Twitter Accounts Spamming Malicious Links

A new spamming campaign observed by Trend Micro is spreading on Twitter. The malicious shortened URLs point to what looks like a JPEG file hosted on a Facebook domain. Files with the .JPEG extension are normally images, but here the link leads to a worm detected by Trend Micro as WORM_KOLAB.SMQX.

The interesting point is that the cybercriminals put facebook.com into the link to make the domain look strikingly similar to the real Facebook domain. The URL is facebook.com.{BLOCKED}e-505.tk, and by opening the webpage the victim launches the executable file http://{BLOCKED}f.by/images/news/Photo-G05971.jpeg.exe.
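The two tricks described above (a well-known brand used as a subdomain prefix of an unrelated registered domain, and a media extension followed by an executable one) are both checkable from the URL string alone before anything is fetched. The following triage function is an added example, not code from Trend Micro or from the original post; the hostnames and paths in the sample inputs are constructed stand-ins for the blocked values in the write-up, and the brand and extension lists are assumptions a defender would tune.

```python
from urllib.parse import urlsplit
import posixpath

# Brands that should only ever appear as the registered domain itself (assumed list).
WATCHED_BRANDS = {"facebook.com", "twitter.com"}

# Extensions Windows will execute when the file is opened (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Extensions users expect to be harmless media or documents (assumed list).
DECOY_EXTS = {".jpeg", ".jpg", ".png", ".gif", ".pdf", ".doc", ".txt"}


def brand_lookalike(host):
    """Return the impersonated brand when it appears as a leading label sequence
    of the host but is not the host's real registered domain, e.g.
    facebook.com.example-505.tk; return None for genuine brand hosts."""
    host = (host or "").lower().strip(".")
    for brand in WATCHED_BRANDS:
        if host == brand or host.endswith("." + brand):
            continue  # genuine brand host (www.facebook.com etc.)
        if host.startswith(brand + ".") or ("." + brand + ".") in host:
            return brand
    return None


def double_extension(path):
    """Return (decoy, real) when the filename ends in a decoy extension followed by
    an executable one (Photo.jpeg.exe), otherwise None."""
    name = posixpath.basename(path).lower()
    parts = name.rsplit(".", 2)
    if len(parts) == 3:
        decoy, real = "." + parts[1], "." + parts[2]
        if decoy in DECOY_EXTS and real in EXECUTABLE_EXTS:
            return decoy, real
    return None


def triage_url(url):
    """Return a list of human-readable findings for one URL; empty means nothing flagged."""
    parts = urlsplit(url)
    findings = []
    brand = brand_lookalike(parts.hostname)
    if brand:
        findings.append(f"brand-lookalike host impersonating {brand}")
    ext = double_extension(parts.path)
    if ext:
        findings.append(f"double extension {ext[0]}{ext[1]}")
    return findings


if __name__ == "__main__":
    # Constructed samples modelled on the campaign's URL shapes.
    for u in ("http://facebook.com.example-505.tk/",
              "http://example.by/images/news/Photo-G05971.jpeg.exe",
              "https://www.facebook.com/photos"):
        print(u, "->", triage_url(u) or "clean")
```

The brand check deliberately ignores the public suffix list, so it treats anything ending in `.facebook.com` as genuine; on a mail or link-expansion gateway you would pair it with the resolved long URL rather than the shortened one, since the shortener's own host is never the lookalike.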

This worm adds registry entries to enable its automatic execution at every system startup. It infects any USB device by copying itself onto the clean drive, and it connects to Internet Relay Chat (IRC) servers to execute remote instructions from a malicious user.

In this case the malware starts by creating a new directory "aaa" containing three files: 3kal.cmd, a batch file that executes mamatije2.exe and hsbca.exe. mamatije2.exe is a Bitcoin miner that connects to the malicious URL http://y.{BLOCKED}ame:8332/ with a predefined (and incorrect) login and password. The cybercriminals make income by running a free Bitcoin miner application on the victim's computer.
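The file names above are a usable host indicator set. The sweep below is an added example, not part of the original post or of Trend Micro's detection; it assumes only what the write-up states (a directory named "aaa" holding the three files) and reports partial hits separately from complete ones, since a cleaned-up or half-written drop can still be worth a look. The sample paths are constructed.

```python
import os
import posixpath

# Indicator set taken from the write-up: a directory "aaa" holding these three files.
KOLAB_DIR = "aaa"
KOLAB_FILES = {"3kal.cmd", "mamatije2.exe", "hsbca.exe"}


def match_kolab_dirs(paths):
    """Group file paths by parent directory and return every directory named 'aaa'
    that contains at least one indicator file. Each hit records which files were
    present and whether the full set was found. Accepts Windows or POSIX paths."""
    by_dir = {}
    for p in paths:
        p = p.replace("\\", "/")
        d, name = posixpath.split(p)
        by_dir.setdefault(d, set()).add(name.lower())

    hits = []
    for d, names in by_dir.items():
        if posixpath.basename(d).lower() != KOLAB_DIR:
            continue
        present = names & KOLAB_FILES
        if present:
            hits.append({
                "dir": d,
                "present": sorted(present),
                "complete": present == KOLAB_FILES,
            })
    return hits


def scan_tree(root):
    """Walk a real directory tree and apply match_kolab_dirs to every file found."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            paths.append(os.path.join(dirpath, f))
    return match_kolab_dirs(paths)


if __name__ == "__main__":
    # Constructed file listing: one full drop, one leftover executable, one benign file.
    sample = [
        r"C:\Users\alice\aaa\3kal.cmd",
        r"C:\Users\alice\aaa\mamatije2.exe",
        r"C:\Users\alice\aaa\hsbca.exe",
        r"C:\Users\alice\Pictures\cat.jpg",
        r"C:\Temp\aaa\hsbca.exe",
    ]
    for hit in match_kolab_dirs(sample):
        print(hit)
```

Because the write-up does not say where "aaa" is created, `scan_tree` takes the search root as a parameter; running it over user profiles and removable drives matches the worm's own USB-spreading behaviour described above.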

When you are using Twitter, be vigilant about where you are clicking and use the long-URL preview functionality whenever possible. Trust the people you follow, but verify links before opening or retweeting them.
