Perpetrators spread the banking Trojan as an file for installation of WhatsApp mobile messenger onto a user’s PC, says Kaspersky Lab in its blog.

According to the message, perpetrators have organized new spam campaign sent via email, which informs that the mobile messenger WhatsApp is now available for PC. However, those who try to install this application, in reality downloads banking Trojan.

Experts of the Kaspersky Las have received the message in Portuguese, which says that “finally WhatsApp is available for PC and that the user already has 11 invitations from his friends”. If users press the link for downloading, they are redirected to the hacked server located in Turkey and then forwarded to the cloud service called Hightail (former Yousendit), where they are offered to download the Trojan, which looks like 64-bit installation file.

In reality this is a standard 32-bit application, which is relatively easily detected by antivirus products. Once the application is launched it downloads a new banking Trojan. This harmful software is downloaded from the server located in Brazil and it is rarely detected by the anivirus software – 3 out of 49 according to the VirusTotal scale. Trojan’s icon makes it look like an mp3 file and many users may click on it. Moreover, it weights 2.5 megabytes.

In order to make the analysis of the harmful program harder, special features are added to the Trojan. In addition, the program itself is written in Delphi.

After the launch the Trojan is sending a report to the console owned by the criminals to show the contamination statistics. The stolen information is seте via the local port 1157, when it is opened. In addition, the harmful software loads other viruses onto the PC.

Source: RIA Novosti