Tag Archives: hotel.de

Fake hotel.de Booking Emails Hitting CH and DE

Around 09:00 UTC, the cutwail spam botnet started to send out a new spam campaign targeting Swiss and German internet users. This spam campaign seems to be linked to the fake Swisscom and T-Mobile emails we have seen recently.

This time, the criminals send out fake hotel.de booking emails that looks like this:

From: “hotel.de” Reserv@hotel.de
To: spamtrap
Subject: Hotel.de Reservierung [98588048], Mon, 18 Mar 2013 17:23:24 +0800


Buchungsnummer: SN2699862
Buchungsdatum: Mon, 18 Mar 2013 17:23:24 +0800
Mehr Details in der beigefugten Datei

Anreise: 23.03.2013 Anzahl Nächte: 1
Abreise: 24.03.2013 Gesamtanzahl Personen: 1
Preis: 73,89 EUR
Der Gesamtpreis beinhaltet 3,93 EUR Steuern und Abgaben.

Hinweis: Diese Buchung ist per Bankkarte gesichert.
Mit freundlichen grüßen
Ihr hotel.de/hotel.info-Team
hotel.de AG – www.hotel.de – www.hotel.info

The email contains an attachment called HotelReservierung8266035.pdf.zip that contains an Windows executable:

Filename: HotelReservierung8300754911.PDF.exe
Filesize: 124’287 bytes
MD5 hash: 9b81080a24495269caf15637fe3908c1
VirSCAN.org: 2 / 37

The file contains the same dropped that we have already seen in the recent Swisscom / T-Mobile spam mails, called Andromeda (also known as Gamarue). Once the file gets executed, the Trojan installs itself on the system and tries to connect to the following botnet command&control server (C&C):

POST /wp-rss2.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Connection: close
User-Agent: Mozilla/4.0
Host: kitro.pl
Content-Length: 80
Cache-Control: no-cache
Pragma: no-cache


The domain name kitro.pl is registered through a in Poland based domain registrar called “Domain Silver Inc”:

DOMAIN NAME: kitro.pl
registrant type: individual
nameservers: ns1.nextbookz.com.
created: 2012.12.10 15:11:20
last modified: 2013.03.14 07:15:00
renewal date: 2013.12.10 15:11:20

no option

dnssec: Unsigned
TECHNICAL CONTACT: data restricted

Domain Silver Inc.
1st Floor, Sham-Peng-Tong
Plaza Building, Victoria, Mahe
e-mail: support@domainsilver.pl
tel.: +1.3236524343

Based on the geo location of the victim, the Trojan drops additional malware like Torpig/Mebroot, Citadel or Feodo/Cridex.

Since the domain name hotel.de published an SPF record and the sending IP addresses are already listed on Spamhaus ZEN, the impact caused by this threat should be limited (unless you use a poorly configured spam filter).

As usual, I recommend you to block the following domain names and IP addresses which are associated with this threat on your network edge / web gateway: