Security Experts at Malwarebytes have discovered a malicious scam spreading malicious links via Twitter. The cyber criminals behind the spam campaign are spreading malware through rogue tweets by a number of bogus Twitter accounts, they tried to deceive victims with a link to a story that says the United States Government is trying to shut down Bitcoin.
“The majority of the accounts pushing these things are clearly fake, using gathered Twitter handles to launch the barrage of malicious spam at the Twitterverse,” wrote Adam Kujawa of Malwarebytes in a blog post.
The experts are also alarmed by the use of some legitimate accounts to send the spam messages, it is not clear if the account were hacked or the owners have simply re-twitted them without verifying their content.
“one user had over 500 followers and tweeted nothing more than a shortened URL that looked like it might be coming from Linkedin”
The tweets contain links to a news video on the Wall Street Journal, when victims click on the link will be first asked to install Adobe Flash Player.
If victim click on the Install button, it will start dropping a piece of malware that could allow download of further malicious payload.
“Clicking the “Install” button will offer the user the option to download the flash player files, when accepting they are provided with a RAR file that includes four files: The two DLLs and ReadMe.htm file all appear legitimate, however the Install_Adobe_Flash_Player.exe (third one down) is not so harmless. Upon launching it, the file itself is relocated to the systems Temp folder and made hidden.”
Analyzing the malware the researchers discovered that the malicious code is a remote access Trojan (RAT) probably related to the Darkcomet RAT.
“According to my own dynamic analysis, the malware creates an establish connection with a remote server and drops additional malware, such as the “notepad.exe” that is found in the Temp folder and beaconing out to the same remote server as the initial Install file,” wrote Adam.
The URL used in the campaign references the domain “www.siam-sunrise.com” which belongs to a website for a business in Thailand, meanwhile the theme used for the phishing landing page looks quite legitimate to the Wall Street Journal website. The phishing page also includes a WSJ logo to trick the visitors.
The use of social media for phishing campaign is not new, in the last months in different cases, cyber criminals exploited the powerful platform to spam malicious links.
Twitter has already shut down numerous accounts related to the specific spam campaign.
I suggest users to carefully check before clicking any suspicious link or re-tweet it.