

Fake WhatsApp voicemail notification email claims you have a new voicemail.

The links lead to malicious or compromised sites hosting malware. Those sites fingerprint your browser type and operating system and then either play dead or serve malware appropriate to your platform.

This appears to be a successor to the "DHL Pack Station" Asprox botnet series.

Subject: Voice Message Notification

Subject: 4 New Voicemail(s)


You have a new voicemail!
Time of Call: Sep-09 2013 02:15:17
Lenth of Call: 12 seconds


*If you cannot download, move message to the "Inbox" folder.

2013 WhatsApp Inc

Picture of the fake WhatsApp new-voicemail notification email leading to the Asprox botnet malware download.



You have a new Voice Message!
Message Details
Time of Call: Nov-10 2013 12:02: 02
Lenth of Call: 02 seconds


*If you cannot download, move message to the "Inbox" folder.

2013 WhatsApp Inc

Picture of the fake WhatsApp Asprox botnet download email with a fancy play button.

(Fancy Play button version, 12 Nov 2013)

Header samples:

There is not much useful spoofing here beyond the nickname (display-name) part of the From line.

Received: from []
X-Envelope-From: service
From: "WhatsApp Messaging Service" <service>
Subject: Voice Message Notification

Received: from []
X-Envelope-From: nobody
From: "WhatsApp Messaging Service" <service>
Subject: 4 New Voicemail(s)

Received: from []
X-Envelope-From: anonymous
From: "WhatsApp Messaging Service" <service>
Subject: 6 New Voicemail(s)

Received: from []
X-Envelope-From: anonymous
From: "WhatsApp Messaging Service" <service>
Subject: 3 New Voicemail(s)

Actually, there is something of a pattern to the Envelope-From values:

X-Envelope-From: www-data
X-Envelope-From: www-data
X-Envelope-From: nobody
X-Envelope-From: anonymous
X-Envelope-From: www-data
X-Envelope-From: nobody

These look like local server accounts: the unprivileged, shell-less accounts that web servers and other services run under, which suggests the mail is being generated by the service itself on compromised servers rather than by a mail client.
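The header pattern above (a branded display-name in From, a service account such as www-data or nobody as the envelope sender, and a voicemail-lure subject) can be turned into a simple mail-gateway triage rule. The following is an added example, not code from the original post; the two messages it parses are constructed for the example (hosts in the .invalid TLD and documentation IP ranges are placeholders, not values from the post), and the list of service accounts extends the post's three with a few common relatives.

```python
# Added example: triage raw mail headers for the "WhatsApp voicemail" Asprox pattern.
# Sample messages below are constructed; hosts and IPs are placeholders.
import re
from email import message_from_string
from email.utils import parseaddr

# Envelope senders seen in the post (www-data, nobody, anonymous) plus common
# relatives: all local, unprivileged accounts that should never send branded mail.
SERVICE_ACCOUNTS = {"www-data", "nobody", "anonymous", "apache", "httpd", "daemon"}
BRAND_WORDS = ("whatsapp",)                       # brand claims this rule cares about
LURE_SUBJECT_RE = re.compile(r"voice ?(mail|message)", re.I)


def envelope_localpart(msg):
    """Local part of the envelope sender, lowercased, from whichever header carries it."""
    for hdr in ("X-Envelope-From", "X-Barracuda-Envelope-From", "Return-Path"):
        val = msg.get(hdr)
        if val:
            _, addr = parseaddr(val)
            addr = addr or val.strip()            # bare local part such as "www-data"
            return addr.split("@", 1)[0].lower()
    return None


def triage(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    local = envelope_localpart(msg)
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    brand_claim = any(b in name.lower() for b in BRAND_WORDS)
    findings = []
    if brand_claim and local in SERVICE_ACCOUNTS:
        findings.append(f"brand display-name {name!r} sent as service account {local!r}")
    if brand_claim and not any(b in from_domain for b in BRAND_WORDS):
        findings.append(f"brand display-name but From domain {from_domain!r}")
    subject = msg.get("Subject", "")
    if LURE_SUBJECT_RE.search(subject):
        findings.append(f"voicemail lure subject {subject!r}")
    return findings


def is_suspicious(raw):
    """Two or more independent findings is the threshold used here (an assumption)."""
    return len(triage(raw)) >= 2


# Constructed sample modelled on the headers quoted in the post.
PHISH_SAMPLE = """Received: from webhost.example.invalid ([203.0.113.5])
X-Envelope-From: www-data@webhost.example.invalid
From: "WhatsApp Messaging Service" <service@webhost.example.invalid>
Subject: 4 New Voicemail(s)

You have a new voicemail!
"""

# Constructed benign message for comparison.
BENIGN_SAMPLE = """Received: from mail.example.org ([192.0.2.10])
X-Envelope-From: alice@example.org
From: "Alice Example" <alice@example.org>
Subject: Lunch on Friday?

Still on for noon?
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, is_suspicious(raw), triage(raw))
```

The rule deliberately keys on the combination rather than on any one header: a service-account envelope sender alone is normal for cron or monitoring mail, and a brand name in a display-name alone is normal for legitimate notifications.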

Around October-November 2013, some Asprox mailers started using whatsapp-looking subdomains for spoofing.

Received: from ( []
X-Barracuda-Envelope-From: no-reply
From: "WhatsApp Messaging Service" <no-reply>
Subject: Voice Message Notification

This infected RoadRunner (TimeWarner) user's machine spoofed the Envelope, HELO, and From headers. The sender resolves to somewhere in Germany, but that whatsapp subdomain does not exist.

Link Examples:

The links go to compromised websites, most likely part of the Asprox botnet system. The landing sites check the User-Agent and possibly the client IP address, and can blacklist you if you keep trying. If the first tier chooses to ignore you, you get a fake "404 Error Page Not Found".

First tier landing pages:

/info.php? message=LAkjJhVxIbZruiP71L9HIbGl2xcI1k2H5vMAkEa/Z24=
/info.php? message=YKRP6j7lHSfjbvedLHNCf9W1kMkiW4CsYeH8JnFHulY=
/info.php? message=J6dm9yvQhcVxDFpXn40+aw0VYYn13DXPC4C4Ghmzfx8=
/info.php? message=lGsX0Ys0kuQPu4YrKym147tOWxb5aWnIu9ZM7e/zLhM=
/info.php? message=SYtGJ5oNy2rl4At/LYgg+2OXfWxPjqG2KZKETZurt68=
/info.php? message=c9sqOcvppvyXKBcXz6KsX/V/pO6MPLB5FKtlW3iARJ0=
/info.php? message=HzXVDL8/raWrm8RlgBp1x9a...
/info.php? message=Nr1J0+CwJoi/7eMkMbvx7cx...
/info.php? message=x36QDqmKlpQNKCF/3T+9h06yFSEHf...
/app.php? message=CadswzZ11nasLkLwQNVHFYdIQA....
/app.php? message=pv3O3/1OFQ80uRHaSRq8d8....
/get.php? message=e6XDiwcB+ODE3KPX7...
/get.php? message=sGAECkoNn1...
/get.php? message=77XxELjGD...
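The landing-page links share a recognisable shape: a short PHP script name (info.php, app.php or get.php) with a single base64-encoded "message" parameter. The complete tokens quoted above are 44 base64 characters, i.e. 32 bytes once decoded. The following added example (not code from the original post) extracts URLs of that shape from a mail body or log line and reports the decoded token length; the sample body is constructed, the hosts are placeholders, and only the two tokens are quoted from the list above. The query string is parsed by hand because parse_qs would turn the '+' characters in base64 into spaces.

```python
# Added example: detect the Asprox first-tier landing-page URL pattern
# (/info.php, /app.php, /get.php with a base64 "message" parameter).
# The sample body is constructed; hosts are placeholders.
import base64
import binascii
import re
from urllib.parse import unquote, urlparse

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.I)
LANDING_SCRIPTS = {"info.php", "app.php", "get.php"}      # script names seen in the post
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def message_token(query):
    """Return the raw 'message' parameter, or None. unquote (not parse_qs) keeps '+' intact."""
    for part in query.split("&"):
        key, _, value = part.partition("=")        # split on the first '=' only; base64 padding survives
        if key == "message":
            return unquote(value)
    return None


def classify_url(url):
    """Describe one URL: script name, decoded token length, and whether it matches the pattern."""
    p = urlparse(url)
    script = p.path.rsplit("/", 1)[-1].lower()
    token = message_token(p.query)
    result = {"url": url, "script": script, "token_bytes": None, "match": False}
    if script not in LANDING_SCRIPTS or not token or not B64_RE.match(token) or len(token) % 4:
        return result
    try:
        decoded = base64.b64decode(token, validate=True)
    except binascii.Error:
        return result
    result["token_bytes"] = len(decoded)
    result["match"] = True
    return result


def find_landing_urls(text):
    """All URLs in text that match the landing-page pattern."""
    return [r for r in map(classify_url, URL_RE.findall(text)) if r["match"]]


# Constructed mail body: hosts are placeholders, the two tokens are quoted from the post.
SAMPLE_BODY = """You have a new voicemail!
Listen: http://www.example.invalid/info.php?message=LAkjJhVxIbZruiP71L9HIbGl2xcI1k2H5vMAkEa/Z24=
Listen: http://cdn.example.invalid/path/get.php?message=J6dm9yvQhcVxDFpXn40%2Baw0VYYn13DXPC4C4Ghmzfx8=
Unrelated: http://www.example.invalid/info.php?page=2
Unrelated: http://www.example.invalid/get.php?message=not-base64!!
"""

if __name__ == "__main__":
    for hit in find_landing_urls(SAMPLE_BODY):
        print(hit["script"], hit["token_bytes"], hit["url"])
```

A rule like this belongs on the mail gateway or in proxy logs: it does not require fetching the page, which matters because, as the post notes, the landing sites fingerprint and blacklist visitors.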

Depending on your user-agent and other conditions, the next tier up from the landing page may elect to send a download or a fake 404 Error Page Not Found.

Windows user-agents may get an exe in a zip file.

VoiceMail.exe: VirusTotal analysis: here

Fortinet W32/Dofoil.QTZ!tr
Ikarus Trojan-Downloader.Win32.Kuluoz
TheHacker Posible_Worm32
TrendMicro PAK_Generic.001
McAfee Artemis!50C49B64760C

VoiceMail.exe: analysis: here

The executable is compressed using UPX
Installs itself for autorun at Windows startup

Android users may get an .apk file. Analysis: here

F-Secure Trojan:Android/Fakeinst.EJ
Kaspersky HEUR:Trojan-FakeAV.AndroidOS.Andef.b
Ikarus AndroidOS.FakeAV
Avast Android:FkDefend-C [Trj]
Fortinet Android/FkDefend.A
AntiVir Android/FakeAV.A.Gen
Emsisoft Android.Trojan.FakeAV.D (B)
GData Android.Trojan.FakeAV.D
Kingsoft Android.Troj.at_Fakedefender.b.(kcloud)
DrWeb Android.Fakealert.8.origin
Sophos Andr/FkDefend-A
ESET-NOD32 a variant of Android/FakeAV.C

Joe Sandbox analysis: here

Monitors incoming Phone calls
Monitors incoming SMS
Monitors outgoing Phone calls
Queries phone contact information


13 Oct 2013 update to the Kuluoz exe file:

VirusTotal report: here

Symantec Trojan.Fakeavlock
Kaspersky Trojan-Downloader.Win32.Dofoil.raq
AntiVir TR/Kuluoz.A.46
ESET-NOD32 probably a variant of Win32/TrojanDownloader.Agent.BOHYHYR
TrendMicro PAK_Generic.001
Agnitum Packed/PECompact
Sophos Mal/Weelsof-E
McAfee Artemis!A565F054C5B0

Analysis report: here

Performs some HTTP requests

About 70 of them, with long GET request strings and explicitly set User-Agent strings, and the servers are addressed by IP address rather than by hostname.

HTTP/1.1\x0d\x0aUser-Agent: Mozilla/5.0
(Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
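The traits just described (dozens of GET requests with long query strings, sent to bare IP addresses rather than hostnames, with a fixed User-Agent claiming "Windows NT 9.0", a Windows version that has never existed) are easy to pick out of proxy logs. The following added example (not code from the original post) scores constructed log lines on those three traits and reports client/host pairs that repeat; the log format, client and server IPs, and query strings are constructed for the example, and only the User-Agent string is quoted from the post.

```python
# Added example: find beacon-like traffic in proxy logs using the traits the post describes.
# Log format, IPs and query strings are constructed; only ASPROX_UA is quoted from the post.
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed log format: <client> <method> <url> "<user-agent>"
LOG_RE = re.compile(r'^(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# NT versions that have appeared in real "Windows NT x.y" User-Agent tokens.
KNOWN_NT = {"3.1", "3.5", "3.51", "4.0", "5.0", "5.1", "5.2", "6.0", "6.1", "6.2", "6.3", "10.0"}
ASPROX_UA = "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"   # quoted from the post


def nt_version(ua):
    """The x.y in 'Windows NT x.y', or None if the UA does not claim Windows NT."""
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    return m.group(1) if m else None


def flag_request(line, min_query=40):
    """Return (client, host, reasons) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = urlparse(m["url"])
    host = p.hostname or ""
    reasons = []
    if IPV4_RE.match(host):
        reasons.append("bare-ip-host")           # C2 addressed by IP, not by name
    ver = nt_version(m["ua"])
    if ver is not None and ver not in KNOWN_NT:
        reasons.append(f"bogus-nt-version:{ver}")   # e.g. "Windows NT 9.0"
    if len(p.query) >= min_query:
        reasons.append("long-query")             # long GET request strings
    return m["client"], host, reasons


def beacon_candidates(lines, min_reasons=2, min_count=10):
    """Client/host pairs with at least min_count requests showing min_reasons traits each."""
    counts = Counter()
    for line in lines:
        r = flag_request(line)
        if r and len(r[2]) >= min_reasons:
            counts[(r[0], r[1])] += 1
    return {k: v for k, v in counts.items() if v >= min_count}


# Constructed sample: twelve beacon-like requests from one client, plus two ordinary ones.
SAMPLE_LOG = [
    f'10.0.0.7 GET http://198.51.100.23/?{"a" * 56}{i:02d} "{ASPROX_UA}"' for i in range(12)
] + [
    '10.0.0.7 GET http://www.example.invalid/news "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"',
    '10.0.0.9 GET http://198.51.100.23/ "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"',
]

if __name__ == "__main__":
    for (client, host), n in beacon_candidates(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {n} beacon-like requests")
```

Requiring two traits per request and a repeat count keeps a single odd request (one hit to a bare IP, say) from raising an alert; the fixed bogus NT version is the trait that survives even when the botnet changes servers.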

Check out StopMalvertising's article on this flavor of Asprox communications: here

Rebus Snippet's excellent article on the Asprox Botnet as a whole is fascinating: here

