A Twitter spambot is said to have been used in launching this recent attack. The spambot creates Twitter accounts and fashions them to appear as legitimate accounts by posting seemingly harmless posts like those sharing certain music they listen to, or websites they visit. The spambot accounts then post tweets directed to unknowing users, sharing a link to a PC repair tool they allegedly came across and used.
As Rik Ferguson mentioned, the spambot posting tweets directed to specific users is a noteworthy social engineering technique that was clearly not seen as suspicious by Twitter admins. The spambot accounts were apparently created prior to a spam cleanup recently conducted by Twitter.
Additionally, the spambot uses the URL shortener Doiop.com to mask the original URL in the posts, and for a not so good reason. The URL directs to a URL that triggers a couple of redirections that ultimately lead to the download of the file RegistryEasy.exe, which is detected as TROJ_FAKEAV.DAP. TROJ_FAKEAV.DAP comes off as an application that repairs registry problems. However, in true FAKEAV style, it merely displays false results to convince the user into purchasing the product.
What’s also interesting is that in the root of one of the URLs the user is redirected to, an advertisement for an application dubbed as Bot Lite is posted. Bot Lite is, as the post describes, a light Twitter bot that virtually anyone can use.
Rik confirmed that Bot Lite does function as a spambot for Twitter. Its file name is bot_lite_100.exe. Its detection name is HKTL_FAKEBOT. HTKL_ is the detection prefix used by Trend Micro for hacker-tools which are considered to be grayware. Grayware refers to applications that have annoying, undesirable, or undisclosed behavior but do not fall into any of the major threat (ie. Virus or Trojan horse) categories.
Share this article