From: Vodafone D2 [2942-MU31406aBM0@kundenservice.vodafone.de] [pm2053em1]
Date: 13 November 2014 09:13
Subject: Ihre Festnetz-Rechnung für November 2014
Ihre Kundennummer: 883286157
Sehr geehrte Damen und Herren,
anbei erhalten Sie Ihre Rechnung vom 13.11.2014.
13.11.2014_09:11:07_Rechnung_Kundennr_861570000883286157.pdf
Der Rechnungsbetrag in Höhe von 357,26 EUR wird am 23.11.2014 von Ihrem Konto abgebucht.
Ihre Rechnung ist im PDF-Format erstellt worden. Um sich Ihre Rechnung anschauen zu können, klicken Sie auf den Anhang und es öffnet sich automatisch der Acrobat Reader.
Freundliche Grüße
Ihr Vodafone Team
In this case, the link in the email goes to studiarte.com/gFlEyLcSo where it downloads a file 2014_11vodafone_onlinerechnung.zip which contains a malicious binary 2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe
This file has a very low detection rate at VirusTotal of 1/53. Most automated analysis tools [1] [2] [3] don't say much, however the ThreatTrack report [pdf] is more details and apparently shows the malware phoning home to:
46.183.219.78 (DataClub, Latvia)
178.210.167.213 (Markum Bilisim Teknolojileri, Turkey)
Additionally, the following IPs and active domains are queried:
64.27.101.155 (Ken Thomas, US)
109.74.3.6 (GleSYS Internet Services, Sweden)
144.76.59.84 (Hetzner, Germany)
177.73.233.170 (WDI Solucoes Ltda, Brazil)
212.19.62.76 (ANW GmbH, Germany)
5.199.167.197 (Balticservers, Lithunia)
86.124.164.25 (RCS & RDS Business, Romania)
66.172.27.44 (Cyberverse, US)
141.255.165.152 (Privatelayer, Switzerland)
141.255.165.155 (Privatelayer, Switzerland)
173.193.106.11 (Softlayer, US)
qgajlouuhqbikgbd.eu
qrbroaiyynlqluld.eu
tadhvhvdhgtaxnpd.eu
bcqikqgkbiwccmpj.eu
ciomywfqliwtvjft.eu
vgekmcvfuiwrepmm.eu
xqnaiuvgctjdtnmj.eu
eaelgqsjqukhenaq.eu
tejohjlxraqmamnx.eu
Some of these DGA domains have been sinkholed, I have removed obvious ones but not that some of these IP addresses may not actually be malicious. However, if you are a network administrator there is no harm in blocking or monitoring sinkholes from your network, so I would recommend the following blocklist:
46.183.219.78
178.210.167.213
109.74.3.6
177.73.233.170
5.199.167.197
86.124.164.25
66.172.27.44
141.255.165.152
141.255.165.155
173.193.106.11
UPDATE 2014-11-20:
I previously recommended blocking the following IPs which it turns out are legitimate, possible added by the malware authors to create false positives. If you have blocked them then I recommend unblocking them.
64.27.101.155
144.76.59.84
212.19.62.76