spam. I'm usually alert to these, but this variant came from my newspaper delivery service with a 'we missed you' message. Clicking the link tried to run a file with the name of 'adobe ... .exe', but my spyware blocked it. The spam/virus then replicated itself by spamming my contacts list, but Yahoo stopped these going out. My question is whether this spam/virus does any other damage on my Windows PC and what remedial action is recommended?
DidierStevens 1 Posts
May 17th 2015