WhatsApp Malware Spam uses Geolocation to Mass Customize Filename

WhatsApp Malware Spam uses Geolocation to Mass Customize Filename
Malicious e-mails usually fall into two groups: Mass-mailed generic e-mails, and highly customized spear phishing attempts. In between these two groups fall e-mails that obviously do more to "mass customize" the e-mail based on information retrieved from other sources. E-mails that appear to come from your Facebook friends, or malware that harvests other social networks like Linkedin to craft a more personalized message. Today, I received one e-mail that I think was done pretty well and falls into the third category. The sender went through the trouble to craft a decent personalized message, trying to make me install some Spyware. In this example, the e-mail advised me of a new "WhatsApp" message that may be waiting for me. The e-mail looks legit, and even the link is formed to make it look like a voicemail link with the little "/play" ending (click on image to see larger version) the part that I thought was the most interesting was the executable you are offered as you download the emails. The downloaded file is a ZIP file, and the file name of the included executable is adjusted to show a phone number that matches the location of the IP address from which the e-mail is downloaded from. Downloading the message from my home in Jacksonville, I get: VoiceMail_Jacksonville_(904)458abcd.exe . On the other hand, downloading it from a server whose IP's geolocation commonly shows up in Wayne PA , the file name changes to VoiceMail_Wayne_(610)458abcd.exe. I obfuscated the last four digits of the phone number, but the last four digits appear random. As usualy, anti-malware coverage is bad according to Virustotal [1]. Anubis doesn't show much interesting stuff here, but I wouldn't be surprised if the malware detected that it ran in an analysis environment [2]. Interestingly, it appears to pop up Notepad with a generic error message. [1] https://www.virustotal.com/en/file/39457d452107fc019d0ece92d7a5c0c8d00ac5bf8dc3bd2411b0ad90cbcae194/analysis/1387029444/ [2] http://anubis.iseclab.org/?action=result&task_id=15eb462c46d9b95f4ed4d2750b1a52b0a ------ Johannes B. Ullrich, Ph.D. SANS Technology Institute Twitter I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS London June 2022	Johannes 4478 Posts ISC Handler Dec 14th 2013
Thread locked Subscribe	Dec 14th 2013 8 years ago
I've been getting a lot of these in my Gmail spam box. Mine have been like the ones you've seen as the Voicemail_city is always somewhere nearby.	KPryor 10 Posts
Quote	Dec 14th 2013 8 years ago
I just looked at one message that was a wedding invitation with a pink and purple background. Click through and I get a customized "Invitation_Des_Moines.zip" . Haven't looked at the contents of the zip. Analysis: https://www.virustotal.com/en/url/b9e0ecf4bc1a4b44837e750834b540248993ef0e1fd192ddf81008aa2576f31a/analysis/1387590535/	Kevin 5 Posts
Quote	Dec 21st 2013 8 years ago
Even few days back i got a mail on explaining how to download whatsapp on pc http://techisay.com/download-whatsapp-for-pc-windows-mac first i thought that it might be some spam stuff, but after a research came to know thats its an email marketing campaign..	Tammy 1 Posts
Quote	Feb 20th 2014 8 years ago
I received a Whats App message and must have clicked on the "Play" button. Everyone in my Contacts list received an email with the same Whats App message. I have changed my email password. My question is: has my Mac been infected with spyware? We do online banking and this could be a big problem. Thanks for any help you can provide. Stuart	Tammy 1 Posts
Quote	May 15th 2015 7 years ago
As this seems to be targeting Windows machines (.exe), I think your Mac could not be infected by this malware.	DidierStevens 639 Posts ISC Handler
Quote	May 15th 2015 7 years ago
I've just fallen victim to this spam, I'm usually alert to these but this variant came from my newspaper delivery service with a 'we missed you' message. Clicking the link tried to run a file with the name of 'adobe ... .exe' but my spyware blocked it. The spam/virus then replicated itself by spamming my contacts list but yahoo stopped these going out. My question is whether this spam/virus does any other damage on my Windows PC and what remedial action is recommended?	DidierStevens 1 Posts
Quote	May 17th 2015 7 years ago