For a slight change of pace the botnet that has been delivering the "What's My App" multi-platform malware we wrote about here has been delivering a smaller differently themed campaign to coincide with the masses of the aformentioned.

WeddingInviteMalware resized 600

This campaign is coming in the form of a wedding evite, specifically from the White Wedding Agency. This tactic has been used a couple of times this year already, but it hasn't quite as sophisticated as this latest run. If the link is clicked, the viewer is taken to one of a number of infected websites that, as mentioned in the previous article, wait to see what the user is using to connect before making a decision on what its actions will be. This version seems to prefer PC's more than mobile devices however as all of the infected sites I have tested have reacted the same way. If the website detects the victim is using Firefox or IE to connect it will first use the connecting IP to determine where the victim is located using IP geolocation and then it will push down a file customized with the victim's city in its name. The ones we pulled here in sunny Florida were named as such "Wedding_Invitation_Gulf_Breeze(.exe)". If the infected weebsite detected that the victim was using Androis OS, iOS, or Safari to connect that same site would serve up a 404 Not Found Page. I would have to believe that the mobile malware exists in this campaign as it does in the What's My App campaign, but I have yet to see one that accepts a mobile connection.

Wed2 resized 600

The file that the PC victim receives is compressed in a zip file of the same name, different extension of course. The executable uses a packer by the name of AsPack to help jumble its code and to make it a little more difficult to reverse engineer. Once executed the malware injects itself into a generic process svchost.exe from there it makes a sleep call and then begins checking to see if it's in a debugger. Once this process is complete and it feels safe to move on, it creates the file okqfduln.exe in the C:\%AppDataLocal% directory and the original service deletes itself. Finally, the malware goes to town on the browser scraping browsing history, cookies, and modifies the browser proxy settings to redirect future http requests by the victim. This malware then sends info back to its command and control server and waits for further commands.

Stay alert and avoid scams like these. AppRiver and SecureTide have you covered on this one.


Subscribe Here!