
Users of the instant messaging service WhatsApp have recently become the target of a new malware attack. Aiming at both businesses and consumers who use the service, cybercriminals are sending fake emails camouflaged as official WhatsApp content to spread the malware.

The campaign was first spotted by cybersecurity firm Comodo Labs, which claims the malware belongs to the Nivdort family, which replicates itself into different system folders.

These phishing emails are sent from a rogue email address and are disguised to appear as if they originated from WhatsApp. The group or individual behind the malware has not yet been identified, but several means are being used to send emails to spread it. The emails read like the following, and each one ends with a set of random characters such as xgod or Ydkpda.

  • You have obtained a voice notification xgod
  • An audio memo was missed. Ydkpda
  • A brief audio recording has been delivered! Jsvk
  • A short vocal recording was obtained npulf
  • A sound announcement has been received sqdw
  • You have a video announcement. Eom
  • A brief video note got delivered. Atjvqw
  • You've recently got a vocal message. Yop

The email attachment contains a zip file. When the user opens the zip file and executes its contents, the malware spreads directly onto the computer. The Comodo team has said it has identified the WhatsApp phishing email through its IP and domain and is analysing its URL.
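The traits described above (media-notification wording that ends in a random token, a sender posing as WhatsApp from another domain, and a zip attachment holding an executable) can be checked on inbound mail. The following Python is an added example, not code from Comodo or from this article; the extension list, the two-trait threshold, the label names and the sample addresses are assumptions.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

MEDIA = re.compile(r"\b(voice|vocal|audio|sound|video)\b")
NOUNS = {"notification", "memo", "recording", "message", "announcement", "note"}
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".js", ".vbs", ".bat")  # assumed list

def findings(raw: bytes) -> list:
    """Return which of the lure traits described in the article a message shows."""
    msg = message_from_bytes(raw, policy=policy.default)
    out = []
    words = [w.lower() for w in re.findall(r"[A-Za-z']+", str(msg["Subject"] or ""))]
    last = words[-1] if words else ""
    # Media-notification wording followed by a short trailing token (xgod, Yop, ...)
    if (MEDIA.search(" ".join(words)) and NOUNS & set(words[:-1])
            and 3 <= len(last) <= 6 and last not in NOUNS):
        out.append("subject-random-suffix")
    # Display name claims WhatsApp but the address is on another domain
    name, addr = parseaddr(str(msg["From"] or ""))
    if "whatsapp" in name.lower() and not addr.lower().endswith(("@whatsapp.com", ".whatsapp.com")):
        out.append("sender-mismatch")
    # Zip attachment whose member names carry an executable extension
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(n.lower().endswith(EXEC_EXT) for n in zf.namelist()):
                    out.append("zip-with-executable")
    return out

def is_suspicious(raw: bytes) -> bool:
    # The suffix test alone also fires on "... message from Bob", so require two traits.
    return len(findings(raw)) >= 2

def build_sample(sender, subject, zipped_name=None) -> bytes:
    """Constructed test message; the attachment holds placeholder bytes only."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@corp.example", subject
    m.set_content("You have a new message.")
    if zipped_name:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(zipped_name, b"placeholder")
        m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="memo.zip")
    return m.as_bytes()

if __name__ == "__main__":
    lure = build_sample("WhatsApp <notify@mail.example>", "An audio memo was missed. Ydkpda", "memo.exe")
    print(findings(lure), is_suspicious(lure))
```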

Fatih Orhan, director of technology for Comodo and Comodo Antispam Labs, said, "Cybercriminals are becoming more and more like marketers — trying to use creative subject lines to have unsuspecting emails be clicked and opened to spread malware. As a company, Comodo is working diligently in creating innovative technology solutions that stay a step ahead of the cybercriminals, protect and secure endpoints, and keep enterprises and IT environments safe."