A new wave of rogue direct messages (DM) are making rounds in Twitter once more. Instead of the message “lol ur famous now”, as we’ve documented before, which coupled the Facebook link leading to a phishing page, the criminals behind this new campaign are now using “what on earth could you be doing in our movie”. Notice how the wording has deviated from its usual text-speak?
Clicking the link, facebook(dot)com(slash)516210881723975?a_disturbing, directs users to this page:
By this point, you, dear Reader, shouldn’t be thinking about whether you should enter your Twitter credentials in the fields provided or not. Just don’t.
If one does fill out the text boxes and click the Sign in button, they are taken to a page where a fake YouTube video is supposedly hosted. Users may get an impression that they’re still within the App page; however, the Facebook elements of this page are all fake.
Clicking Install downloads a file named FlasshPlayerV126.96.36.199.exe. Upon execution, it drops and executes a file named javas.exe, which is also malicious. Note that malware files served on this bogus site may change at random times.
Unlike the Twitter Video Facebook App we wrote about last September, this sample does not involve the Umbra botnet. Our findings suggest that it’s a stand-alone malware that simply performs its tasks on an affected system once it executes. Additional findings have also confirmed that the malware files do not establish any form of communication over the Internet nor do they steal information.
Our friends at Panda Security have recently analyzed another variant of this Twitter DM threat.
May this serve as a reminder that we should not just click links on DM messages sent our way, even if they come from friends, colleagues, or family members. Let us treat such messages with utmost caution. Alert the supposed originator of the DM and also warn your followers about suspicious DMs. Lastly, delete the DM in your Twitter inbox.
Jovi Umawing (Thanks to Jarred for the heads up)
Leave a reply