Earlier this month, the Comodo Threat Research Lab team identified a new malware attack targeted specifically at businesses and consumers who might use WhatsApp. As part of a random phishing campaign, cybercriminals were sending fake emails representing the information as official WhatsApp content to spread malware when the attached “message” was clicked on.
Now, researchers at the Threat Research Lab have identified a very similar phishing campaign targeted at businesses and consumers who use Facebook – most likely designed by the same cyber criminals who developed the WhatsApp malware.
And just like the WhatsApps malware, the new Facebook malware tries to represent itself as an email from Facebook which states there is a new message for the recipient.
The email address and sender’s name tries to brand itself as Facebook, but the sender’s email address is from different domains and not in any way related with the Facebook company.
The subjects of the emails that contain the malware are also very similar to the WhatsApp subject lines, being varied in their approach:
- A brief vocal e-mail was delivered. sele
- An audio announcement has been delivered! Lucqmc
- An audible warning has been missed. Yqr
- You got a vocal memo! Fcqw
- You recently missed a short audible notice. Rtn
- Ein Videohinweis wurde vermisst! squy (German for “a video note was missed”)
Each subject line ends with a set of random characters like ‘sele’ or ‘Yqr’. These are most likely being used to bypass antispam products.
The malware in the email itself is in a .zip file, sent as an attachment. Inside the zip file there is an executable file. Upon executing the file (e.g. clicking on the attachment), the malware will automatically replicate itself into “C:\” directory and add itself into an auto-run in the computer’s registry, spreading the malware.
Additionally, like the WhatsApp malware, the engineers have Comodo have also identified this new Facebook malware as a variant of the “Nivdort” malware family.
The Comodo Threat Research Lab team identified this phishing email campaign through IP, domain and URL analysis.
“In this age of cyberattacks, being exposed to phishing is a destiny for every company, well-known or not. It may not be the most groundbreaking attack method cybercriminals use — but there’s no denying that cybercriminals are becoming more clever when crafting their messages. More frequently, they’re using well-known applications or social platforms and also action-oriented language in the subject lines to entice recipients to open the emails, click the links or attachments and spread the malware,” said Fatih Orhan, Director of Technology for Comodo and the Comodo Threat Research Lab. “Users should be cautious of any email that requires information or that redirects to a URL Web page— and especially if there is a file download. Comodo is working around the clock to stay ahead of cybercriminals’ next moves by creating innovative solutions that protect and secure endpoints and keep enterprises and IT environments safe.”
The Comodo Threat Research Labs team is made up of more than 40 IT security professionals, ethical hackers, computer scientists and engineers, all full time Comodo employees, analyzing and filtering spam, phishing and malware from across the globe. With offices in the U.S., Turkey, Ukraine, the Philippines and India, the team analyzes more than 1 million potential pieces of phishing, spam or other malicious/unwanted emails per day, using the insights and findings to secure and protect its current customer base and the at-large public, enterprise and Internet community.
For more information about the malware Nivdort, refer to https://file-intelligence.comodo.com/windows-process-virus-malware/Nivdort
A screen grab of the malicious email has been captured below: