Web Reputation Services (WRS) encountered spammed malicious shortened URLs on Twitter that appear to point to a .JPEG file on a Facebook domain. The supposed .JPEG file is, in fact, not a picture file but an executable file, already detected by Trend Micro as WORM_KOLAB.SMQX. Searching for the image file name using Twitter's search function reveals a continually updated list of users who Tweeted the same malicious link.
Clicking the links redirects through a shortened Twitter URL (http://t.co). Most of these Twitter users are from Indonesia. To lure users into clicking the URL, the cybercriminals incorporated facebook.com into the hostname of the link where the malicious file is hosted. Upon clicking the said link, the unwitting user is led to facebook.com.{BLOCKED}e-505.tk. That page contains the downloadable file http://{BLOCKED}f.by/images/news/Photo-G05971.jpeg.exe, which is included in the frame set of facebook.com.{BLOCKED}e-505.tk. Since September 2, 2011, approximately 600 Tweets using the same link have been posted.
When users post a Tweet, it is followed by the malicious link, http://www.facebook.com.{BLOCKED}e-505.tk/Photo-G05971.jpeg, with the text “hahaha!!!” The same link is also inserted through Twitter's re-Tweet and reply features.
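Two traits of this lure are easy to screen for on the defender's side: a trusted brand name (facebook.com) used as a leading label of a hostname that actually belongs to another domain, and an image-looking file name that really ends in an executable extension (.jpeg.exe). The following Python is an added example, not code from the original post or from Trend Micro; the hostnames and tweets in it are constructed stand-ins for the {BLOCKED} values above.

```python
import re
from urllib.parse import urlparse

# Brands seen abused as a leading hostname label, e.g. facebook.com.<junk>.tk
TRUSTED_BRANDS = {"facebook.com", "twitter.com", "t.co"}
# Image extension immediately followed by an executable one, e.g. Photo-G05971.jpeg.exe
DOUBLE_EXT = re.compile(r"\.(jpe?g|png|gif|bmp)\.(exe|scr|cmd|bat|com|pif)$", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def hostname_spoofs_brand(host):
    """True when a trusted brand appears as a label sequence inside the hostname
    but the hostname is NOT actually under that brand's domain."""
    host = host.lower().rstrip(".")
    for brand in TRUSTED_BRANDS:
        if host == brand or host.endswith("." + brand):
            return False  # genuinely hosted under the brand's domain
        if ("." + brand + ".") in ("." + host + "."):
            return True   # brand is a decoy prefix, registrable domain is elsewhere
    return False


def classify_url(url):
    """Return the list of findings for one URL; an empty list means nothing flagged."""
    parsed = urlparse(url)
    findings = []
    if hostname_spoofs_brand(parsed.hostname or ""):
        findings.append("brand-in-subdomain")
    if DOUBLE_EXT.search(parsed.path):
        findings.append("image-disguised-executable")
    return findings


def scan_tweets(tweets):
    """Map tweet index -> [(url, findings)] for every tweet containing a flagged URL."""
    hits = {}
    for i, text in enumerate(tweets):
        for url in URL_RE.findall(text):
            findings = classify_url(url)
            if findings:
                hits.setdefault(i, []).append((url, findings))
    return hits


# Constructed sample tweets modelled on the campaign; hostnames are placeholders.
SAMPLE_TWEETS = [
    "hahaha!!! http://www.facebook.com.example-505.tk/Photo-G05971.jpeg",
    "new photos http://images.example.net/news/Photo-G05971.jpeg.exe",
    "check this out https://www.facebook.com/photo.php?fbid=1",
]

if __name__ == "__main__":
    for index, items in scan_tweets(SAMPLE_TWEETS).items():
        print(index, items)
```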
What happens after running the malicious file? Upon checking Local Settings, we found that the file creates a directory named aaa with the following files:
- 3kal.cmd: A batch file that contains the command for executing mamatije2.exe.
- hsbca.exe: A legitimate, non-malicious file (Hidden Start v3.2).
- mamatije2.exe: Already detected as HKTL_BITCOINMINE.
The file mamatije2.exe is a Bitcoin miner that connects to the malicious URL http://y.{BLOCKED}ame:8332/ using the user name mrdd_ludacha and the password mama1. These login credentials do not work; the server responds with HTTP 400 Bad Request. Bitcoins are digital coins, a virtual currency that can be sent over the Internet through peer-to-peer (P2P) sharing. Bitcoins are generated over the Internet by running a free Bitcoin miner application.
Apart from posting the Tweets, the worm also connects to other malicious sites, which host the following malicious files:
- http://robertpattinson.{BLOCKED}ion.org/pictures/Calc-3-9-2011.jpeg: Detected by Trend Micro as HKTL_BITCOINMINE.
- http://{BLOCKED}alokab.go.id/images/news/JohnLennon-Imagine.exe: Detected as WORM_KOLAB.SMQX.
Notice that it uses the names of famous personalities like Robert Pattinson and John Lennon.
All related URLs are already being blocked and all files are already being detected as WORM_KOLAB.SMQX by the Trend Micro Smart Protection Network.