These malicious emails have been circulating for a few weeks, and yesterday I got one. They pretend to be WhatsApp notifications about voice messages you supposedly received. If the victim believes it is real, they may end up with an infected computer or mobile device.
They arrive from different sender addresses; spammers generally take advantage of vulnerable servers to send the messages in bulk from there.
Subjects vary too. In this case the email claims you have four new voice messages: 4 New Voicemail (s):
As you can see, the design of the message is quite simple and even looks believable.
The green Play button links to an infected page. It is actually a legitimate site that was compromised to host the malicious code under its own domain, which still has a clean reputation. This way the spammers can get past spam filters to some degree.
Once the link is clicked, the interesting part happens: the server responds differently depending on the victim's system.
For example, if you open it from Linux you see a message like the following:
It looks like a 404 error, as if the malicious page had already been removed from the compromised server; in fact, that is what I thought the first time I saw it. But the page is not actually responding with a real 404: the HTTP status code is 200, meaning the server is working without problems and is deliberately showing a fake error page to visitors it is not interested in.
If the victim uses Windows, instead of that error page a compressed file download starts. It contains a Trojan, and the file name is chosen according to the geolocation of the visitor's IP address. In my case, since I am in Uruguay, the file was downloaded as VoiceMail_Montevideo.zip (16/47 in VirusTotal):
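The easiest way to see this cloaking for yourself is to request the same link with several User-Agent strings and compare status codes, Content-Type and Content-Disposition. The script below is an added example, not code from the original post: the campaign's real URL is not reproduced, so a small local HTTP server (a constructed stand-in) mimics the behaviour described above, returning a "404" page with status 200 to Linux, a .zip to Windows and an .apk to Android. The User-Agent strings and file names are assumptions.

```python
"""Added example (not from the original post): probe a suspicious link with
several User-Agent strings and compare what each "platform" receives.
A local server (constructed stand-in) plays the compromised site."""
import http.server
import re
import threading
import urllib.error
import urllib.request

# Browser User-Agent strings used for the probes (constructed, trimmed).
USER_AGENTS = {
    "linux":   "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/24.0",
    "windows": "Mozilla/5.0 (Windows NT 6.1; WOW64) Gecko/20100101 Firefox/24.0",
    "android": "Mozilla/5.0 (Linux; Android 4.1.2; GT-I9300) AppleWebKit/534.30",
}

ZIP_MAGIC = b"PK\x03\x04"   # .zip and .apk both start with this local-file-header signature


class CloakingHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the compromised landing page."""

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        if "Windows" in ua:
            body = ZIP_MAGIC + b"\x00" * 26          # fake archive, constructed
            ctype = "application/zip"
            disp = 'attachment; filename="VoiceMail_Montevideo.zip"'
        elif "Android" in ua:
            body = ZIP_MAGIC + b"\x00" * 26
            ctype = "application/vnd.android.package-archive"
            disp = 'attachment; filename="VoiceMail.apk"'
        else:
            # Looks like an error page, but the status line says 200.
            body = b"<html><body><h1>404 Not Found</h1></body></html>"
            ctype = "text/html"
            disp = ""
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        if disp:
            self.send_header("Content-Disposition", disp)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass


def probe(url, user_agent):
    """Fetch url with one User-Agent and classify what came back."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            status, headers, body = resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as err:      # a real 404 lands here
        status, headers, body = err.code, err.headers, err.read()
    ctype = headers.get("Content-Type", "")
    m = re.search(r'filename="?([^";]+)"?', headers.get("Content-Disposition", ""))
    filename = m.group(1) if m else None

    if body.startswith(ZIP_MAGIC) or filename:
        verdict = "download"
    elif status == 200 and b"404" in body and ctype.startswith("text/html"):
        verdict = "fake-404"         # server claims 'not found' but answers 200
    else:
        verdict = "page"
    return {"status": status, "content_type": ctype, "filename": filename, "verdict": verdict}


def probe_all(url):
    """Run every User-Agent against the link; disagreement between platforms is the tell."""
    return {name: probe(url, ua) for name, ua in USER_AGENTS.items()}


def run_demo():
    """Start the stand-in server, probe it with each User-Agent, shut it down."""
    server = http.server.HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_all("http://127.0.0.1:%d/play" % server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for platform, result in run_demo().items():
        print("%-8s %s" % (platform, result))
```

Against a live link, point probe_all at the real URL instead of the stand-in, and do it from an isolated machine whose address you do not mind burning: every request you send also tells the operators which platforms are looking at their page.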
Inside the compressed file is an .exe (executable) whose icon makes it look like an audio file (17/46 in VirusTotal). Windows users who have file extensions hidden (the default setting) are more easily deceived, since they cannot see the real extension at a glance.
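When triaging an archive like this, neither the icon nor the file name can be trusted; the first bytes of each member can. The script below is an added example, not code from the original post or the actual sample: it builds a constructed archive in memory (the "executable" inside is just an MZ header and padding), shows what Windows Explorer would display with extensions hidden, and flags members by extension and by magic bytes. The member names are assumptions.

```python
"""Added example (not from the original post): triage a downloaded archive
without trusting file names. The archive is a constructed sample built in
memory; the 'PE' inside is two magic bytes plus padding, not malware."""
import io
import zipfile

# Extensions Windows will execute, plus Android packages.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar", ".apk"}
# Extensions the attacker wants the victim to *think* they are opening.
MEDIA_EXTENSIONS = {".mp3", ".wav", ".ogg", ".m4a", ".amr", ".mp4", ".pdf", ".jpg", ".png", ".doc"}
PE_MAGIC = b"MZ"   # DOS header at the start of every Windows executable


def build_sample_zip():
    """Constructed stand-in for VoiceMail_<city>.zip (assumed names, not the real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # 'Audio' file that is really a PE: double extension, Explorer hides the .exe.
        zf.writestr("VoiceMail_Montevideo.mp3.exe",
                    PE_MAGIC + b"\x90" * 62 + b"This program cannot be run in DOS mode.")
        # Executable with a plain .mp3 extension: the name lies, the header does not.
        zf.writestr("VoiceMail_2.mp3", PE_MAGIC + b"\x90" * 62)
        zf.writestr("readme.txt", b"You have 4 new voice messages.")
    return buf.getvalue()


def explorer_name(filename):
    """What Windows shows with 'Hide extensions for known file types' on (the default)."""
    stem, dot, _ext = filename.rpartition(".")
    return stem if dot else filename


def inspect_zip(data):
    """Return one finding per archive member: extension checks plus a magic-byte check."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            parts = info.filename.lower().split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            inner = "." + parts[-2] if len(parts) > 2 else ""
            with zf.open(info) as member:
                head = member.read(2)          # only the first two bytes are needed
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable_extension")
            if inner in MEDIA_EXTENSIONS and ext in EXECUTABLE_EXTENSIONS:
                reasons.append("double_extension")
            if head == PE_MAGIC:
                reasons.append("pe_header")
            if head == PE_MAGIC and ext not in EXECUTABLE_EXTENSIONS:
                reasons.append("extension_mismatch")
            findings.append({
                "name": info.filename,
                "shown_as": explorer_name(info.filename),
                "size": info.file_size,
                "suspicious": bool(reasons),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in inspect_zip(build_sample_zip()):
        print("%-30s shown as %-26s %s" % (f["name"], f["shown_as"], ", ".join(f["reasons"]) or "ok"))
```

The magic-byte check is the one that matters: a renamed executable still starts with MZ, so "VoiceMail_2.mp3" is caught even though its extension is harmless, while the double-extension file is caught twice over.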
So far there is nothing new: serving different content according to the victim's browser, location or operating system is a technique cybercriminals have used for a long time. And the ways to avoid this kind of deception are the same as always: common sense. In other words, be careful with the links we receive and the downloads we accept, keep everything updated and use an antivirus.
But what is new about this attack is what researcher Gary Warner comments on his blog: the campaign is also aimed at mobile devices.
If the victim opens the fake email on an Android device and taps the Play link, expecting to listen to the voice messages, the download of an .apk file starts, which obviously will do nothing good for the device.
As I read in different places that have already covered this malware, there are different variants in circulation. With the link I received, I could not reproduce the infection in an Android emulator, but the .apk application that Gary describes pretended to be an antivirus that detects all kinds of threats, and finally asked for a credit card to buy a supposed license. It is a fake antivirus for mobile phones, a type that is increasingly in fashion for stealing money.
Another variant, discussed on the Trend Micro blog, infects the device and then sends text messages to premium-rate numbers, which also lets the cybercriminals earn money.
In addition, other variants of the attack are also designed to try to infect iPhone (iOS) users. As with Android, clicking tries to download a malicious application.
Sound advice: be very careful with links that arrive unexpectedly, do not believe everything at first sight, and always avoid downloading files or applications from unknown places. The safest mobile downloads are those made from the official app stores, and even then be careful with the applications you install.
Using a good antivirus, if the device is powerful enough, is not a bad idea, although without good practices on our part the antivirus cannot do all the work.