Malware researcher Dancho Danchev is reporting a widespread social engineering campaign on Skype that is spreading a variant of the Poison Ivy Trojan.
The Poison Ivy remote administration tool (RAT) was employed in the infamous RSA breach last year to glean authentication credentials that allowed access to other systems in the company's network.
Danchev had received an early morning Skype message from a trusted contact that was typical of a social engineering attempt. The note said “hahahahaha foto” and contained a link to "hxxp://random_subdomain.photalbum.org".
Danchev noticed that the message was being sent to a large number of contacts in a group, and being a malware expert, he immediately had suspicions and began investigating - here is what he found:
"Once the socially engineered clicked on the link, a Download window will automatically prompt them to download the following file - Photo9321092109313.JPG_www.facebook-com.exe. Notice how the cybercriminals behind the campaign try to trick end users into thinking that they’re about to open an image file, potentially coming from Facebook. In reality though, it’s an executable," Danchev explains.
Less than half of the 42 commercial antivirus solutions surveyed are able to detect the Trojan's signature.
"The Photo9321092109313.JPG_www.facebook-com.exe sample has the following MD5, MD5: bc3214da5aac705c58a2173c652e031e, currently detected as Trojan.Win32.Jorik.PoisonIvy.yy, Trojan.Win32.Diple!IK by 16 out of 42 antivirus engines. Upon execution the binary, creates a batch script, installs a program to run automatically at logon, and creates a thread in a remote process," said Danchev.
Danchev analyzed the malware's payload and discovered it was delivering a version of the Poison Ivy Trojan, a common tool employed by malware propagators.
"What’s so special about the payload anyway? The payload is a copy of the infamous Poison Ivy DIY RAT (Remote Access Tool) also known as a trojan horse or backdoor. The attackers chose this easy to obtain RAT for serving malicious code, compared to a situation where they would need to code it from scratch," warns Danchev.
Danchev goes on to explain how this malware campaign is a prime example of the use of social engineering exploits that prey on a target's innate trust and lack of situational awareness.
"Hijacked trusted and legitimate Skype accounts are invaluable from a social engineering perspective. Trust is vital, even novice end users know it. If the cybercriminals were to automatically register thousands of bogus accounts, they would attempt to only target users who allow the receiving of messages from users who are NOT on their contact list," said Danchev.
Aside from spam messages one may receive from unknown sources, Danchev warns that even messages from trusted contacts should be cause for caution, as campaigns such as this one may involve compromised accounts.
"Although millions of Skype users continue receiving these messages, the majority of successful malware campaigns using Skype as propagation vector, tend to involve trusted and compromised Skype accounts in an attempt to increase the probability of a successful infection," Danchev concluded.
As always, think twice before clicking a link, even from a trusted contact. More details on the malware campaign can be found here: