Fake Swisscom And T-Mobile Emails Hitting CH and DE

This morning I spotted two spam campaigns hitting German and Swiss internet users that abuse the name and reputation of two well-known players in the telecommunications sector: Swisscom (CH) and T-Mobile (DE).

Below is a spam sample sent out by the Cutwail spam botnet this morning, hitting Swiss internet users:

From: noreply@swisscom.ch
To: spamtrap
Subject: MMS

Description: Swiss Telecom

Telefonnummer +41*random-number*

Wenn der Adressat ein MMS nicht empfangen kann (weil er kein MMS-fähiges Handy hat oder wenn mit seinem Netzanbieter keine MMS ausgetauscht werden können) erhält er ein SMS mit einer MMS-ID. Auf der Website von Swisscom kann er das MMS mit dieser MMS-ID abrufen.

It’s an HTML email that embeds the Swisscom logo:

[Screenshot of the spam email]

The email is written in German and says that if the recipient receives an MMS and his mobile phone isn’t able to display MMS or his network provider doesn’t support it, he will get an SMS with an MMS-ID. The recipient can enter this MMS-ID on the Swisscom website to view the MMS he has just received. If you Google that text you will notice that the criminals simply copied it from Swisscom’s official website:

http://www.swisscom.ch/de/privatkunden/hilfe/loesung/dienste-im-ausland-nutzen.html

The spam email has a ZIP archive (MMSXXXXX.zip) attached that contains a Windows executable (.exe) infected with Andromeda (also known as Gamarue):

Filename: MMS-XXXXXXXX.JPEG.exe
Filesize: 30’724 bytes
MD5 hash: 2c1a7509b389858310ffbc72ee64d501
Virustotal: 20 / 45

Once the recipient executes the Windows executable, the Trojan installs itself into the All Users profile:

C:\Documents and Settings\All Users\dxalrjtj.exe

Andromeda/Gamarue uses anti-VM mechanisms to make sure that it only runs on a physical system. As soon as the Trojan has infected the victim’s machine, it starts communicating with the botnet C&C over HTTP:

POST /soap.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Connection: close
User-Agent: Mozilla/4.0
Host: ophia.ru
Content-Length: 80
Cache-Control: no-cache
Pragma: no-cache

*encrypted-data*
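The beacon above has a recognisable shape (POST to /soap.php with a bare "Mozilla/4.0" user-agent). The following is an added detection example, not code from the original post: it runs that rule over a few constructed proxy log lines (timestamp, client IP, method, URL, quoted user-agent; none are real captures) and flags both traffic to the known C&C host and the beacon pattern sent to any other host.

```python
import re

# Indicators taken from the C&C request quoted in the post.
C2_HOSTS = {"ophia.ru"}
C2_PATH = "/soap.php"
C2_UA = "Mozilla/4.0"

# Constructed sample proxy log lines (not real captures): timestamp, client IP,
# method, URL, quoted user-agent. 198.51.100.7 is a documentation address.
SAMPLE_LOG = """\
1370000001.123 10.0.0.15 POST http://ophia.ru/soap.php "Mozilla/4.0"
1370000002.456 10.0.0.22 GET http://www.swisscom.ch/de/privatkunden/ "Mozilla/5.0 (Windows NT 6.1)"
1370000003.789 10.0.0.15 POST http://ophia.ru/soap.php "Mozilla/4.0"
1370000004.000 10.0.0.31 POST http://intranet.example/soap.php "Mozilla/5.0"
1370000005.321 10.0.0.40 POST http://198.51.100.7/soap.php "Mozilla/4.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
URL_RE = re.compile(r'^https?://([^/]+)(/.*)?$')

def parse_line(line):
    """Split one log line into a dict; returns None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, ua = m.groups()
    u = URL_RE.match(url)
    if not u:
        return None
    return {"ts": ts, "client": client, "method": method.upper(),
            "host": u.group(1).lower(), "path": u.group(2) or "/", "ua": ua}

def is_andromeda_beacon(rec):
    """True for traffic to a known C&C host, or for the beacon shape itself
    (POST /soap.php with exactly the 'Mozilla/4.0' user-agent) to any host."""
    if rec["host"] in C2_HOSTS:
        return True
    return (rec["method"] == "POST" and rec["path"] == C2_PATH
            and rec["ua"] == C2_UA)

def find_beacons(log_text):
    """Return (client, host) pairs for every log line that matches the rule."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_andromeda_beacon(rec):
            hits.append((rec["client"], rec["host"]))
    return hits

if __name__ == "__main__":
    for client, host in find_beacons(SAMPLE_LOG):
        print(f"possible Andromeda beacon from {client} to {host}")
```

The intranet line is deliberately left unmatched: same path, but a normal browser user-agent, so the host indicator or the full beacon shape is required before raising an alert.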

The botnet C&C server is located at ophia.ru, which is registered through a Russian-based domain registrar called “NAUNET”:

domain: OPHIA.RU
nserver: ns1.menorca24.com.
nserver: ns1.nextbookz.com.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: NAUNET-REG-RIPN
admin-contact: https://client.naunet.ru/c/whoiscontact
created: 2012.12.10
paid-till: 2013.12.10
free-date: 2014.01.10
source: TCI

The domain name has several A records:

59.167.122.56 [ppp59-167-122-56.static.internode.on.net.]
101.99.23.176 [static.cmcti.vn.]
2.229.105.130 [2-229-105-130.ip196.fastwebnet.it.]
177.71.251.208 [ec2-177-71-251-208.sa-east-1.compute.amazonaws.com.]
185.12.5.106 [host-106-5-12-185.cloudsigma.com.]

Googling for the mentioned botnet C&C domain reveals an interesting forum post on Trojaner-board.de. Evidently the criminals sent out a similar spam campaign today targeting German internet users, abusing T-Mobile’s brand. The attackers used a different subject line and email body, but sent out the same malicious file (MD5 hash: 2c1a7509b389858310ffbc72ee64d501).

Fortunately, I have some good news for you: all of the spam emails I’ve seen hitting my spamtraps today have been blocked by Spamhaus ZEN. So if your spam filter checks the sending IP address of an email against ZEN, most of these spam emails should have been blocked. Secondly, Swisscom did their homework and published an SPF record for their domain name swisscom.ch a long time ago:

$ dig +short swisscom.ch TXT
"v=spf1 ip4:193.222.81.0/24 -all"

If your spam filter is configured to check the SPF record of the sending domain, all of these spam messages should have been rejected at your email gateway.

To mitigate this threat, you should ensure that you:

  • Check incoming emails against Spamhaus ZEN
  • Enable SPF checking on your spamfilter / email gateway
  • Block the botnet C&C domain name and the associated IP addresses (see below)
  • Configure your clients to show file extensions for known file types (MMS-XXX.jpg.exe)
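To make the SPF and file-extension checks concrete, here is an added example (not code from the original post or from Swisscom): a minimal SPF evaluator run against the swisscom.ch record quoted above, plus the double-extension check from the last bullet, combined into a simple gateway verdict. The sender IPs used in the tests are constructed documentation addresses, and the evaluator handles only the ip4/ip6 and all mechanisms that this record needs.

```python
import ipaddress

# The SPF record the post quotes for swisscom.ch.
SWISSCOM_SPF = "v=spf1 ip4:193.222.81.0/24 -all"

# Extensions that run as code on Windows vs. the decoys used to disguise them.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DECOY_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".txt"}

# SPF qualifier -> result when the mechanism matches.
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record, sender_ip):
    """Minimal SPF evaluator: handles ip4:/ip6: (with optional CIDR) and 'all'
    with the +, -, ~ and ? qualifiers. Other mechanisms (a, mx, include, ...)
    are skipped. Returns the SPF result string."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                       # default qualifier is '+'
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return RESULTS[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return RESULTS[qualifier]
    return "neutral"                          # nothing matched, no 'all' term

def is_double_extension_lure(filename):
    """Flag names like MMS-12345678.JPEG.exe: an executable extension hidden
    behind a decoy one, which Explorer conceals when extensions are hidden."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    return "." + parts[2] in EXEC_EXT and "." + parts[1] in DECOY_EXT

def gateway_verdict(spf_record, sender_ip, attachments):
    """SPF hard fail rejects first (possible at SMTP time, before the body is
    fetched); otherwise attachment names are inspected."""
    if evaluate_spf(spf_record, sender_ip) == "fail":
        return "reject: SPF fail"
    if any(is_double_extension_lure(name) for name in attachments):
        return "quarantine: double-extension executable"
    return "accept"
```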

Associated domain names / IP addresses to block on your firewall / gateway:

