Weird things are going on here in Switzerland. Today I’ve seen a spam campaign sent out by the Cutwail Spambot (on of the biggest spam botnets in the world), hitting Switzerland with the P2P version of ZeuS (aka P2P ZeuS aka ZeuSv3 aka Gameover ZeuS). The spam email looks like this:
Subject: Re: onjuist ingevulde NATXXXX belastingformulier
Helaas is u op de hoogte dat je hebt fouten gemaakt bij het invullen van de laatste belastingformulier applicatie (ID: XXXXX).
vindt u het advies van onze fiscalisten Op deze link
( 1 minuut Wacht tot rapport zal laden)
Wij vragen u om corrigeer de fouten en bestand de herziene aangifte aan uw lokale belastingkantoor zo snel mogelijk.
Departement Gesundheit und Soziales
Abteilung Militär und Bevölkerungsschutz
Rohrerstrasse 7, Postfach, 3352 Aarau
Tel.: +41 (0)62 362 XX XX
Fax: +41 (0)62 365 XX XX
What is weird with this spam campaign is the fact that it imitates a social department of a Swiss canton called Aargau (German), but the text in the email is written in Dutch. It might be hard to believe, but most Swiss citizens don’t speak Dutch at all…
Additionally, I’ve seen that Cutwail is sending out this spam campaign to non-CH mailboxes as well (.net, .com etc.). So it is not yet clear whether the intend of the criminals behind this malware campaign is to hit Swiss citizens or not (I don’t think that any foreign citizens knows the canton Aargau…).
The spam email contains a hyperlink to a hijacked website, for example:
For a normal visitor the page doesn’t look suspect at all, its a copy of the official web page of the canton Aargau (swiss canton). However, if you take a closer look at the html source of the advertised URL you will notice malicious Java script code which will cause that the visitors web browser will load a content from foreign URL hosted in Korea:
africanbeat.net points to 220.127.116.11
[ Network Information ]
IPv4 Address : 18.104.22.168 – 22.214.171.124 (/13)
Service Name : broadNnet
Organization Name : SK Broadband Co Ltd
Organization ID : ORG3930
Address : 267, Seoul Namdaemunno 5(o)-ga Jung-gu SK NamsanGreen Bldg.
Zip Code : 100-711
Registration Date : 20040402
The mentioned website (africanbeat.net) is likely operated by cybercriminals and hosting a exploit kit called “Blackhole”. Blackhole is able to exploit various (known) vulnerabilities in the visitors web browser (eg. Internet Explorer or Firefox) but as well as in 3rd party browser plugins like Adobe Flash, Adobe Reader and Sun Java. If the software installed on the visitors computer is not fully patched, blackhole will exploit a vulnerability and will use it to install an ebanking Trojan called P2P ZeuS.
Since P2P ZeuS is not using any centralized (botnet) infrastructure, there is no central botnet C&C domain/ip you could block on your company’s gateway. However, P2P ZeuS is using P2P functionality, communicating with other infected bots around the globe using a high TCP/UDP port. In fact you can mitigate this threat by blocking any outgoing TCP and UDP port higher than 1024 on your firewall (as a side note: you should restrict outgoing traffic on your firewall anyway).
Additionally, I recommend everyone to block the following domain names and IP address at the network edge:
- 126.96.36.199 (Blackhole Exploit Kit hosting)
- africanbeat.net (Blackhole Exploit Kit hosting)
- 188.8.131.52 (Malware DNS server)
*** Further reading ****
A follow me on Twitter: https://twitter.com/abuse_ch