Sponsored by..

Thursday 13 November 2014

Vodafone D2 "Ihre Festnetz-Rechnung für November 2014" spam

This fake Vodafone spam seems to be widely distributed, even though it is obviously targeted at German speakers.

From:     Vodafone D2 [2942-MU31406aBM0@kundenservice.vodafone.de] [pm2053em1]
Date:     13 November 2014 09:13
Subject:     Ihre Festnetz-Rechnung für November 2014

Ihre Kundennummer: 883286157

Sehr geehrte Damen und Herren,

anbei erhalten Sie Ihre Rechnung vom 13.11.2014.


Der Rechnungsbetrag in Höhe von 357,26 EUR wird am 23.11.2014 von Ihrem Konto abgebucht.

Ihre Rechnung ist im PDF-Format erstellt worden. Um sich Ihre Rechnung anschauen zu können, klicken Sie auf den Anhang und es öffnet sich automatisch der Acrobat Reader.

Freundliche Grüße
Ihr Vodafone Team

In this case, the link in the email goes to studiarte.com/gFlEyLcSo where it downloads a file 2014_11vodafone_onlinerechnung.zip which contains a malicious binary 2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe

This file has a very low detection rate at VirusTotal of 1/53. Most automated analysis tools [1] [2] [3]  don't say much, however the ThreatTrack report [pdf] is more details and apparently shows the malware phoning home to: (DataClub, Latvia) (Markum Bilisim Teknolojileri, Turkey)

Additionally, the following IPs and active domains are queried: (Ken Thomas, US) (GleSYS Internet Services, Sweden) (Hetzner, Germany) (WDI Solucoes Ltda, Brazil) (ANW GmbH, Germany) (Balticservers, Lithunia) (RCS & RDS Business, Romania) (Cyberverse, US) (Privatelayer, Switzerland) (Privatelayer, Switzerland) (Softlayer, US)


Some of these DGA domains have been sinkholed, I have removed obvious ones but not that some of these IP addresses may not actually be malicious. However, if you are a network administrator there is no harm in blocking or monitoring sinkholes from your network, so I would recommend the following blocklist:

UPDATE 2014-11-20
I previously recommended blocking the following IPs which it turns out are legitimate, possible added by the malware authors to create false positives. If you have blocked them then I recommend unblocking them.

1 comment:

Unknown said...

Based on the few samples I've seen, if you have your http methods and URI paths parsed out in Splunk, these searches might be of some help to people looking for this particular traffic.

Shows that the file may have been downloaded:

method="GET" path="*rechnung*" | regex path="^/[a-zA-Z0-9]{8,10}/"

Shows infected machines calling out:

method="POST" | regex path="^/[a-f0-9]{8}/[a-f0-9]{8}/$"