Fake WhatsApp message with attached ZIP contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subjects like:

Du hast einen Videobeleg! obpmv
Il y a un message vidéo. vxam
Usted tuvo un documento auditivo cnhm

This email is send from the spoofed address “WhatsApp <****@*****.***>” and has the following body:

WhatsApp

Angeheftet:
Annelore Kromer (07:05 AM)

WhatsApp

Attaché:
Genest Rateau (05:59 AM)

WhatsApp

Anexo:
Francesca Mulet (10:52 PM)

Screenshot of one of the messages:

In one of our analyzed samples, the attached file jaylin58.zip contains the 360 kB large file albinson.exe.

The from address, subject, body of the email, filenames of the ZIP and extracted file will vary with each email. The email itself is stating that a video is present, according to the subject.

The malware is detected as Trojan.Kazy.DBF9D5, W32/Nivdort.F.gen!Eldorado, Gen:Variant.Kazy.784853 (B), Trojan.Tinba.cbd, Hacktool ( 655367771 ) or Troj/Nivdort-CZ by 24 the 54 AV engines at Virus Total.

Use the Virus Total or Malwr for more detailed information.
SHA256: 91150983cf71175fba9169b4489a7f9bd2a0bd212b223119f62a74a6634d60ff