Monday, February 24, 2014

WhatsApp Spam: a malware distribution scam

On February 19, 2014, Facebook Announced the purchase of WhatsApp for $4 billion in cash and 183,865,778 shares of Facebook stock ($12 Billion in current value) plus an additional $3 billion in shares to the founders that will vest over four years, for a total purchase price of $19 Billion. Within 24 hours, spammers were using WhatsApp lures to attract traffic to counterfeit pharmaceutical websites! Journalists in the United States were scurrying trying to figure out what WhatsApp even is, let alone why it should be worth $19 Billion.

Apparently WhatsApp has been growing in popularity in other parts of the world, as documented by a survey released in November by OnDevice Research which was headlined as Messenger Wars: How Facebook lost its lead which talked about the top Social Message Apps for mobile devices in five major markets: US, Brazil, South Africa, Indonesia, and China. While Facebook still lead in the US, and WeChat clearly dominates China, WhatsApp was the leading app in Brazil 72%, South Africa (68%), and Indonesia (43%).

But those of us who keep track of spam and email-based threats have been hearing about WhatsUp for several months. As the popularity of WhatsApp grows due to the new acquisition, we believe we will see it become an even more popular spam lure. At least three distinct spamming groups have already used WhatsApp as a lure for their scams.

According to Malcovery Security's Brendan Griffin, WhatsApp was being used as a malware lure since at least September 19, 2013. I asked Brendan to give me a list of days when a WhatsApp spam/malware campaign made Malcovery's "Today's Top Threats" list. This campaign has been solidly in the top ten on:

SEPTEMBER 19, 23, 24, 25, 26
OCTOBER 2, 3, 4, 7, 8, 9, 10, 11, 16, 17, 18, 21, 22, 23, 24, 25
JANUARY 9, 13, 15, 20, 28

As Steve Ragan mentioned in his ComputerWorld article on November 8, 2013, WhatsApp was one of our Top Five Imitated Brands for the delivery of malware via spam for the quarter. (See ComputerWorld - Senior executives blamed for a majority of undisclosed security incidents.) Curiously, when I asked Brendan about the email I saw THIS WEEK imitating WhatsApp he said that was an example of spammers using the WhatsApp notoriety to drive traffic to counterfeit pharmaceutical websites!

WhatsApp spam used by ASProx Botnet to Deliver Kuluoz Malware

We've seen tremendous variety in both the malware being delivered and in the method of delivery over the course of so many spam runs. The first day we made note of the WhatsApp malware, September 19, 2013, we observed 52 different websites being advertised in the emails. Each of these websites had a file called "info.php" that was being called with a very long unique "message" parameter, such as:

(a couple digits have been tweaked for privacy)

Websites used for malware delivery,September 19, 2013

Visiting the link from any of of those websites resulted in code on the server resolving your IP address and creating a customer malware name based on your geographic location. For example, when we visited from Birmingham, Alabama IP addresses, we received a file called "VoiceMail_Birmingham_(205)" - 205 is the Area code for Birmingham, Alabama, so both the city name and the telephone number provided were intended to enhance the believability that this was a "real" VoiceMail message that we should open and listen to!

At the time we received this file, VirusTotal was showing a 7 of 48 detection rate. (When the file was last checked, December 4, 2013, the detection rate had improved to 36 of 48 AV products.)

This malware delivery mechanism, with the geographically labeled secondary malware, is a signature of the ASPROX => Kuluoz malware. Kuluoz, which is also known as DoFoil, is delivered as the second phase of a malware delivery scheme that begins by having computers that are part of the ASProx botnet sending spam. This is the same campaign that delivered Walmart/BestBuy/CostCo delivery messages around the Christmas holiday, and that delivered Courthouse, Eviction, and Energy bill spam. In the more recent VirusTotal report, AntiVir, DrWeb, and Microsoft label this sample as Kuluoz, while Agnitum, CAT-QuickHeal, Kaspersky, NANO-Antivirus, VBA32, and VIPRE call it DoFoil. Zortob is another popular label seen for this malware, and Symantec calls it "FakeAVLock" while Ikarus and Sophos calls it Weelsof. Weelsof is a Ransomware family and this label, as well as the FakeAV label, are likely due to tertiary malware. When secondary malware "drops" (a term that just means that ADDITIONAL malware is downloaded from the Internet after the initial infection) it is common for AntiVirus vendors to apply the label for the "ultimate intention" to all of the malware samples seen in that particular infection chain.

An excellent student paper by Shaked Bar from August 15, 2013, describes Kuluoz's role in dropping additional malware. This diagram is from his paper, Kuluoz: Malware and botnet analysis which was submitted as Mr. Bar's Dissertation for his Masters of Science in Computer Science.

At the time of Shaked Bar's paper, the prominent delivery mechanisms were spam messages imitating UPS and DHL. He also notes an earlier spam campaign from April 2013 imitating American Airlines. Bar's paper is well worth reading as he explains how C&C traffic is XOR'ed with the byte 0x2B to test the ability of the bot to send spam as well as other potential uses. Mr. Bar documents more fully the possible tertiary malware including Zeus (Zbot), ZeroAccess, and FakeAV. The malware uses the commercial geolocation service from MaxMind to identify its location, and the location may be instrumental in determining what additional malware should be installed.

Malcovery Security analysts also called attention in our September 19, 2013 report that the WhatsApp spam, when visited from an Android device, detected the OS and dropped a file called "WhatsApp.apk". .apk files are Android's "application package file" which is used to distribute and install Android apps. Examination of the .APK file confirmed thta this was Fake antivirus for your Android phone, containing descriptions of each supposedly detected malware in both English and Russian, as exhibited by this snip from the .APK file:

The URLs used to drop the infection shifted constantly. For example, these are the URLs from September 24th, each using "app.php" instead of "info.php":

And these were the sites for September 25th:

WhatsApp Spam Used by Cutwail Botnet to deliver Upatre => Zeus Malware

More recently, the WhatsApp malware has been used by an entirely different spam sending malware team. This group, which favors the Cutwail spam botnet, uses spam messages to deliver a malware family known as UPATRE. UPATRE is a tiny malware file that is repacked constantly to ensure deliverability and that has little malicious behavior itself. The only function of UPATRE is to drop additional malware. In this case, the malware is attached as a .zip file that, when executed by the recipient in order to "play their missed message" will cause Zeus to be downloaded as the secondary malware.

Here is what the Cutwail-delivered version of the WhatsApp spam looked like on January 28, 2014:

This version of Upatre connects to the Internet to download an encoded version of GameOver Zeus to allow safe passage through any blocking and detecting methods. This model of downloading an undetectable version that is then decoded into a fully functional Zeus malware by the Upatre module was documented in this blog in our story GameOver Zeus now uses Encryption to bypass Perimeter Security. In the case of the January 28th WhatsApp malware, the Zeus .enc file came from either:

zubayen . com / up / wav.enc
or from inspireplus . org . uk / images / banners / wav.enc
(spaces added for your safety)

WhatsApp Spam Delivering Canadian Health & Care Mall links?

As WhatsApp reaches the pinnacle of awareness among American spam recipients, it is only natural that the Pharmaceutical spammers would get in on the game. On February 20, 2014, the spammers sent out "Missed Voice Message" spam with a huge number of random URLs belonging to compromised webservers. Each of the compromised webservers, usually the spammer has harvested Userids and passwords for their FTP credentials in previous malware runs, has a newly created .php or .pl file that contains an encoded redirector to a pharmaceutical website.

On February 20th, the advertised spam all redirected to one of more than fifty compromised webservers, each of which then redirected to a Canada Health & Care Mall websites. The advertised URLs have a simple Javascript obfuscation to try to hide the true destination, such as this page:


When interpreted as Javascript, the "setTimeout" portion says "make the "" equal to "gjhqv1". The top portion says "set gjhqv1" equal to, and do it in "0" milliseconds.

Reviewing 50 URLs of this type, with names such as "reactivates.php" or "" or "gaelicizes.php", there were only the four redirections:

each of which looked like this:

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.