Cyber criminals are taking advantage of the widespread popularity of the mobile messaging app WhatsApp. A malware expert at Kaspersky Lab has revealed a large-scale spam campaign that advertises a fake PC version of WhatsApp in order to spread a banking trojan.
According to the report, unsuspecting users receive an email written in Portuguese. The message relies on a social engineering lure: it tells the recipient that they already have 11 pending friend invitations waiting for them.
If users click the "Baixar Agora" (Download Now) link in the spam email, they are redirected to a Hightail.com URL that serves the trojan. Hightail is a cloud storage service; the malicious component hosted there is only a downloader, which then fetches the actual banking malware from a server in Brazil.
The file stored on the Hightail server looks like a 64-bit installer bundled with a 2.5 MB MP3 file. According to VirusTotal, only 3 of 49 anti-malware engines detect it.
"This Downloader has some anti-debugging features like UnhandledExceptionFilter() and RaiseException(), and once running, it downloads a new Trojan that is the banker itself. This time the malware comes from a server in Brazil and has a low VT detection: 3 of 49. The recently downloaded banker has the icon of an MP3 file. Most users would click on it, especially after seeing it weighs about 2.5 MB."
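The anti-debugging trick named in the quote is worth seeing in working code. The following is an added illustration written for this page, not the downloader's own code and not from Kaspersky: the program registers a top-level exception filter with SetUnhandledExceptionFilter() and then deliberately raises an exception with RaiseException(). With no debugger attached, the exception falls through to the filter, which sets a flag and resumes execution. With a debugger attached, the debugger receives the exception first, so the filter never runs and the flag stays clear. The Windows branch uses the two APIs from the quote; the POSIX branch is the equivalent trick with SIGTRAP, added as an assumption so the example also builds and runs on Linux. The function name `debugger_present` and the exception code 0xE0000001 are my choices, not values from the sample.

```c
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>

/* Set by the top-level filter; stays 0 if a debugger consumed the exception. */
static volatile LONG g_filter_ran = 0;

static LONG WINAPI top_level_filter(EXCEPTION_POINTERS *info)
{
    (void)info;
    g_filter_ran = 1;
    /* Resume right after RaiseException() instead of terminating the process. */
    return EXCEPTION_CONTINUE_EXECUTION;
}

/* Returns 1 if a debugger appears to be attached, 0 otherwise. */
int debugger_present(void)
{
    g_filter_ran = 0;
    LPTOP_LEVEL_EXCEPTION_FILTER previous =
        SetUnhandledExceptionFilter(top_level_filter);

    /* Custom software exception code (bit 29 set = "user defined"); chosen for this example. */
    RaiseException(0xE0000001, 0, 0, NULL);

    SetUnhandledExceptionFilter(previous);
    return g_filter_ran ? 0 : 1;
}
#else
#include <signal.h>

/* Set by the SIGTRAP handler; stays 0 if a ptrace-based debugger intercepted the signal. */
static volatile sig_atomic_t g_handler_ran = 0;

static void trap_handler(int sig)
{
    (void)sig;
    g_handler_ran = 1;
}

/* POSIX analogue of the Windows trick: a debugger such as gdb stops on SIGTRAP
 * and by default does not pass it on, so the handler never runs under a debugger. */
int debugger_present(void)
{
    g_handler_ran = 0;
    void (*previous)(int) = signal(SIGTRAP, trap_handler);
    raise(SIGTRAP);
    signal(SIGTRAP, previous);
    return g_handler_ran ? 0 : 1;
}
#endif

int main(void)
{
    if (debugger_present())
        puts("debugger detected: refusing to run");
    else
        puts("no debugger: continuing");
    return 0;
}
```

Run it normally and it reports "no debugger"; run it under gdb (or a Windows debugger) and the flag is never set. On Windows, if the debugger passes the exception back to the program instead of swallowing it, the process is simply terminated, which from the malware author's point of view is just as good: either way the payload does not continue in an analysis environment. The defensive takeaway is that a sandbox or analyst should expect the downloader to behave differently, or exit early, when it is being traced.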
During execution, the malicious code communicates with its command and control servers to report infection statistics and to expose a system console through local port 1157. The malware sends the stolen information back in Oracle DB format. It is also able to download a further payload onto the infected system.
A few points are worth noting:
- The technique could prove very effective in the regions where the application is most used, i.e. Latin America and Europe. WhatsApp has more than 430 million users, 30 million of them added in the last month alone.
- Researchers recognised the "classic style of Brazilian-created malware" in the sample: the campaign targets the Brazilian population, which makes heavy use of WhatsApp. The language of the lure and the fact that the trojan is downloaded from a Brazilian server support this hypothesis.
This is not the first spam campaign to abuse the WhatsApp brand: last November, cyber criminals used the service's name to push malware via email by tricking users into thinking they had a new voicemail message.
This week the antivirus firm Symantec also identified Windows malware that can compromise Android phones. Pay attention to the URLs you click. Stay secure.