Sponsored by..

Wednesday 6 November 2013

"Voice Message from Unknown" spam / VoiceMail.zip

This fake voice mail spam comes with a malicious attachment:

Date:      Wed, 6 Nov 2013 22:22:28 +0800 [09:22:28 EST]
From:      Administrator [voice9@victimdomain]
Subject:      Voice Message from Unknown (886-966-4698)

- - -Original Message- - -

From: 886-966-4698

Sent: Wed, 6 Nov 2013 22:22:28 +0800

To: recipients@victimdomain

Subject:  Private Message 
The email appears to come from an email address on the victim's own domain and the body text contains a list of recipients within that same domain. Attached to the email is a file VoiceMail.zip which in turn contains a malicious executable VoiceMail.exe with an icon to make it look like an audio file.

This malware file has a detection rate of 3/47 at VirusTotal. Automated analysis tools [1] [2] show an attempted connection to twitterbacklinks.com  on 216.151.138.243 (Xeex, US) which is a web host that has been seen before in this type of attack.

Xeex seems to divide up its network into /28 blocks, which would mean that the likely compromised block would be 216.151.138.240/28 which contains the following domains:
twitterbacklinks.com
saferankbacklinks.com
youtubebacklinks.com
vubby.com
abc3k.com
pinterestbacklinks.com

Those domains are consistent with the ones compromised here and it it likely that they have all also been compromised.

Recommended blocklist:
69.26.171.176/28
216.151.138.240/28
twitterbacklinks.com
saferankbacklinks.com
youtubebacklinks.com
vubby.com
abc3k.com
pinterestbacklinks.com
bookmarkingbeast.com
antonseo.com
allisontravels.com
robotvacuumhut.com
glenburnlaw.com
timinteriorsystems.com
bulkbacklinks.com
prblogcomments.com
highprlinks.com
facebookadsppc.com

1 comment:

Idham Khaleed said...

Thanks for sharing the post,I have found the same SPAM e-mails are successfully bypassing our SPAM filter, and lot of users received those spam e-mails, should I apply the recommended block list, can you please suggest more with the imapct if I block list following the recommendation.