Skype Messages Spreading DORKBOT Variants
As reported earlier by Rik Ferguson, users are facing more waves of Skype spammed messages. These attacks are being used to distribute various threats, including ransomware and infostealers.
These attacks, which arrive as Skype messages, ask if the user has a new profile picture:
The link (which includes the username of the recipient) goes to a file hosted at a legitimate file locker service. The file downloaded is a variant of the DORKBOT malware family, which is detected as WORM_DORKBOT.DN. This malware allows an attacker to take complete control of the user’s system. Its capabilities include password theft form various websites (including pornographic sites, social media, file lockers, and financial services), ransomware, and launching distributed denial-of-service (DDOS) attacks. The behavior that a user may see can vary significantly. It also has the capability to download other malware depending on the link provided by the C&C servers.
To spread via Skype, it downloads a separate component (detected as WORM_DORKBOT.IF). This component sends the same message to people in the user’s address book, restarting the cycle all over again. WORM_DORKBOT.IF checks the system locale and sends the message, lol is this your new profile pic in a language depending on the user’s geolocation.
As Countermeasures Blog reported, Trend Micro has detected and blocked over 2800 associated files in a span of 24 hours.
We’re currently monitoring this threat. We’ll update this blog entry with more details as they become available.