New Skype spam leads to Trojan download

Posted: May 5, 2016 by Jovi Umawing

Today, we’ve been alerted about an ongoing spam campaign against Skype users. The majority of those affected are in India, Japan, and the Philippines. Below is what the message looks like:

click to enlarge

The spam message contains Japanese katakana characters and a bitly link with the following format:

bit.ly/{7 randomly generated characters}?profile_image={Skype contact name}

I could be wrong (and please feel free to correct me), but if my very rusty Japanese serves me right, the text is read as “tsuyo“, which could either mean “strong” or “too much”. Considering the image of the file downloaded from the link, however, I’m personally inclined to believe that the message sender meant the latter. More about that in a few.

Once Skype message recipients click the link, they are directed to a compromised domain to download a file pretending to be an image, as you can see below:

click to enlarge

Below is the icon of the screensaver (SCR) file, which we have enlarged:

Malwarebytes Anti-Malware detects the malicious SCR file as Trojan.Injector.

Once executed, it phones back to servers located in China, Vietnam, and the United States, most of which already have a history of harboring malicious files. It also reads data from several configuration files and information about the machine its installed in, such as the computer name and its GUID, a unique identifier. Another noteworthy behaviour of this particular file, as noted here, is that it connects to an IRC server, possibly to join a botnet.

We also looked into the compromised domain and found that it doesn’t use a Web application firewall, making it easier for malicious actors to infiltrate and use the site for their nefarious deeds. As of this writing, we cannot reach the owners of the site to inform them of the compromise.

For those who are new to Skype spam, note that this modus operandi has been reused countless times, and it often yields successful results for the criminals. The texts and links have changed as time went on, but what will remain the same is it will continue to take advantage of people’s curiosity and trust that is already established between and among individuals in a network, regardless of size. When in doubt, never click links and confirm with the person who pinged you first if they have indeed sent you such a message. As we always say, it’s better safe than sorry.

Jovi Umawing

COMMENTS

xSolidFigure

Thanks for telling me. I have informed my friends about this.
Peach Drinkwater

if you receive any links from random people or have random people ask you to download files don’t do it it’s a trap
Wack0

Thanks for the sample, just did some rush unpacking and analysis.

The first binary, after the .NET crypter layer is unpacked (dnspy’s debugger helps immensely!), has SHA256 hash 64008FA4BAEB39FC76B72950BCE08278900468DF4B9F5C9DE87FC6DEABE8ACEF. It’s a native binary, which according to the pdb filename inside the exe is called “Trik”. The binary, after the usual anti-analysis and installation stuff, starts a few threads.

One thread does naive usb-spreading, with an autorun.inf that tries to add a new “Open folder to view files” entry, and either a .bat or a .js to launch the actual malware. This stuff gets copied to all removable drives that have a drive letter of C: or above, every 5 seconds on a loop.

Second thread, loops through all fixed drives, and in paths with “public_html”, “htdocs”, “httpdocs”, “wwwroot”, “ftproot”, “share”, “income”, “upload” and “warez” in their name, that isn’t in the recycle bin, it overwrites all .exes with itself, and adds itself as “README.txt.scr” in zips and rars. This is done once only on every startup of the malware.

Third thread checks every 3 seconds for various analysis processes (wireshark, netstat(!), procmon, netmon, sandboxie etc), and if one is running, it kills and removes itself.

Fourth thread does the IRC stuff. The bot doesn’t handle much, it just can download and execute other malware (the URLs are crypted, it wasn’t that hard for me to analyse the algorithm and decrypt them) , and do some “DoS” that’s basically, connect 200 times, sleep for x ms, close socket.

The malwr link in the blog post shows currently it’s trying to download and execute “s.exe” from two different hosts. It’s the same file, the unpacked file has SHA256 721EF545946F2F7B6402EFA74C6CB868FA0DA63D8E0B037A8C97709FB08A60AD and it’s called “Skyplex” according to the .pdb path in the file. As the name suggests, this is the file that does the skype spreading. It has messages in quite a few languages: de-DE, es-ES, fr-FR, pt-PT, nl-NL, vi-VN, ro-RO, nb-NO, mn-MN, cs-CZ, da-DK, hu-HU, nb-NO (again, it checks twice for it), fi-FI, sv-SE, hr-HR, tr-TR, sk-SK, sl-SI, et-EE, pl-PL, hy-AM, bg-BG, lv-LV, lt-LT, ar-SA, zh-CN, ru-RU, uk-UA, mt-MT, ga-IE (yes really, irish gaelic!), th-TH, ja-JP, ko-KR, he-IL, af-ZA, fa-IR, hi-IN, vi-VN (again, used as a default). Note that English is actually missing from this list!
Kate Brew

Does this malware require clicking on the link for infection?
Jovi Umawing

Hello, Kate 🙂 One needs to download and double-click the file before infection starts.

Hope this helps!
Jovi Umawing

Cheers! 🙂

RELATED ARTICLES

Cybercrime | Malware

Intentional PE Corruption

April 30, 2012 - Malwarebytes Anti-Malware is under constant attack. 24 hours per day, 7 days per week, 365 days per year. If you read my recent blog post about the development of Malwarebytes Chameleon, you know that we at Malwarebytes have big red ‘X’s on our chests; the bad guys are always out to get us. Malwarebytes Anti-Malware...

CONTINUE READING 14 Comments

Cybercrime | Malware

The Cat-and-Mouse Game: The Story of Malwarebytes Chameleon

April 24, 2012 - The fight against malware is a cat-and-mouse game. It is constant and constantly escalating. They make a move, you counter it, they counter your counter, lather, rinse, repeat. What’s more: malware almost always has the advantage. Our software Malwarebytes Anti-Malware earned a reputation for having a high success rate in combating new in-the-wild malware infections:...

CONTINUE READING 7 Comments

Cybercrime | Hacking

Cybercrime at $12.5 Billion: The Great Underreported Threat

May 7, 2012 - From the outside looking in, it may appear that the press regularly reports stories when a company’s website, database or intellectual property has been hacked, stolen or compromised. The more eye-opening fact of the matter is that the scale and scope of the cybercrime problem is much, much larger and the actual incidences of these...

CONTINUE READING 2 Comments

Cybercrime | Hacking

DDOS, Botnets and Worms…Oh My!

May 14, 2012 - The recent attack on the Serious Organized Crime Agency (SOCA), most likely in response to the 36 data selling sites shut down a few weeks ago, lead to the admission by high ranking SOCA officials that the Ministry of Defense networks need to “beef up their security.” In response to this we would like to...

CONTINUE READING 1 Comment

Cybercrime | Exploits

“The Sky is Falling… Are You at Risk from the Flame Malware?”

June 1, 2012 - The last time I checked with Google News this morning there were over 19,100,000 results for “flame malware”. You may have heard many stories this week about this complex trojan. Here are links to three of my current personal favorite articles on “Flame”. Powerful ‘Flame’ cyberweapon tied to popular Angry Birds game – (Fox News)...

CONTINUE READING 3 Comments

ABOUT THE AUTHOR

Jovi Umawing
Malware Intelligence Analyst

Technical writer, researcher, and marketing fellow fascinated by psychology, architecture, and supercars. A habitual night owl.

CATEGORIES

101 Cybercrime Malwarebytes news PUP Security world

TOP POSTS