
Update 2014-01-10: This malicious campaign has expanded to include emails that masquerade as bills from NTTCable and from Volksbank.

Update 2014-01-21: We have updated the chart to include the Vodafon emails and the latest URL activity.

English has emerged as the language of choice for international commerce. Since people throughout the world are used to receiving emails in English, spammers have also adopted English as the means of getting their message to large numbers of international recipients. However, spam messages that are written in a local language and that reference local companies can be particularly enticing for recipients to open, because they do not expect malicious messages to be written in anything other than English. Cisco has observed and blocked a large number of malicious spam messages written in German that masquerade as phone billing statements. Initially the spam run masqueraded as Telekom Deutschland; subsequent messages masqueraded as NTTCable and Volksbank.

Cisco TRAC was able to locate what appears to be a single attack attempt, likely a test run, on 2013-12-16; however, the majority of the attack started on 2014-01-05 and is ongoing. The malware is currently targeting users as depicted in the heat map below, and the vast majority of attacks are occurring in Germany. It is reported that the end goal of this malware is to harvest credentials.

This heat-map represents the malicious URL activity we have detected and blocked:

[Image: heat map of malicious URL activity detected and blocked]

Here is a sample message:

[Image: sample Telekom spam message]

English translation:

[Image: English translation of the sample message]

The URLs involved in the attack follow a very specific format: a six-character, random-looking label prepended to an existing domain, followed by a directory named after the impersonated company (/telekom/, /NTTCable/ or /volksbank/). Only two hosts in the list below (upddezember.com and newfirefox.ru) lack the random label; every URL carries the campaign directory.

0abh26.hmlled.com/telekom/
0zc57s.moni-llc.com/telekom/
54kbpg.pelcastre.net/telekom/
6erdkf.dhc.com.ar/telekom/
6gfu71.xemtatca.com/telekom/
704yyi.garroba.com.ar/telekom/
7db4bb.taihinh.net/telekom/
7ipaeb.toastycomputers.com/telekom/
88a9fo.toolv.com/telekom/
bjr3at.arquidata.com.ar/telekom/
cahyx8.whodatninga.com/telekom/
da48it.xsenergy.ro/telekom/
dezrrn.photospace.biz/telekom/
e4uvqd.u-mine.cl/telekom/
eexlhh.ultimatepropertyevent.com/telekom/
f54z6k.incel.cl/telekom/
gchufm.drippingrockhoney.com/telekom/
gip053.csdue.it/telekom/
i30szj.koson-sf.ro/telekom/
jbvxdr.academyoftruesuccess.com/telekom/
jogyg5.15pifa.com/telekom/
k0dfbi.laughland.me/telekom/
k9kuk5.mikecramer.com/telekom/
mpkq1q.peliculeroweb.com.ar/telekom/
rjq5s1.balserv.ru/telekom/
sd1daa.aidangent.net/telekom/
sel8gi.24fit.tw/telekom/
sifrdz.firstfretmusic.com/telekom/
sm9eh1.theromantichearts.com/telekom/
tk1ud9.basler.com.ar/telekom/
tpf9qt.deadstockrock.com/telekom/
uquh4l.headsup.hk/telekom/
yz6sj0.windsormetalbattery.com/telekom/
ze1mtq.kcfullservice2.com/telekom/
zyctcf.viptt44.com/telekom/

16m0uu.oxip.me/NTTCable/
8pyhku.onesidedbox.com/NTTCable/
8ylz9l.ukmigrationlawyers.com/NTTCable/
alkogs.afrocenter.com/NTTCable/
bmv95b.taliaretelny.com/NTTCable/
dcx80n.worldofiniquity.com/NTTCable/
dl1ntk.kourkouta.com/NTTCable/
f5mg9k.krobath-brunner.ch/NTTCable/
ig27jj.idu.la/NTTCable/
jkcpmr.zabice.si/NTTCable/
jqq1ua.ceatlantida.com.br/NTTCable/
odx1rc.johnrappold.com/NTTCable/
upddezember.com/NTTCable/
xujrle.lapappy.ro/NTTCable/

eicf1j.uwgraduation.net/volksbank/
newfirefox.ru/volksbank/
oz8pg5.stardustcommercialservices.com/volksbank/
v32gfe.saraplusjustin.com/volksbank/

We have associated the following MD5 hashes of the .zip files with this campaign:

40f85f501d17dd580850b47bc6de9da6
6945cb0e6cc05949b6fbf0fd5ff3c675
6a1483e974d6efd590a227c9986bc7c8
a5760773e39ed647d1d0dd4e160f80fa
b024e181571132117c2aa6084fef8fde
b745e834bf74ff0c5d2b6188d8062279
ff84658263ba9149458514c20f7de8de

Upon visiting one of these URLs, a user is prompted to download a .zip file. The .zip file contains a trojan executable. The executable carries a PDF file icon, which may trick some users into opening it. Upon execution, the malware immediately attempts to connect to the following servers:

beliyvolkalak.ru   Service Port: 80
buriymishka.ru   Service Port: 80
deepandtouch.ru   Service Port: 80
djubkafriend.ru   Service Port: 80
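The URL pattern described above, the published .zip hashes and the four check-in servers are all usable as detection indicators. The following is an added example, not code from the original post or from Cisco, that turns them into a small matcher and runs it over a few constructed proxy-log records (the log layout and the client addresses are assumed for illustration; the hosts, paths and hashes are taken from the post). The URL check distinguishes a "strong" match (random six-character label plus campaign directory) from a "weak" one (campaign directory on a host without the label, as with upddezember.com and newfirefox.ru).

```python
"""Added example: match proxy log records against the campaign indicators above."""
import hashlib
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators copied from the post.
CAMPAIGN_DIRS = {"telekom", "nttcable", "volksbank"}   # first path segment, compared lower-cased
C2_HOSTS = {"beliyvolkalak.ru", "buriymishka.ru", "deepandtouch.ru", "djubkafriend.ru"}
ZIP_MD5S = {
    "40f85f501d17dd580850b47bc6de9da6", "6945cb0e6cc05949b6fbf0fd5ff3c675",
    "6a1483e974d6efd590a227c9986bc7c8", "a5760773e39ed647d1d0dd4e160f80fa",
    "b024e181571132117c2aa6084fef8fde", "b745e834bf74ff0c5d2b6188d8062279",
    "ff84658263ba9149458514c20f7de8de",
}

# Almost every download URL puts a six-character [a-z0-9] label in front of an
# existing domain (0abh26.hmlled.com, f5mg9k.krobath-brunner.ch, ...).
RANDOM_LABEL = re.compile(r"^[a-z0-9]{6}$")


def classify_url(url: str) -> Optional[str]:
    """'strong' = random label + campaign directory, 'weak' = directory only, None = no match."""
    if "://" not in url:
        url = "http://" + url            # the post lists URLs without a scheme
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    segments = [s for s in parts.path.split("/") if s]
    if not segments or segments[0].lower() not in CAMPAIGN_DIRS:
        return None
    labels = host.split(".")
    if len(labels) >= 3 and RANDOM_LABEL.match(labels[0]):
        return "strong"
    return "weak"                        # e.g. upddezember.com/NTTCable/ or newfirefox.ru/volksbank/


def is_c2_host(host: str) -> bool:
    """True if host is one of the four check-in servers or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == c2 or host.endswith("." + c2) for c2 in C2_HOSTS)


def md5_matches_sample(data: bytes) -> bool:
    """Compare a downloaded .zip against the published hashes.

    MD5 is adequate for recognising known samples; it is not adequate for
    proving an unknown file is benign, so treat a miss as 'unknown', not 'clean'."""
    return hashlib.md5(data).hexdigest() in ZIP_MD5S


# Constructed sample records (assumed layout: client, method, url, status).
PROXY_LOG = """\
10.0.0.5 GET http://0abh26.hmlled.com/telekom/ 200
10.0.0.9 GET http://upddezember.com/NTTCable/ 200
10.0.0.9 GET http://www.telekom.de/kundencenter/ 200
10.0.0.7 POST http://deepandtouch.ru/ 200
10.0.0.8 GET http://k9kuk5.mikecramer.com/volksbank/ 404
"""


def scan_proxy_log(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, url, reason) for every record that touches a campaign indicator."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        client, url = fields[0], fields[2]
        host = (urlsplit(url).hostname or "").lower()
        if is_c2_host(host):
            hits.append((client, url, "c2"))       # post-infection check-in, highest priority
            continue
        verdict = classify_url(url)
        if verdict:
            hits.append((client, url, verdict))   # download-stage URL
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print(hit)
```

A hit tagged "c2" means the executable has already run on that client and should be triaged before the "strong" and "weak" download-stage hits; a legitimate Telekom URL such as the constructed www.telekom.de record produces no hit because it lacks the campaign directory.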

Once connected, the bot issues the following POST request to each server:

[Image: HTTP POST request issued by the bot]

This malware can be completely avoided if users simply follow best practices and refrain from downloading and running suspicious attachments. A reputable institution will never send an executable via email; users are urged to retrieve any necessary files from the company's own website. As always, it is a good idea to compute the MD5 checksum of any downloaded executable and compare it against published indicators, such as the hashes above, before running it; a match identifies a known sample, while a miss does not prove the file is safe.

Special thanks to Martin Lee for coauthoring this post as well as Andrew Tsonchev for contributing. 

Author

Craig Williams, Director, Talos Outreach