Monthly Archives: March 2013

Fake Booking Emails Hitting CH and DE

Around 09:00 UTC, the cutwail spam botnet started to send out a new spam campaign targeting Swiss and German internet users. This spam campaign seems to be linked to the fake Swisscom and T-Mobile emails we have seen recently.

This time, the criminals send out fake booking emails that looks like this:

From: “”
To: spamtrap
Subject: Reservierung [98588048], Mon, 18 Mar 2013 17:23:24 +0800


Buchungsnummer: SN2699862
Buchungsdatum: Mon, 18 Mar 2013 17:23:24 +0800
Mehr Details in der beigefugten Datei

Anreise: 23.03.2013 Anzahl Nächte: 1
Abreise: 24.03.2013 Gesamtanzahl Personen: 1
Preis: 73,89 EUR
Der Gesamtpreis beinhaltet 3,93 EUR Steuern und Abgaben.

Hinweis: Diese Buchung ist per Bankkarte gesichert.
Mit freundlichen grüßen
Ihr AG – –

The email contains an attachment called that contains an Windows executable:

Filename: HotelReservierung8300754911.PDF.exe
Filesize: 124’287 bytes
MD5 hash: 9b81080a24495269caf15637fe3908c1 2 / 37

The file contains the same dropped that we have already seen in the recent Swisscom / T-Mobile spam mails, called Andromeda (also known as Gamarue). Once the file gets executed, the Trojan installs itself on the system and tries to connect to the following botnet command&control server (C&C):

POST /wp-rss2.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Connection: close
User-Agent: Mozilla/4.0
Content-Length: 80
Cache-Control: no-cache
Pragma: no-cache


The domain name is registered through a in Poland based domain registrar called “Domain Silver Inc”:

registrant type: individual
created: 2012.12.10 15:11:20
last modified: 2013.03.14 07:15:00
renewal date: 2013.12.10 15:11:20

no option

dnssec: Unsigned
TECHNICAL CONTACT: data restricted

Domain Silver Inc.
1st Floor, Sham-Peng-Tong
Plaza Building, Victoria, Mahe
tel.: +1.3236524343

Based on the geo location of the victim, the Trojan drops additional malware like Torpig/Mebroot, Citadel or Feodo/Cridex.

Since the domain name published an SPF record and the sending IP addresses are already listed on Spamhaus ZEN, the impact caused by this threat should be limited (unless you use a poorly configured spam filter).

As usual, I recommend you to block the following domain names and IP addresses which are associated with this threat on your network edge / web gateway:

Fake Swisscom And T-Mobile Emails Hitting CH and DE

This morning I’ve spotted two spam campaigns hitting German and Swiss internet users, by abusing the name and reputation of two well known players in the telephone sector: Swisscom (CH) and T-Mobile (DE).

Below is a spam sample that has been sent out by the Cutwail spam botnet this morning hitting Swiss internet users:

To: spamtrap
Subject: MMS

Description: Swiss Telecom

Telefonnummer +41*random-number*

Wenn der Adressat ein MMS nicht empfangen kann (weil er kein MMS-fähiges Handy hat oder wenn mit seinem Netzanbieter keine MMS ausgetauscht werden können) erhält er ein SMS mit einer MMS-ID. Auf der Website von Swisscom kann er das MMS mit dieser MMS-ID abrufen.

It’s an HTML email that embeds the Swisscom-Logo:

Screenshot Spammail

The email is written in German and says that if the recipient gets an MMS and his mobile phone isn’t able to display MMS or his network provider doesn’t support it, he will get an SMS with an MMS-ID. The receipient can enter this MMS-ID on the Swisscom website to view the MMS he just has received. If you Google that text you will notice that the criminals just copied that text from Swisscom’s official website:

The spam email has a ZIP-Archive ( attached that contains a Windows executable (.exe) infected with Andromeda (also known as Gamarue):

Filesize: 30’724 bytes
MD5 hash: 2c1a7509b389858310ffbc72ee64d501
Virustotal: 20 / 45

Once the recipient executes the Windows executable, the Trojan installs itself into the profile of All Users:

C:\Documents and Settings\All Users\dxalrjtj.exe

Andromeda/Gamarue uses some anti-VM mechanism to make sure that it only gets executed on a physical system. As soon as the Trojan infected the victims machine, it starts to communicate with the botnet C&C using the HTTP protocol:

POST /soap.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Connection: close
User-Agent: Mozilla/4.0
Content-Length: 80
Cache-Control: no-cache
Pragma: no-cache


The botnet C&C server is located at which is registered through a Russian based domain registrar called “NAUNET”:

domain: OPHIA.RU
person: Private Person
registrar: NAUNET-REG-RIPN
created: 2012.12.10
paid-till: 2013.12.10
free-date: 2014.01.10
source: TCI

The domain name has several A records: [] [] [] [] []

Googling for the mentioned botnet C&C domain will reveal an interesting forum post on Obviously the criminals sent out a similar spam campaign today targeting German internet users, by abuse T-Mobile’s brand. The attackers used a different subject line and email body, but sent out the same malicious file (MD5 hash: 2c1a7509b389858310ffbc72ee64d501).

Fortunately, I’ve some good news for you: All these spam emails I’ve seen hitting my spamtraps today have been blocked by Spamhaus ZEN. So if your spamfilter is checking the sending IP address of an email against ZEN, most of these spam emails should have been blocked. Secondly, Swisscom did their homework and already published an SPF record for their domain name a long time ago:

$ dig +short TXT
“v=spf1 ip4: -all”

If your spamfilter is configured to check the SPF record of the sending domain, all these spam messages should have been rejected on your email gateway.

To mitigate this threat, you should ensure that you:

  • Check incoming emails against Spamhaus ZEN
  • Enable SPF checking on your spamfilter / email gateway
  • Block the botnet C&C domain name and the associated IP addresses (see below)
  • configure your clients to show file extensions for known file types (MMS-XXX.jpg.exe)

Associated domain names / IP addresses to block on your firewall / gateway: