Apparently WhatsApp has been growing in popularity in other parts of the world, as documented by a survey released in November by OnDevice Research which was headlined as Messenger Wars: How Facebook lost its lead which talked about the top Social Message Apps for mobile devices in five major markets: US, Brazil, South Africa, Indonesia, and China. While Facebook still lead in the US, and WeChat clearly dominates China, WhatsApp was the leading app in Brazil 72%, South Africa (68%), and Indonesia (43%).

But those of us who keep track of spam and email-based threats have been hearing about WhatsUp for several months. As the popularity of WhatsApp grows due to the new acquisition, we believe we will see it become an even more popular spam lure. At least three distinct spamming groups have already used WhatsApp as a lure for their scams.

SEPTEMBER 19, 23, 24, 25, 26 OCTOBER 2, 3, 4, 7, 8, 9, 10, 11, 16, 17, 18, 21, 22, 23, 24, 25 NOVEMBER 14 JANUARY 9, 13, 15, 20, 28

WhatsApp spam used by ASProx Botnet to Deliver Kuluoz Malware

At the time we received this file, VirusTotal was showing a 7 of 48 detection rate. (When the file was last checked, December 4, 2013, the detection rate had improved to 36 of 48 AV products.)

An excellent student paper by Shaked Bar from August 15, 2013, describes Kuluoz’s role in dropping additional malware. This diagram is from his paper, Kuluoz: Malware and botnet analysis which was submitted as Mr. Bar’s Dissertation for his Masters of Science in Computer Science.

At the time of Shaked Bar’s paper, the prominent delivery mechanisms were spam messages imitating UPS and DHL. He also notes an earlier spam campaign from April 2013 imitating American Airlines. Bar’s paper is well worth reading as he explains how C&C traffic is XOR’ed with the byte 0x2B to test the ability of the bot to send spam as well as other potential uses. Mr. Bar documents more fully the possible tertiary malware including Zeus (Zbot), ZeroAccess, and FakeAV. The malware uses the commercial geolocation service from MaxMind to identify its location, and the location may be instrumental in determining what additional malware should be installed.

And these were the sites for September 25th:

WhatsApp Spam Used by Cutwail Botnet to deliver Upatre => Zeus Malware

Here is what the Cutwail-delivered version of the WhatsApp spam looked like on January 28, 2014:

This version of Upatre connects to the Internet to download an encoded version of GameOver Zeus to allow safe passage through any blocking and detecting methods. This model of downloading an undetectable version that is then decoded into a fully functional Zeus malware by the Upatre module was documented in this blog in our story GameOver Zeus now uses Encryption to bypass Perimeter Security. In the case of the January 28th WhatsApp malware, the Zeus .enc file came from either:

WhatsApp Spam Delivering Canadian Health & Care Mall links?


Reviewing 50 URLs of this type, with names such as “reactivates.php” or “” or “gaelicizes.php”, there were only the four redirections:

Leave a Reply

Your email address will not be published. Required fields are marked *