Since yesterday there have been some massive spam runs distributing Tinba in Switzerland. Tinba (also known as Tinybanker, Illi and Zusy) is an ebanking Trojan that has been around for a few years now. While most of the Tinba versions I usually come across utilise a Domain Generation Algorithm (DGA) to calculate the current botnet Command&Control (C&C) domain, the version of Tinba that has been spread in Switzerland since yesterday uses hard-coded botnet C&C domains.
Since yesterday, I have observed three distinct spam runs in Switzerland. The first one started on Jan 27, 2015 in the morning:
The spam emails pretend to be from generic bluewin.ch email addresses (bluewin.ch is a big free email service provider in Switzerland). However, if you look at the email headers, it's clear that the email is not coming from bluewin.ch itself, but from broadband lines all over the world (likely a botnet). The subject line looked like this:
… where X refers to a random digit, for example IMG402302 and IMG402302.
The first spam run of today pretended to be from a Swiss Telecom provider called Orange (orange.ch):
Just like the spam run from yesterday, the emails are not really originating from orange.ch, but from broadband lines located all over the world. The spammers used different subjects:
- Multimedia-Nachricht: XXXXXX
- MMS Id: XXXXXX
- MMS-Nachricht: XXXXXX
- Multimedianachricht: XXXXXX
… where X refers to a random digit, for example Multimedia-Nachricht: 415465 and MMS Id: 446869.
The most recent spam run I could observe today was a bit different. Instead of pretending to be an MMS from Orange, the spam emails claim to be an application for an open job position:
Obviously, these spammers have some difficulties with the Umlaute (öäü) used in German, which makes the email quite suspect. This time, the spam emails were forged to look like they were sent from GMX.ch (another big free email service in Switzerland and Germany). The subject line looks like this:
- an sekretariat
- AW: an sekretariat
- AW: Bewerbung
- Fwd: an sekretariat
- Re: an sekretariat
- WG: an sekretariat
- WG: Bewerbung
Let’s take a closer look at the sending IP addresses. If we match them against Spamhaus CBL it turns out that they are all Cutwail infected IPs:
$ grep -F -f ips.txt spamhaus_ecbl
If we take a look at the attachments spread using these spam runs, we see that multiple malware binaries have been spread:
IMG_0927886_27_01_2015.zip MD5 dededad4a9979aa4f23b56bf2c038e17
-> IMG_8703219_27_01_2015.jpeg.exe MD5 2b31753f4650673f76dc17c251d21e71
IMG-27012014-WA0057.zip MD5 f399947a97bcaf1b561b196e9966639d
-> IMG-27012014-WA0015.jpg.exe MD5 5b4d91a1e98f8fdbbfd210d91a8435f9
Doc_Bewerbung-Januar2015.docx.zip MD5 5d2d057c4913be8e1ddb7187ea254491
-> Doc_Bewerbung-Januar2015.docx.exe MD5 5b4d91a1e98f8fdbbfd210d91a8435f9
As mentioned earlier in this post, the malware that is being spread through these spam runs appears to be a non-DGA version of Tinba. The malware itself calls out to one of the following botnet Command&Control Servers (C&Cs):
hXXp://serfanteg.ru/gr/ (126.96.36.199 – AS44050 PIN-AS, Russia)
hXXp://midnightadvantage.ru/pe/ (188.8.131.52 – AS44050 PIN-AS, Russia)
I recommend blocking the mentioned domains (serfanteg.ru, midnightadvantage.ru) and IPs (184.108.40.206, 220.127.116.11) at your network's edge. In general, 18.104.22.168/24 looks quite suspect, so you may want to block the whole netblock. In addition, it would be good advice to block filenames with multiple file extensions (e.g. .docx.exe and .docx.zip) on your email gateway.
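One way to implement the filename check recommended above, as an added example that is not part of the original post: it flags double extensions on the attachment itself and on members inside ZIP attachments, since the executables in these runs were packed in archives. The extension lists and function names are assumptions for illustration, and the sample archive is constructed in memory with placeholder bytes.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed extension lists for this example; tune them to your gateway policy.
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".xls", ".xlsx"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
ARCHIVE_EXTS = {".zip"}


def has_double_extension(filename):
    """True if a decoy extension is directly followed by an executable or archive one."""
    # Windows ignores trailing dots and spaces, so strip them before parsing.
    name = filename.replace("\\", "/").rstrip(". ")
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if len(suffixes) < 2:
        return False
    return suffixes[-2] in DECOY_EXTS and suffixes[-1] in (EXEC_EXTS | ARCHIVE_EXTS)


def scan_attachment(filename, data):
    """Return the reasons to block an attachment; an empty list means no finding."""
    findings = []
    if has_double_extension(filename):
        findings.append(f"double extension: {filename}")
    # Look inside ZIP attachments too: the runs above hid the .exe in an archive.
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if has_double_extension(member):
                    findings.append(f"double extension in archive: {member}")
                elif PurePosixPath(member).suffix.lower() in EXEC_EXTS:
                    findings.append(f"executable in archive: {member}")
    return findings


def make_sample_zip(member_name):
    """Build a constructed sample archive in memory (placeholder bytes, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # File names are the ones listed in the post; the contents are constructed.
    outer, inner = "Doc_Bewerbung-Januar2015.docx.zip", "Doc_Bewerbung-Januar2015.docx.exe"
    for finding in scan_attachment(outer, make_sample_zip(inner)):
        print(finding)
```

An outer name such as IMG_0927886_27_01_2015.zip has a single extension, so only the archive inspection catches that attachment.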