Twitter Accounts Found Spamming Malicious Links

Wednesday, September 07, 2011

Trend Micro has observed a new spam campaign spreading on Twitter: malicious shortened URLs that point to what looks like a JPEG file hosted on what appears to be a Facebook domain.

Files with the .JPEG extension are normally images, but here the link leads to a worm that Trend Micro detects as WORM_KOLAB.SMQX.


The interesting element is that the cybercriminals added "" to the link to make the domain look strikingly similar to the real Facebook domain "". {BLOCKED} is the malicious host, and by opening the page the victim launches an executable file: http://{BLOCKED} /images/news/Photo-G05971.jpeg.exe.
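The two tricks described above, a look-alike hostname and an executable hidden behind an image extension, can both be checked mechanically once a shortened URL has been expanded. The following triage helper is an added example, not code from the Trend Micro write-up; the brand-to-domain table, the naive registrable-domain rule and all sample URLs (the look-alike host `facebook.com.example.test`) are constructed assumptions.

```python
"""Triage an expanded URL for the deception patterns the article describes.

Added example (not from the original post). Flags:
  * a final extension that is executable (.exe, .scr, ...),
  * a "double extension" where an image suffix precedes it (photo.jpeg.exe),
  * a hostname that contains a well-known brand name but whose registrable
    domain is not one of that brand's real domains.
The brand table and the sample URLs below are constructed for illustration.
"""
import posixpath
from urllib.parse import urlparse

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif"}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
# brand keyword -> registrable domains that legitimately belong to it
# (assumption: a short hand-maintained list, not an authoritative source)
BRAND_DOMAINS = {"facebook": {"facebook.com", "fb.com"}}


def registrable_domain(host):
    """Return the last two DNS labels of a hostname.

    Assumption: no public-suffix list is consulted, so 'co.uk'-style
    suffixes are not handled; good enough for the illustration.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_url(url):
    """Return a list of finding tags for the URL; empty list means nothing odd."""
    findings = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()

    # Look at the final path component as a filename and peel off extensions.
    filename = posixpath.basename(parsed.path)
    stem, last_ext = posixpath.splitext(filename)
    _, previous_ext = posixpath.splitext(stem)
    if last_ext.lower() in EXECUTABLE_EXTENSIONS:
        findings.append("executable")
        if previous_ext.lower() in IMAGE_EXTENSIONS:
            findings.append("double-extension")

    # A brand name anywhere in the host that does not resolve to the brand's
    # own registrable domain is a look-alike (e.g. facebook.com.example.test).
    reg = registrable_domain(host)
    for brand, legit_domains in BRAND_DOMAINS.items():
        if brand in host and reg not in legit_domains:
            findings.append(f"lookalike:{brand}")
    return findings


if __name__ == "__main__":
    # Constructed samples; the host below is a placeholder, not the real one.
    for sample in (
        "http://facebook.com.example.test/images/news/Photo-G05971.jpeg.exe",
        "https://www.facebook.com/photo.jpg",
        "http://example.test/setup.exe",
    ):
        print(sample, "->", triage_url(sample))
```

Run the expanded URL through `triage_url` before following it; any non-empty result is reason to stop, and the `double-extension` tag in particular almost never appears on a legitimate image link.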

The worm adds registry entries so that it runs automatically at every system startup. It also infects any USB device it finds, copying itself onto the clean drive, and then connects to Internet Relay Chat (IRC) servers to execute remote instructions issued by the attacker.

In this case, the malware starts by creating a new directory, “aaa”, that contains three files: a batch file, 3kal.cmd, that launches the other two, mamatije2.exe and hsbca.exe.

"mamatije2.exe" is a Bitcoin miner that connects to the malicious pool URL http://y.{BLOCKED}ame:8332/ with a predefined (and incorrect) login and password. Cybercriminals thus make an income by running a free Bitcoin miner application on a victim’s computer.
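From a network-monitoring point of view, the worm's two outbound behaviours are the useful signal: a host that both joins an IRC server for commands and talks to a mining pool on port 8332 stands out from ordinary clients. The script below is an added example, not part of the article; the connection-log format, every IP address and the port-to-behaviour table (6667 and 6697 as the standard IRC ports, 8332 as the Bitcoin JSON-RPC port used by the pool URL above) are constructed assumptions.

```python
"""Correlate outbound connection records per source host and report hosts that
show both the IRC command channel and the mining-pool traffic described in the
article. Added example; the log lines and addresses below are constructed."""
from collections import defaultdict

# destination port -> behaviour tag
# 6667 is the standard IRC port and 6697 IRC over TLS; 8332 is the Bitcoin
# JSON-RPC port that the pool URL in the article uses.
PORT_TAGS = {6667: "irc", 6697: "irc", 8332: "mining-pool"}

# Constructed sample log: timestamp src dst dport proto
SAMPLE_LOG = """\
# constructed sample, RFC 5737 documentation addresses as destinations
2011-09-07T10:01:02Z 10.0.0.5 198.51.100.7 6667 tcp
2011-09-07T10:01:09Z 10.0.0.5 203.0.113.44 8332 tcp
2011-09-07T10:02:15Z 10.0.0.9 198.51.100.7 6667 tcp
2011-09-07T10:03:40Z 10.0.0.12 203.0.113.80 443 tcp
this line is malformed and must be skipped
"""


def parse_flows(text):
    """Yield (src, dport) pairs, skipping comments and malformed records."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            yield parts[1], int(parts[3])
        except ValueError:
            continue


def behaviours_by_host(text):
    """Map each source host to the set of behaviour tags seen for it."""
    tags = defaultdict(set)
    for src, dport in parse_flows(text):
        tag = PORT_TAGS.get(dport)
        if tag:
            tags[src].add(tag)
    return dict(tags)


def hosts_with_both(text):
    """Hosts that contacted both an IRC server and a mining pool, sorted."""
    wanted = {"irc", "mining-pool"}
    return sorted(h for h, seen in behaviours_by_host(text).items() if wanted <= seen)


if __name__ == "__main__":
    print(behaviours_by_host(SAMPLE_LOG))
    print("hosts matching both behaviours:", hosts_with_both(SAMPLE_LOG))
```

Either behaviour alone produces false positives (legitimate IRC users, or a hobbyist running a miner), so the correlation on one host is what makes the alert worth a look; the same pattern applies to any other port pair once the log format is adapted.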

When you are using Twitter, be cautious when clicking shortened URLs, and expand them to the full URL wherever possible. It's nice to trust the people you follow, but verify links before opening or re-tweeting them.


The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
