We recently examined a sample, detected as Program:Win32/Pameseg.P (SHA1: 089e7ec8ee2ca4be0fff079e39ef26110a8de78e), that appears to be a new version of "LoviVkontakte", an application for the Russian social networking website "vkontakte". This sample asks for money by way of requesting an SMS to a premium number to continue installation. We've seen similar behavior in the past with the malware families Wintrim and Ransom.
With this sample, it became apparent that things were not as they seemed. The file name for the installer was "lovi-v-kontakte-v260.exe", while the current version of the legitimate program is 2.41.
When run, Program:Win32/Pameseg.P displays an interface that is split into two panels. The first panel is for an extractor called "WinArc":
Image 1 - "WinArc" extraction window
The second panel is a display for an end-user license agreement (EULA):
Image 2 - EULA displayed
This approach is slightly different from normal installers in one way; EULAs are commonly included in the installer package however this EULA panel is loaded from a predefined webpage within the site "downloadfast.ru". The content could change from the above at a future point and the site “downloadfast.ru” is currently registered to a single individual. Our recommendation is that users do not visit the site.
At the top of the webpage containing the EULA is a button that basically translates to "Click Extract to continue the process of unpacking". Once the user clicks the button, the application appears to "extract" the archived content, even displaying a progress bar for the installation process:
Image 3 - Progress meter during "extraction"
Towards the end of this simulated extraction, an "error" occurs and the user is asked to send an SMS to a premium number in order to receive a code for the installation to continue:
Image 4 - SMS message request to complete the installation process
The above text translates as the following:
Archive is password protected
You need to send 1SMS
Enter password from the received SMS
The drop-down box in the message includes the the following targeted countries: Russia, Ukraine, Azerbaijan, Belarus, Armenia and Kazakhstan, as shown below:
Image 5 - drop-down list of countries targeted
There are two interesting items about this fake installer, the first of which is that it breaks the user interface in two components, one being hosted on a website, allowing the content to be changed anytime. The second interesting component is that the password you receive when you send the SMS is not checked by the application, it is instead checked directly by the web component, again allowing dynamic validation.
Upon further inspection of the EULA mentioned above, text within section one loosely translates to the following text, with special note to this translated text that we’ve highlighted in red:
“1. General - downloadfast.ru, hereinafter-Subscriber Services Site provides training in bit-torrent networks by providing detailed instructions, refer to free software that lets you work with them, and describes in detail all steps necessary to achieve the desired content to it. To gain access to educational opportunities for work in the bit-torrent networks, subscribers would have to pay a fee for using the service.
Payment shall be made by sending a 3 (three) SMS-message to short number. Price per message varies from region to region and country of residence of the Subscriber.
Send SMS-message allows the user to use the service within 1 (one) day. After this period you will be asked to pay again. Site downloadfast and his servers contain only text content, providing training services only in bit-torrent networks tools provide detailed instructions and links to free software to work with them, and describes in detail all steps necessary to achieve the desired content to it.“
The installation will continue once the SMS received code is correctly entered. We didn’t continue with the installation as the scope of our investigation was centered around the social engineering aspect, and the fact that we didn’t envisage paying out of pocket.
Stay safe and use best practices - always check with the original vendor website when downloading applications.
Andrei Saygo && Patrik Vicol