Those strange e-mails with URLs in them can lead to Android malware
You've probably gotten a few of these e-mails over the last few months (I saw the first one of this latest kind in early Feb), we got one to the handlers list earlier this week which prompted this diary. They seem pretty innocuous, they have little or no text and a URL like the one shown below.
Note: the above link doesn't lead to the malware anymore, so I didn't obscure it.
Most seem to be sent from Yahoo! (or Yahoo!-related e-mail addresses), so they may be coming from addresses that were compromised during the breach of Yahoo! back in January. The odd thing about this is that, if you follow the URL from a Linux, Windows, or Mac you get a spammy website (I don't remember if it was Canadian pharmacies, or what), but what a colleague of mine at $dayjob (all credit goes to Stan) discovered is that if you opened the e-mail on an Android device (or followed the links with an Android user-agent and referrers), this instead leads to downloading of the latest version of the DroidNotCompatible Android malware (which is, itself, and interesting specimen, but I'll leave that for another diary). The first URL led to a 302 redirect to a page that included the malicious APK in a META refresh tag. You can change the user-agent string with the -U switch to wget or the -A switch to curl if you want to try grabbing things from the Linux/Unix commandline (which is, of course, how you all surf the internet anyway, right?).
The take away, if there is one, is that when tracing suspicious URLs, don't just assume the site is not interesting just because nothing bad happened when you looked at it from your sacrificial browsing environment (you all have one of these whether you realize it or not, the bad news is it may be your main system). Try with additional user-agents (and/or referrers) and see what happens. Do you have a collection of your favorite user-agent strings you like to use? If there is enough interest, perhaps we'll put up a page either here on the main site or over on the handlers server with some of the more useful ones.
---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu
Comments
Anonymous
Dec 3rd 2022
9 months ago
Anonymous
Dec 3rd 2022
9 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
Anonymous
Dec 26th 2022
9 months ago
Anonymous
Dec 26th 2022
9 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
9 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
9 months ago
Anonymous
Dec 26th 2022
9 months ago
https://defineprogramming.com/
Dec 26th 2022
9 months ago
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
https://defineprogramming.com/
Dec 26th 2022
9 months ago
rthrth
Jan 2nd 2023
8 months ago