New Voicemail Notification - WhatsApp - Malware


Email:

Fake WhatsApp voicemail notification email claims you have a new voicemail.

Links go to malicious or compromised sites hosting malware; the sites detect your browser type and OS and either play dead or send you malware appropriate to your platform.

This appears to be a successor to the "DHL Pack Station" Asprox botnet series.


Subject: Voice Message Notification

Subject: 4 New Voicemail(s)

WhatsApp

You have a new voicemail!
Details
Time of Call: Sep-09 2013 02:15:17
Lenth of Call: 12 seconds

Download

*If you cannot download, move message to the "Inbox" folder.

2013 WhatsApp Inc

Picture of fake WhatsApp new voicemail notification email leading to the Asprox botnet malware download.

 

WhatsApp

You have a new Voice Message!
Message Details
Time of Call: Nov-10 2013 12:02: 02
Lenth of Call: 02 seconds

Play

*If you cannot download, move message to the "Inbox" folder.

2013 WhatsApp Inc

Picture of fake WhatsApp asprox botnet download email with fancy play button.

(Fancy Play button version, 12 Nov 2013)


Header samples:

Not much useful spoofing beyond the display-name part of the From line.

Received: from h1888414.stratoserver.net [81.169.165.113]
X-Envelope-From: service @trike-info.de
From: "WhatsApp Messaging Service" <service @trike-info.de>
Subject: Voice Message Notification

Received: from vps.idasol.net [209.217.244.15]
X-Envelope-From: nobody @vps.idasol.net
From: "WhatsApp Messaging Service" <service @kenyapages.com>
Subject: 4 New Voicemail(s)

Received: from mail.bmvo-capnet.com [193.34.130.32]
X-Envelope-From: anonymous @mail.bmvo-capnet.com
From: "WhatsApp Messaging Service" <service @hearingvoices.com>
Subject: 6 New Voicemail(s)

Received: from host.host2.bastardoperator.com [74.204.167.98]
X-Envelope-From: anonymous @host.host2.bastardoperator.com
From: "WhatsApp Messaging Service" <service @mikaelforselius.no>
Subject: 3 New Voicemail(s)

Actually.... there's something of a pattern to the Envelope-Froms:

X-Envelope-From: www-data @wshttp02.udag.de
X-Envelope-From: www-data @martin.ows.fr
X-Envelope-From: nobody @vps.idasol.net
X-Envelope-From: anonymous @mail.bmvo-capnet.com
X-Envelope-From: www-data @sd907.sivit.org
X-Envelope-From: nobody @vps02.crowndns.com

These look like local server accounts (www-data, nobody, anonymous) that should be unprivileged, shell-less service accounts.

Around October-November 2013, some Asprox mailers started using whatsapp-looking subdomains for spoofing.

Received: from whatsapp.voicehandsmachine.com (cpe-075-176-010-045.carolina.res.rr.com) [75.176.10.45]
X-Barracuda-Envelope-From: no-reply @whatsapp.voicehandsmachine.com
From: "WhatsApp Messaging Service" <no-reply @whatsapp.voicehandsmachine.com>
Subject: Voice Message Notification

This infected RoadRunner (TimeWarner) user's machine spoofed whatsapp.voicehandsmachine.com in the Envelope-From, HELO, and From headers. voicehandsmachine.com resolves to somewhere in Germany, but that whatsapp subdomain does not exist.
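The From, Envelope-From and HELO mismatches called out above can be turned into a header triage check. This is an added example, not the post's own tooling: it runs over constructed header blocks modelled on the quoted samples (the space before "@" removed, plus one clean message), and assumes whatsapp.com as the brand's real domain and a small list of common web-server service accounts.

```python
import re
# Constructed samples modelled on the post's quoted headers (spaces before "@"
# removed); blank-line separated "Header: value" blocks are assumed.
SAMPLES = """\
Received: from vps.idasol.net [209.217.244.15]
X-Envelope-From: nobody@vps.idasol.net
From: "WhatsApp Messaging Service" <service@kenyapages.com>
Subject: 4 New Voicemail(s)

Received: from whatsapp.voicehandsmachine.com (cpe-075-176-010-045.carolina.res.rr.com) [75.176.10.45]
X-Barracuda-Envelope-From: no-reply@whatsapp.voicehandsmachine.com
From: "WhatsApp Messaging Service" <no-reply@whatsapp.voicehandsmachine.com>
Subject: Voice Message Notification

Received: from mail.example.org [192.0.2.10]
X-Envelope-From: alice@example.org
From: "Alice" <alice@example.org>
Subject: Lunch
"""
SERVICE_ACCOUNTS = {"www-data", "nobody", "anonymous", "apache", "daemon"}
LEGIT_DOMAIN = "whatsapp.com"  # assumed brand domain for the display-name check
def parse_block(block):
    hdrs = {}
    for line in block.splitlines():
        if ":" in line:
            k, v = line.split(":", 1)
            hdrs[k.strip().lower()] = v.strip()
    return hdrs

def score_headers(hdrs):
    """Reasons a message matches the fake-voicemail lure pattern (empty = clean)."""
    reasons = []
    frm = hdrs.get("from", "")
    env = hdrs.get("x-envelope-from") or hdrs.get("x-barracuda-envelope-from", "")
    m = re.search(r"<([^>]+)>", frm)
    from_domain = (m.group(1) if m else frm).rpartition("@")[2].lower()
    env_local = env.rpartition("@")[0].lower()
    # brand in the display name, but the From domain is not the brand's
    if "whatsapp" in frm.lower() and not from_domain.endswith(LEGIT_DOMAIN):
        reasons.append("brand display name, non-brand From domain " + from_domain)
    # envelope sender is a web-server/service account: mail sent by a script
    if env_local in SERVICE_ACCOUNTS:
        reasons.append("service-account envelope sender " + env_local)
    # HELO claims a brand subdomain while the sender's rDNS (in parentheses) differs
    m = re.match(r"from (\S+) \((\S+)\)", hdrs.get("received", ""))
    if m and m.group(1).startswith("whatsapp.") and m.group(2) != m.group(1):
        reasons.append("HELO %s does not match rDNS %s" % m.groups())
    return reasons
def scan(text=SAMPLES):
    return [score_headers(parse_block(b)) for b in text.strip().split("\n\n")]
```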

Link Examples:

Links go to compromised websites, most likely in the Asprox botnet system. The landing sites check the user-agent and maybe the IP address, and can blacklist you if you keep trying. If the first tier chooses to ignore you, you get a fake 404 Error Page Not Found.

First tier landing pages:


Depending on your user-agent and other conditions, the next tier up from the landing page may elect to send a download or a fake 404 Error Page Not Found.

Windows user-agents may get an exe in a zip file.

VoiceMail.exe : virustotal analysis: here

Fortinet W32/Dofoil.QTZ!tr
Ikarus Trojan-Downloader.Win32.Kuluoz
TheHacker Posible_Worm32
TrendMicro PAK_Generic.001
McAfee Artemis!50C49B64760C

VoiceMail.exe : malwr.com analysis: here

The executable is compressed using UPX
Installs itself for autorun at Windows startup
Contacts 67.229.68.242

Android users may get an .apk file.

VirusTotal.com analysis : here

F-Secure Trojan:Android/Fakeinst.EJ
Kaspersky HEUR:Trojan-FakeAV.AndroidOS.Andef.b
Ikarus AndroidOS.FakeAV
Avast Android:FkDefend-C [Trj]
Fortinet Android/FkDefend.A
AntiVir Android/FakeAV.A.Gen
Emsisoft Android.Trojan.FakeAV.D (B)
GData Android.Trojan.FakeAV.D
Kingsoft Android.Troj.at_Fakedefender.b.(kcloud)
DrWeb Android.Fakealert.8.origin
Sophos Andr/FkDefend-A
ESET-NOD32 a variant of Android/FakeAV.C

joesandbox analysis : here

Monitors incoming Phone calls
Monitors incoming SMS
Monitors outgoing Phone calls
Queries phone contact information

 

13 Oct 2013 update to the Kuluoz exe file:

 VirusTotal report: here

Symantec Trojan.Fakeavlock
Kaspersky Trojan-Downloader.Win32.Dofoil.raq
AntiVir TR/Kuluoz.A.46
ESET-NOD32 probably a variant of Win32/TrojanDownloader.Agent.BOHYHYR
TrendMicro PAK_Generic.001
Agnitum Packed/PECompact
Sophos Mal/Weelsof-E
McAfee Artemis!A565F054C5B0

Malwr.com report: here

Performs some HTTP requests

Like 70 of them, with long GET request strings and a specified user agent, and addressed by IP rather than by hostname.

HTTP/1.1\x0d\x0aUser-Agent: Mozilla/5.0
(Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
\x0d\x0aHost: 81.2.199.97\x0d\x0a\x0d\x0a
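The beacon above has traits a proxy-log check can key on: a raw IP as the host, often on port 8080, a long opaque path, and a User-Agent that claims "Windows NT 9.0" (a version that never existed) in the "Windows; U;" Gecko-style wording that real IE never used. This is an added example, not from the post or the sandbox reports: the log lines are constructed (tab-separated time, client, method, URL, user-agent), the IPs are the ones the post quotes, and the path after the 460326245047F prefix is a placeholder because the post truncates it.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log lines (tab-separated: time, client, method, url, user-agent)
# modelled on the beacons quoted in the post; the X run in the path is a placeholder.
LOG = """\
2013-10-13T10:00:01\t10.0.0.5\tGET\thttp://81.2.199.97/460326245047FXXXXXXXXXXXXXX\tMozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
2013-10-13T10:00:02\t10.0.0.5\tGET\thttp://142.4.28.23:8080/460326245047FXXXXXXXXXXXXXX\tMozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
2013-10-13T10:00:03\t10.0.0.5\tGET\thttp://176.28.52.119:8080/460326245047FXXXXXXXXXXXXXX\tMozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
2013-10-13T10:00:09\t10.0.0.7\tGET\thttp://www.example.com/index.html\tMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
2013-10-13T10:00:10\t10.0.0.9\tGET\thttp://192.0.2.20/update.json\tMozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
"""

# Windows NT versions that actually shipped; NT 9.0 never existed.
REAL_NT = {"5.0", "5.1", "5.2", "6.0", "6.1", "6.2", "6.3", "10.0"}
BARE_IP = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def beacon_indicators(url, ua):
    """Return the Kuluoz-style beacon traits present in one request."""
    u = urlsplit(url)
    traits = []
    if BARE_IP.match(u.hostname or ""):
        traits.append("ip-host")
    if u.port == 8080:
        traits.append("port-8080")
    if re.fullmatch(r"/[0-9A-Za-z]{20,}", u.path):
        traits.append("opaque-path")
    nt = re.search(r"Windows NT (\d+\.\d+)", ua)
    if nt and nt.group(1) not in REAL_NT:
        traits.append("bogus-nt-version")
    if "Windows; U; MSIE" in ua:  # genuine IE sends "compatible; MSIE", never "Windows; U;"
        traits.append("malformed-ie-ua")
    return traits

def find_beaconing(log=LOG, min_traits=3):
    """Group flagged requests by client: one client hitting several raw IPs in a
    row with the same bogus UA is the pattern the sandbox report shows."""
    hits = {}
    for line in log.strip().splitlines():
        ts, client, method, url, ua = line.split("\t")
        traits = beacon_indicators(url, ua)
        if len(traits) >= min_traits:
            hits.setdefault(client, []).append((urlsplit(url).hostname, traits))
    return hits
```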

Check out StopMalvertising's article on this flavor of Asprox communications : here

Rebus Snippet's excellent article on the Asprox Botnet as a whole is fascinating: here
