{"id":14945,"date":"2013-10-28T00:00:37","date_gmt":"2013-10-28T06:00:37","guid":{"rendered":"https://www.webroot.com/blog/?p=14945"},"modified":"2018-10-05T13:01:04","modified_gmt":"2018-10-05T19:01:04","slug":"fake-whatsapp-voice-message-notification1-new-voicemail-themed-emails-lead-malware-2","status":"publish","type":"post","link":"https://www.webroot.com/blog/2013\/10\/28\/fake-whatsapp-voice-message-notification1-new-voicemail-themed-emails-lead-malware-2\/","title":{"rendered":"Fake WhatsApp ‘Voice Message Notification\/1 New Voicemail’ themed emails lead to malware"},"content":{"rendered":"

WhatsApp users, watch out! The cybercriminal(s) behind the most recently profiled campaigns impersonating T-Mobile<\/strong><\/a>, and Sky<\/strong><\/a>, have just launched yet another malicious spam campaign, this time targeting WhatsApp users with fake “Voice Message Notification\/1 New Voicemail” themed emails. Once unsuspecting users execute the fake voice mail attachment, their PCs will attempt to drop additional malware on the hosts. The good news? We’ve got you (proactively) covered.<\/p>\n

<\/p>\n

Sample screenshot of the spamvertised email:<\/strong><\/p>\n

\"WhatsApp_Email_Spam_Malware_Malicious_Software_Social_Engineering_Cybercrime\"<\/a><\/p>\n

Detection rate for the malicious attachment:<\/strong> MD5:\u00a00458a01e42544eacf00e6f2b39b788e0<\/strong><\/a> – detected by 31 out of 48 antivirus scanners as\u00a0Trojan.Win32.Sharik.qhd<\/p>\n

Once executed, the sample creates the following Registry Keys on the affected hosts:<\/strong>
\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sewwe
\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sewwe\\ShellNew
\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\S6.Document
\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\S6.Document\\DefaultIcon
\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\S6.Document\\shell
\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\S6.Document\\shell\\open
\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\S6.Document\\shell\\open\\command
\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\S6.Document\\shell\\print
\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\S6.Document\\shell\\print\\command
\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\S6.Document\\shell\\printto
\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\S6.Document\\shell\\printto\\command
\nHKEY_CURRENT_USER\\Software\\Local AppWizard-Generated Applications
\nHKEY_CURRENT_USER\\Software\\Local AppWizard-Generated Applications\\S6
\nHKEY_CURRENT_USER\\Software\\Local AppWizard-Generated Applications\\S6\\Settings<\/p>\n

It then attempts to download additional malware from the well known C&C server at networksecurityx.hopto.org<\/strong><\/p>\n

Webroot\u00a0SecureAnywhere<\/a><\/strong>\u00a0users are proactively protected from this threat.<\/p>\n","protected":false},"excerpt":{"rendered":"

WhatsApp users, watch out! The cybercriminal(s) behind the most recently profiled campaigns impersonating T-Mobile, and Sky, have just launched yet another malicious spam campaign, this time targeting WhatsApp users with fake “Voice Message Notification\/1 New Voicemail” themed emails. Once unsuspecting users execute the fake voice mail attachment, their PCs will attempt to drop additional malware […]<\/p>\n","protected":false},"author":65,"featured_media":17052,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[5595,5583,5587,5593,4849,5581,5585,5577,3877,4065,3477,5597,3875,3529,5591,5589,5579],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/14945"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=14945"}],"version-history":[{"count":8,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/14945\/revisions"}],"predecessor-version":[{"id":25747,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/14945\/revisions\/25747"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17052"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=14945"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=14945"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=14945"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=14945"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}