This morning I’ve spotted two spam campaigns hitting German and Swiss internet users, by abusing the name and reputation of two well known players in the telephone sector: Swisscom (CH) and T-Mobile (DE).
Below is a spam sample that has been sent out by the Cutwail spam botnet this morning hitting Swiss internet users:
Description: Swiss Telecom
Wenn der Adressat ein MMS nicht empfangen kann (weil er kein MMS-fähiges Handy hat oder wenn mit seinem Netzanbieter keine MMS ausgetauscht werden können) erhält er ein SMS mit einer MMS-ID. Auf der Website von Swisscom kann er das MMS mit dieser MMS-ID abrufen.
It’s an HTML email that embeds the Swisscom-Logo:
The email is written in German and says that if the recipient gets an MMS and his mobile phone isn’t able to display MMS or his network provider doesn’t support it, he will get an SMS with an MMS-ID. The receipient can enter this MMS-ID on the Swisscom website to view the MMS he just has received. If you Google that text you will notice that the criminals just copied that text from Swisscom’s official website:
The spam email has a ZIP-Archive (MMSXXXXX.zip) attached that contains a Windows executable (.exe) infected with Andromeda (also known as Gamarue):
Filesize: 30’724 bytes
MD5 hash: 2c1a7509b389858310ffbc72ee64d501
Virustotal: 20 / 45
Once the recipient executes the Windows executable, the Trojan installs itself into the profile of All Users:
Andromeda/Gamarue uses some anti-VM mechanism to make sure that it only gets executed on a physical system. As soon as the Trojan infected the victims machine, it starts to communicate with the botnet C&C using the HTTP protocol:
The botnet C&C server is located at ophia.ru which is registered through a Russian based domain registrar called “NAUNET”:
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
The domain name has several A records:
Googling for the mentioned botnet C&C domain will reveal an interesting forum post on Trojaner-board.de. Obviously the criminals sent out a similar spam campaign today targeting German internet users, by abuse T-Mobile’s brand. The attackers used a different subject line and email body, but sent out the same malicious file (MD5 hash: 2c1a7509b389858310ffbc72ee64d501).
Fortunately, I’ve some good news for you: All these spam emails I’ve seen hitting my spamtraps today have been blocked by Spamhaus ZEN. So if your spamfilter is checking the sending IP address of an email against ZEN, most of these spam emails should have been blocked. Secondly, Swisscom did their homework and already published an SPF record for their domain name swisscom.ch a long time ago:
“v=spf1 ip4:184.108.40.206/24 -all”
If your spamfilter is configured to check the SPF record of the sending domain, all these spam messages should have been rejected on your email gateway.
To mitigate this threat, you should ensure that you:
- Check incoming emails against Spamhaus ZEN
- Enable SPF checking on your spamfilter / email gateway
- Block the botnet C&C domain name and the associated IP addresses (see below)
- configure your clients to show file extensions for known file types (MMS-XXX.jpg.exe)
Associated domain names / IP addresses to block on your firewall / gateway: