Sponsored by..

Tuesday, 21 January 2014

Something evil on and

This malware attack appears to be aimed at German speakers, and is presumably spreading through spam although I don't have a sample of the email message. What I do have is a nasty EXE-in-ZIP payload that masquerades as a bill or other communication from Deutsche Telekom, Vodafone, Fiducia or Volksbank.

URLquery shows one such download in this example, the victim has been directed to [donotclick]gf-58.ru/telekom_deutschland which in turn downloads a ZIP file Rechnungsruckstande_9698169830015295.zip which in turn contains a malicious executable Mitteilung, Rechnungsruckstande 9901169820005294 Telekom Deutschland GmbH vom Januar 2014.exe which has a VirusTotal detection rate of 7/48.

The malware is downloaded from a server at (Voxility, Romania). Sample URLs on this server (according to URLquery and VirusTotal) are:


The Anubis report and ThreatExpert report [pdf] show that the malware calls home to dshfyyst.ru on (UAB "Interneto vizija", Lithunia). There are some other suspect sites on the same server which may be worth blocking (see below).

All these sites are .ru domains registered to the infamous "Private Person" so there are no clues as to their ownership.

Recommended blocklist:

Update: this appears to be Cridex aka Feodo, read more.

1 comment:

BMD said...

This virus came as a pdf:

Sehr geehrte Kundin,
sehr geehrter Kunde

Im Anhang finden Sie die gewünschten Dokumente und Daten zu Ihrer Telekom Mobilfunk RechnungOnline für Geschäftskunden vom Monat Januar,

Rechnung als PDF, 90146455_0000000000_L_85492661_L_14_8151.pdf

Mit freundlichen Grüßen,

Telekom Deutschland GmbH
Aufsichtsrat: Timotheus Höttges Vorsitzender
Geschäftsführung: Niek Jan van Damme Sprecher, Thomas Dannenfeldt, Thomas Freude, Michael Hagspihl, Dr. Bruno Jacobfeuerborn, Dietmar Welslau, Dr. Dirk Wössner
Eintrag: Amtsgericht Bonn, HRB 59 19, Sitz der Gesellschaft Bonn
USt-Id.Nr.: DE 840905475461
WEEE-Reg.-Nr.: 732452846905

This email was Virus checked by McAfee. Mail wurde auf Viren geprüft.