New Skype spam leads to Trojan download

New Skype spam leads to Trojan download

Today, we’ve been alerted about an ongoing spam campaign against Skype users. The majority of those affected are in India, Japan, and the Philippines. Below is what the message looks like:

skypechat

click to enlarge

The spam message contains Japanese katakana characters and a bitly link with the following format:

bit.ly/{7 randomly generated characters}?profile_image={Skype contact name}

I could be wrong (and please feel free to correct me), but if my very rusty Japanese serves me right, the text is read as “tsuyo“, which could either mean “strong” or “too much”. Considering the image of the file downloaded from the link, however, I’m personally inclined to believe that the message sender meant the latter. More about that in a few.

Once Skype message recipients click the link, they are directed to a compromised domain to download a file pretending to be an image, as you can see below:

skype-dl-file

click to enlarge

Below is the icon of the screensaver (SCR) file, which we have enlarged:

skype-scricon

Malwarebytes Anti-Malware detects the malicious SCR file as Trojan.Injector.

Once executed, it phones back to servers located in China, Vietnam, and the United States, most of which already have a history of harboring malicious files. It also reads data from several configuration files and information about the machine its installed in, such as the computer name and its GUID, a unique identifier. Another noteworthy behaviour of this particular file, as noted here, is that it connects to an IRC server, possibly to join a botnet.

We also looked into the compromised domain and found that it doesn’t use a Web application firewall, making it easier for malicious actors to infiltrate and use the site for their nefarious deeds. As of this writing, we cannot reach the owners of the site to inform them of the compromise.

For those who are new to Skype spam, note that this modus operandi has been reused countless times, and it often yields successful results for the criminals. The texts and links have changed as time went on, but what will remain the same is it will continue to take advantage of people’s curiosity and trust that is already established between and among individuals in a network, regardless of size. When in doubt, never click links and confirm with the person who pinged you first if they have indeed sent you such a message. As we always say, it’s better safe than sorry.

Jovi Umawing

ABOUT THE AUTHOR

Jovi Umawing

Knows a bit about everything and a lot about several somethings. Writes about those somethings, usually in long-form.