Spammed Facebook Links Lead to Reveton

Traffic chain:

ctlp.co/phm (shortened link – 302 redirect)
schnitzelfvideop.tk/84ae.html (frame that loads the next link)
zvlks.gormless.org/208.html?qbzsyl (page with HTML-encoded links to download the exe)
208.131.138.217/imagedl11.php (exe – application/force-download)
208.131.138.218/imagedl11.php (exe – application/force-download)

An example page can be found here. The links are just HTML-encoded (numeric character entities) and decode to the exe links.

See more examples on UrlQuery.net

The resulting exe will match the filename regex below.

(Me|You|Iam)(Funny|Naked|Nice|Sexy|Whore|Lol)(PIC|TIFF|PNG|GIF|BMP|JPEG)\.exe$
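As an added example (not code from the original post), the snippet below decodes the entity-encoded links on a constructed landing page, as described above, and applies the filename regex to a few candidate names. The IP addresses in the sample page are placeholders from the 198.51.100.0/24 documentation range, not the ones in the chain above.

```python
import html
import re

# Filename regex quoted in the post, compiled exactly as written (case-sensitive).
REVETON_NAME_RE = re.compile(
    r"(Me|You|Iam)(Funny|Naked|Nice|Sexy|Whore|Lol)"
    r"(PIC|TIFF|PNG|GIF|BMP|JPEG)\.exe$"
)

# href/src attribute values; on the landing page these are HTML-entity encoded.
ATTR_RE = re.compile(r"""(?:href|src)\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def entity_encode(text: str) -> str:
    """Encode every character as a decimal numeric entity (&#NN;)."""
    return "".join(f"&#{ord(ch)};" for ch in text)


def decode_links(page_html: str) -> list[str]:
    """Return the entity-decoded targets of all href/src attributes in the page."""
    return [html.unescape(raw) for raw in ATTR_RE.findall(page_html)]


def is_reveton_filename(name: str) -> bool:
    """True if the filename matches the post's naming pattern."""
    return REVETON_NAME_RE.search(name) is not None


# Constructed sample page: hypothetical hosts in the 198.51.100.0/24
# documentation range, encoded the way the post describes.
SAMPLE_PAGE = (
    '<html><body>\n'
    f'<a href="{entity_encode("http://198.51.100.17/imagedl11.php")}">Picture</a>\n'
    f'<a href="{entity_encode("http://198.51.100.18/imagedl11.php")}">Picture</a>\n'
    '</body></html>'
)


def download_links(page_html: str = SAMPLE_PAGE) -> list[str]:
    """Decode the page's links and keep the ones pointing at the imagedl11.php download."""
    return [u for u in decode_links(page_html) if u.endswith("imagedl11.php")]


if __name__ == "__main__":
    for url in download_links():
        print("decoded download link:", url)
    for name in ("MeNakedPIC.exe", "YouLolJPEG.exe", "MeNakedJPG.exe", "menakedpic.exe"):
        print(f"{name}: {'MATCH' if is_reveton_filename(name) else 'no match'}")
```

Note that the regex is case-sensitive as written; lowercase variants of the same names do not match unless it is compiled with re.IGNORECASE.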

Many comments about this can be found on mywot.

Unpacked EXE on VT
Packed EXE on VT
