Today we were alerted to an ongoing spam campaign against Skype users. The majority of those affected are in India, Japan, and the Philippines. Below is what the message looks like:
The spam message contains Japanese katakana characters and a bitly link with the following format:
bit.ly/{7 randomly generated characters}?profile_image={Skype contact name}
I could be wrong (and please feel free to correct me), but if my very rusty Japanese serves me right, the text is read as “tsuyo”, which could either mean “strong” or “too much”. Considering the image of the file downloaded from the link, however, I’m personally inclined to believe that the message sender meant the latter. More about that in a few.
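The link format above is stable enough to match on: a bit.ly path of exactly seven characters followed by a profile_image parameter carrying a Skype contact name. The following is an added example, not code from Malwarebytes or from the original post, that flags messages matching that shape and notes when the name in the parameter is the recipient's own contact name (the personalisation that makes the lure convincing; that the name is the recipient's is an assumption here, the post only says it is a Skype contact name). The messages are constructed samples, not captured spam.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample messages (recipient contact name, message text).
# They imitate the shape the post describes, not real campaign text.
SAMPLE_MESSAGES = [
    ("alice", "ツヨ http://bit.ly/1aB2cD3?profile_image=alice"),
    ("bob", "ツヨ bit.ly/xYz9Q1w?profile_image=bob"),
    ("carol", "lunch tomorrow? https://example.com/menu.pdf"),
    ("dave", "see http://bit.ly/2kLmNoP this is fun"),  # shortener, but no lure parameter
]

# bit.ly/{7 characters}?{query}; scheme optional because Skype linkifies bare hosts.
LURE_LINK_RE = re.compile(r"(?:https?://)?bit\.ly/[A-Za-z0-9]{7}\?\S*", re.IGNORECASE)


def classify(recipient, text):
    """Return a reason string if the message matches the lure pattern, else None."""
    match = LURE_LINK_RE.search(text)
    if not match:
        return None
    url = match.group(0)
    if not url.lower().startswith("http"):
        url = "http://" + url  # urlsplit needs a scheme to separate host and query
    params = parse_qs(urlsplit(url).query)
    names = params.get("profile_image")
    if not names:
        return None
    if names[0] == recipient:
        return "bit.ly link whose profile_image parameter is the recipient's own contact name"
    return "bit.ly link carrying a profile_image parameter"


def scan(messages):
    """Return (recipient, reason) for every message that matches the lure pattern."""
    findings = []
    for recipient, text in messages:
        reason = classify(recipient, text)
        if reason:
            findings.append((recipient, reason))
    return findings


if __name__ == "__main__":
    for recipient, reason in scan(SAMPLE_MESSAGES):
        print(f"{recipient}: {reason}")
```

The regex deliberately requires the query string: a shortener link on its own is not evidence of anything, and the fourth sample shows it is left alone.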
Once Skype message recipients click the link, they are directed to a compromised domain to download a file pretending to be an image, as you can see below:
Below is the icon of the screensaver (SCR) file, which we have enlarged:
Malwarebytes Anti-Malware detects the malicious SCR file as Trojan.Injector.
Once executed, it phones back to servers located in China, Vietnam, and the United States, most of which already have a history of harboring malicious files. It also reads data from several configuration files and collects information about the machine it’s installed on, such as the computer name and its GUID, a unique identifier. Another noteworthy behaviour of this particular file, as noted here, is that it connects to an IRC server, possibly to join a botnet.
We also looked into the compromised domain and found that it doesn’t use a Web application firewall, making it easier for malicious actors to infiltrate and use the site for their nefarious deeds. As of this writing, we cannot reach the owners of the site to inform them of the compromise.
For those who are new to Skype spam, note that this modus operandi has been reused countless times, and it often pays off for the criminals. The texts and links have changed over time, but what stays the same is that these campaigns exploit people’s curiosity and the trust already established between individuals in a network, regardless of its size. When in doubt, never click the link; first confirm with the person who pinged you that they really sent the message. As we always say, it’s better safe than sorry.
Jovi Umawing
Thanks for telling me. I have informed my friends about this.
If you receive any links from random people, or have random people ask you to download files, don’t do it. It’s a trap.
Thanks for the sample, just did some rush unpacking and analysis.
The first binary, after the .NET crypter layer is unpacked (dnspy’s debugger helps immensely!), has SHA256 hash 64008FA4BAEB39FC76B72950BCE08278900468DF4B9F5C9DE87FC6DEABE8ACEF. It’s a native binary, which according to the pdb filename inside the exe is called “Trik”. The binary, after the usual anti-analysis and installation stuff, starts a few threads.
One thread does naive USB spreading, with an autorun.inf that tries to add a new “Open folder to view files” entry, and either a .bat or a .js to launch the actual malware. This stuff gets copied to all removable drives that have a drive letter of C: or above, every 5 seconds in a loop.
The second thread loops through all fixed drives, and in paths with “public_html”, “htdocs”, “httpdocs”, “wwwroot”, “ftproot”, “share”, “income”, “upload” and “warez” in their name that aren’t in the recycle bin, it overwrites all .exes with itself and adds itself as “README.txt.scr” in zips and rars. This is done only once, on every startup of the malware.
The third thread checks every 3 seconds for various analysis processes (wireshark, netstat(!), procmon, netmon, sandboxie etc.), and if one is running, it kills and removes itself.
The fourth thread does the IRC stuff. The bot doesn’t handle much; it can just download and execute other malware (the URLs are crypted, but it wasn’t that hard for me to analyse the algorithm and decrypt them), and do some “DoS” that’s basically: connect 200 times, sleep for x ms, close socket.
The malwr link in the blog post shows that it’s currently trying to download and execute “s.exe” from two different hosts. It’s the same file; the unpacked file has SHA256 721EF545946F2F7B6402EFA74C6CB868FA0DA63D8E0B037A8C97709FB08A60AD and it’s called “Skyplex” according to the .pdb path in the file. As the name suggests, this is the file that does the Skype spreading. It has messages in quite a few languages: de-DE, es-ES, fr-FR, pt-PT, nl-NL, vi-VN, ro-RO, nb-NO, mn-MN, cs-CZ, da-DK, hu-HU, nb-NO (again, it checks twice for it), fi-FI, sv-SE, hr-HR, tr-TR, sk-SK, sl-SI, et-EE, pl-PL, hy-AM, bg-BG, lv-LV, lt-LT, ar-SA, zh-CN, ru-RU, uk-UA, mt-MT, ga-IE (yes really, Irish Gaelic!), th-TH, ja-JP, ko-KR, he-IL, af-ZA, fa-IR, hi-IN, vi-VN (again, used as a default). Note that English is actually missing from this list!
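The commenter's write-up names three filesystem artifacts a responder can sweep for on a possibly affected host or file share: an autorun.inf whose launch entries point at a .bat or .js, a “README.txt.scr” member added to zip archives, and .scr binaries dropped into web-root and share directories. The following is an added example, written from that description; it is not the commenter's tooling nor Malwarebytes' code. It checks zips only (the standard library has no RAR reader), treats the directory-name list as the commenter gave it, and builds its own constructed sample tree of harmless placeholder files so it can run offline.

```python
import re
import shutil
import tempfile
import zipfile
from pathlib import Path

# Directory-name fragments the commenter reports the worm looks for on fixed drives.
TARGET_DIR_TOKENS = ("public_html", "htdocs", "httpdocs", "wwwroot", "ftproot",
                     "share", "income", "upload", "warez")
# Archive member the commenter reports being added to zips (compared case-insensitively).
ARCHIVE_DECOY = "readme.txt.scr"
# autorun.inf launch keys whose target is a .bat or .js, the launcher types the commenter saw.
AUTORUN_LAUNCH_RE = re.compile(
    r"^(open|shellexecute|shell\\[^\\\r\n]+\\command)\s*=\s*(.+\.(bat|js))\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def check_autorun(path):
    """Return the .bat/.js launcher targets named in an autorun.inf."""
    text = Path(path).read_text(errors="replace")
    return [target for _key, target, _ext in AUTORUN_LAUNCH_RE.findall(text)]


def check_zip(path):
    """Return archive members named README.txt.scr (any case); unreadable zips give []."""
    try:
        with zipfile.ZipFile(path) as zf:
            return [n for n in zf.namelist() if Path(n).name.lower() == ARCHIVE_DECOY]
    except zipfile.BadZipFile:
        return []


def in_target_dir(path):
    """True if any path component contains one of the web-root/share tokens."""
    return any(tok in part.lower() for part in Path(path).parts for tok in TARGET_DIR_TOKENS)


def sweep(root):
    """Walk root and return (path, reason) pairs for every artifact found."""
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        if p.name.lower() == "autorun.inf":
            for launcher in check_autorun(p):
                findings.append((str(p), f"autorun.inf launches {launcher}"))
        elif p.suffix.lower() == ".zip":
            for member in check_zip(p):
                findings.append((str(p), f"archive contains {member}"))
        elif p.suffix.lower() == ".scr" and in_target_dir(p):
            findings.append((str(p), "screensaver binary in web/share directory"))
    return findings


def build_sample_tree():
    """Constructed sample data, not real malware: placeholder files in the reported shapes."""
    root = Path(tempfile.mkdtemp(prefix="skypeworm_demo_"))
    (root / "autorun.inf").write_text(
        "[autorun]\r\nopen=launch.bat\r\nshell\\open\\command=launch.bat\r\n")
    site = root / "var" / "www" / "htdocs"
    site.mkdir(parents=True)
    with zipfile.ZipFile(site / "backup.zip", "w") as zf:
        zf.writestr("index.html", "<html></html>")
        zf.writestr("README.txt.scr", b"placeholder, not a binary")
    (site / "photo.scr").write_bytes(b"placeholder")
    (root / "docs").mkdir()
    (root / "docs" / "notes.txt").write_text("benign file, should not be reported")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    try:
        for path, reason in sweep(demo_root):
            print(f"{path}: {reason}")
    finally:
        shutil.rmtree(demo_root)
```

A hit on any of the three checks is a reason to pull the file for analysis rather than proof of infection on its own; the .scr check in particular only flags the extension in the directories the commenter listed, so a real sweep would also hash the file and compare against the SHA256 values given above.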
Does this malware require clicking on the link for infection?