By Dancho Danchev
Last night, a friend of mine surprisingly messaged me at 6:33 AM on Skype, with a message pointing to what appeared to be a photo site with the message “hahahahaha foto” and a link to hxxp://random_subdomain.photalbum.org
What was particularly interesting is that he created a group, and was basically sending the same message to all of his contacts. Needless to say, the time has come for me to take a deeper look, and analyze what appeared to be a newly launched malware campaign using Skype as propagation vector.
Once the socially engineered clicked on the link, a Download window will automatically prompt them to download the following file – Photo9321092109313.JPG_www.facebook-com.exe. Notice how the cybercriminals behind the campaign try to trick end users into thinking that they’re about to open an image file, potentially coming from Facebook. In reality though, it’s an executable.
- Security tip: Windows users can see how they can enable full file extension here, and Mac OS X users can view how they can start displaying full file extensions here.
Malicious subdomains spamvertised over Skype messages:
photalbum.org – 184.108.40.206 (AS21740, DemandMedia) – Email: firstname.lastname@example.org
The following domains were also registered using the same email address:
The Photo9321092109313.JPG_www.facebook-com.exe sample has the following MD5, MD5: bc3214da5aac705c58a2173c652e031e, currently detected as Trojan.Win32.Jorik.PoisonIvy.yy, Trojan.Win32.Diple!IK by 16 out of 42 antivirus engines.
Upon execution the binary, creates a batch script, installs a program to run automatically at logon, and creates a thread in a remote process.
It then it phones back to the following domains/IPs:
Another sample with MD5: fe18d433eb8933fa289b5d9a00e2f5c7 is known to have used these C&C domains/URLs before. It also modifies the browser’s start page to: Start Page = “hxxp://enaricles.com”.
More malware MD5’s that modify the browser’s start page to hxxp://enaricles.com:
Hijacked trusted and legitimate Skype accounts are invaluable from a social engineering perspective. Trust is vital, even novice end users know it. If the cybercriminals were to automatically register thousands of bogus accounts, they would attempt to only target users who allow the receiving of messages from users who are NOT on their contact list. Although millions of Skype users continue receiving these messages, the majority of successful malware campaigns using Skype as propagation vector, tend to involve trusted and compromised Skype accounts in an attempt to increase the probability of a successful infection.
- Security tip: In order to prevent receiving messages from people not on your contact list, follow the instructions offered here.
What’s so special about the payload anyway? The payload is a copy of the infamous Poison Ivy DIY RAT (Remote Access Tool) also known as a trojan horse or backdoor. The attackers chose this easy to obtain RAT for serving malicious code, compared to a situation where they would need to code it from scratch.
Webroot SecureAnywhere proactively protects against this threat.