Cisco Blogs

Fake German Bill Spam Campaign Spreads Malware

January 9, 2014

Update 2014-01-10: This malicious campaign has expanded to include emails that masquerade as bills from NTTCable and from Volksbank.

Update 2014-01-21: We’ve updated the chart to include the Vodafon emails and latest URL activity

English has emerged as the language of choice for international commerce. Since people throughout the world are used to receiving English-language emails, spammers have also adopted English as the means of getting their message to large numbers of international recipients. However, spam messages that are written in a local language and that reference local companies can be particularly enticing for recipients to open, because they do not expect malicious messages to be written in anything other than English. Cisco has observed and blocked a large number of malicious spam messages written in German that masquerade as phone billing statements. Initially the spam run masqueraded as Telekom Deutschland, with subsequent messages masquerading as messages from NTTCable and Volksbank.

Cisco TRAC was able to locate what appears to be a single attack attempt, likely a test run, on 2013-12-16; however, the majority of the attack started on 2014-01-05 and is ongoing. The malware is currently targeting users as depicted in the heat map below. The vast majority of attacks are occurring in Germany. It is reported that the end goal of this malware is to harvest credentials.

This heat map represents the malicious URL activity we have detected and blocked:


Here is a sample message:


English translation:


All of the URLs involved in the attack follow a very specific format:

We’ve associated the following MD5 hashes for the .zip file with this campaign:


Upon visiting one of these URLs, a user is prompted to download a .zip file. The .zip file contains a trojan executable. The executable uses a PDF file icon, which may trick some users into clicking on it. Upon execution, the malware immediately attempts to connect to the following four servers, each on service port 80:

Once connected the bot issues the following POST request to each server:


This malware can be completely avoided if users simply follow best practices and refrain from downloading and running suspicious attachments. A reputable institution will never send an executable via email; users are urged to retrieve any necessary files from company websites. As always, it is a great idea to run software that verifies the MD5 checksum before running any executable file.
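As an added example (not code from the original post or from Cisco), the following Python triage script checks an incoming "bill" e-mail for the two indicators the post describes: a link whose path names one of the impersonated providers (the path pattern is adapted from the SpamAssassin rule a commenter posted below, with the trailing slash made optional to cover the later /vodafon links), and a .zip attachment that hides a PE executable regardless of its extension, with the zip's MD5 looked up against a blocklist. The sample e-mail text, the zip contents and the blocklist hash are constructed placeholders, not indicators from the campaign.

```python
"""Triage a suspicious "bill" e-mail for the two indicators described in the
post: a link whose path names an impersonated provider, and a .zip attachment
hiding an executable. Sample mail, zip contents and blocklist hash are constructed."""
import hashlib
import io
import re
import zipfile

# Any host qualifies; the tell is the provider name as the first path element
# (pattern adapted from the SpamAssassin rule in the comments).
CAMPAIGN_URL = re.compile(
    r"https?://[a-z0-9.-]+/(telekom|volksbank|nttcable|vodafon)\b[^\s\"'<>]*",
    re.IGNORECASE)

# Real values would come from the post's MD5 list; this is a placeholder only.
KNOWN_BAD_MD5 = {"00000000000000000000000000000000"}  # placeholder, not a real IoC


def campaign_urls(text):
    """Return every URL in the message body that matches the campaign pattern."""
    return [m.group(0) for m in CAMPAIGN_URL.finditer(text)]


def zip_findings(data):
    """Inspect a zip attachment: report its MD5 for blocklist lookup and list
    members that are PE executables (MZ header), whatever their extension."""
    md5 = hashlib.md5(data).hexdigest()
    executables = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                if member.read(2) == b"MZ":
                    executables.append(info.filename)
    return {"md5": md5, "known_bad": md5 in KNOWN_BAD_MD5,
            "executables": executables}


# Constructed sample: German "bill" text with a campaign-style link, and a zip
# holding a PE file dressed up as a PDF next to a harmless text file.
SAMPLE_MAIL = ("Ihre Rechnung finden Sie unter "
               "http://example.invalid/telekom/rechnung.php?id=1234 .")
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("Rechnung.pdf.exe", b"MZ" + b"\x00" * 62)
    _zf.writestr("readme.txt", b"nicht ausfuehrbar")
SAMPLE_ZIP = _buf.getvalue()

if __name__ == "__main__":
    print(campaign_urls(SAMPLE_MAIL))
    print(zip_findings(SAMPLE_ZIP))
```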

Special thanks to Martin Lee for coauthoring this post as well as Andrew Tsonchev for contributing. 



  1. I believe the best way to stay safe from any malware or phishing site is to never download anything that they force you to do.
    But in case you feel, the download is important then make sure to do an online virus total scan of the attachment before downloading it.
    I usually follow the same tips when it comes to online security.

  2. Some attacks also reported in Poland. Hope my AV software won't pass this through…

  3. Also, just to clear it up: there is no link in the email to an executable, it is merely a link, like many providers use with their real invoices.

    No I will always check where the address is going to before clicking!

    • Hi Danilo,
      That's the danger of these kinds of attacks, it is so easy to fall for them. If you think that you might have clicked on one, download and install an AV client to scan your machine. The major AV vendors will be detecting this malware.

      If you want to prevent users from clicking the links in the first place, install a multi-layered set of filters, including an anti-spam filter to keep the emails away from users’ inboxes and a web filter to block any malicious links. Take a look at the Cisco ESA device for emails and Cisco CWS or WSA for web filtering.

  4. Hi everybody, I fell into this trap and clicked the link. It directed me to a blank page and a download never started; Chrome then told me it couldn’t load the page. I use a MacBook Pro. I am very ignorant of this matter and scared.

    The link it directed me to was Saw it on the list mentioned by Martin. I found this post when attempted unsuccessfully to see the “bill” for the third time. Any suggestions as to detect something dodgy?

  5. Hello,
    I’m in France and I received this mail this afternoon (20 January 2014), in German; it is from Telecom Deutschland and seems to be a bill too.
    Best regards.

    • Hello Charlotte,

      We’ve updated the heat map to reflect current activity. As you can see, the campaign is much more widespread right now.


  6. It makes no sense to collect the DNS names. There are already over 100 and every second there are new ones.

    You should trigger the pattern of the link.

  7. another one I think:

  8. More URLs this time with a change of format:

  9. P.S. All Bot commands come today from Austria.

  10. Today we found a lot of the backdoor software, maybe some of the first versions, not encrypted. It’s pretty well programmed.

    But my point: we assume that this spam wave is connected to the massive WordPress botnet attack last autumn.

    Does anyone know more?

    Best regards.

  11. getting closer… 🙂

    00411B5C 47 65 74 50 72 6F 63 41 64 64 72 65 GetProcAddre
    00411B6C 73 73 00 00 4C 00 6F 00 63 00 61 00 6C 00 5C 00 ss..L.o.c.a.l.\.
    00411B7C 58 00 4D 00 51 00 25 00 30 00 38 00 58 00 00 00 X.M.Q.%.0.8.X...
    00411B8C 4C 00 6F 00 63 00 61 00 6C 00 5C 00 58 00 4D 00 L.o.c.a.l.\.X.M.
    00411B9C 42 00 25 00 30 00 38 00 58 00 00 00 25 75 2E 25 B.%.0.8.X...%u.%
    00411BAC 75 2E 25 75 2E 25 75 3A 25 75 00 00 63 72 79 70 u.%u.%u:%u..cryp
    00411BBC 74 33 32 2E 64 6C 6C 00 00 00 00 00 65 00 78 00 t32.dll.....e.x.
    00411BCC 70 00 00 00 2E 00 62 00 61 00 74 00 00 00 00 00 p.....b.a.t.....
    00411BDC 00 00 00 00 40 65 63 68 6F 20 6F 66 66 0D 0A 3A ....@echo off..:
    00411BEC 52 0D 0A 64 65 6C 20 2F 46 20 2F 51 20 2F 41 20 R..del /F /Q /A 
    00411BFC 22 25 53 22 0D 0A 69 66 20 65 78 69 73 74 20 22 "%S"..if exist "
    00411C0C 25 53 22 20 67 6F 74 6F 20 52 0D 0A 64 65 6C 20 %S" goto R..del 
    00411C1C 2F 46 20 2F 51 20 2F 41 20 22 25 53 22 0D 0A 00 /F /Q /A "%S"...
    00411C2C 43 00 6F 00 6D 00 53 00 70 00 65 00 63 00 00 00 C.o.m.S.p.e.c...
    00411C3C 22 00 25 00 73 00 22 00 20 00 2F 00 63 00 20 00 ".%.s.". ./.c. .
    00411C4C 22 00 25 00 73 00 22 00 00 00 00 00 2E 00 00 00 ".%.s.".........
    00411C5C 2E 00 2E 00 00 00 00 00 0D 0A 00 00 47 45 54 00 ............GET.

    • Hi Albert,

      I’ll unicast you to see if I can help further, that looks suspiciously like an IPS signature alert 🙂


  12. Can’t we have a universal list in which all these domains are listed, so that when someone clicks on a link in an email, it is checked against that list before the page opens?

    • Hi Rohan,

      What you are describing is very similar to how some of the web security appliance (WSA) technology works. If you attempt to click on these links from behind a WSA you will get a security threat detected and blocked message from the appliance. Cloud web security has similar protection.


  13. If you’ve got SpamAssassin, maybe the following regex will help you:
    uri [Name of the rule] /([a-z0-9-]+\.)?[a-z0-9-]+\.[a-z\.]{2,6}\/(telekom|volksbank|nttcable|vodafon)\//i

  14. any news? any sigset for it or anything?

  15. The malware started to come with different mails. The latest is pointed to here:

    The malware is the same but regenerated again; the MD5 is different.

    It has the same options: browser passwd steal, cookie steal, FTP and POP3 steal.

    • We’re now seeing the following URLs and MD5s as part of the same campaign.


  16. Thank you Martin, it seems that they register new domains every second 🙁

    The newest SPAM-URLS end with /vodafon
    (without e)

  17. Could you please publish recently identified links, because at this time, this is the best source of information on the net on this topic. Thank you in advance!

    • Max,

      The campaign seems to have dropped off recently. However, here are some further domains that we have identified.


      • I think the campaign is still alive! I have mail from yesterday, not in my own mother language but in German!

  18. Hello Zoltan!

    We’re tracking those as well. Thanks!


  19. Dear Sir,

    The hackers also attacked in Hungary! They wrote the emails in German in the name of Volksbank and NTTCable!

    Best regards

    Zoltan radvanyi

  20. Hi Richard,

    Thanks for reaching out. I will contact you directly.


  21. Dear Sirs,

    I represent the firm NTTCable which is one of the targets
    of the campaign described in your article.

    We are glad to hear that you are in the position to
    block the downloads.
    We appreciate your effort very much.

    At present we still get many emails related to the spam campaign.
    The larger part of them contain the original
    spam email as an attachment and can be evaluated.

    Are you interested in getting the copies of them
    as soon as they reach us?
    Or at least the download URLs?

    We could arrange for this if you want.

    With best regards,

    Richard Limanowski

    NTTCable Gruppe
    Telefongesellschaft der Deutschen Industrie

    Escher Str. 19
    D – 65510 IDSTEIN
    Tel.: +49 (0) 6126 – 9 98 76 – 52