A spam campaign Symantec observed in January 2017, targeting people who live in Germany, appears once again to use detailed, real personal information to make its messages more believable. Victims who open the message attachment are likely to have their Windows computers infected with malware that steals banking credentials.
First seen in the UK
Symantec is aware of only one other campaign in the recent past that used this same modus operandi. In April 2016, thousands of people across the United Kingdom received similar spam messages indicating that a large bill had not been paid and would be sent to a collections agency. While the business name and the messages varied slightly, they all included detailed personal information about the victim, both in the message body and in the malicious file that was delivered through a link.
The spam samples we’ve seen targeting users in Germany employ a similar social engineering trope to those sent to victims in the UK. The messages, written in German, allege that the spam recipient has attempted to pay for something online and that the payment failed. The message continues by threatening to send the matter to a collection agency or law enforcement if the payment is not received within a short period of time.
While the contents of the German messages varied significantly, they shared certain phrases that were repeated verbatim. For example, the sentence "Sämtliche damit verbundenen Kosten werden Sie tragen" ("All costs arising from this will be borne by you") appears in both of the German samples we examined. In the earlier campaign targeting users in the UK, we saw the same reuse of grammatically awkward phrases, such as "your invoice is now considered as overdue."
The key detail of each message was the fact that the recipient’s full name, mailing address, and telephone number were embedded in the middle of the message.
One difference between the two spam campaigns is the delivery mechanism: the payload was attached directly to the messages sent to German recipients, while the UK campaign's messages contained a link to one of several compromised websites hosting the malware. When victims of the UK campaign clicked the link, they were also required to solve a CAPTCHA in a web form before the site would serve the download. Besides lending the page a veneer of legitimacy, a CAPTCHA gate of this kind keeps automated URL scanners and sandbox crawlers from retrieving the payload, so the malicious link survives longer before it is blocked.
The attachment in the German campaign was also a bit odd: the malware was enclosed in a .zip archive which was itself enclosed in another .zip archive. Every layer of the attachment used the same date stamp and the recipient's full name as its file name. The payload carried an archaic .com file suffix reminiscent of the MS-DOS era, but the file was a modern Windows PE executable that had been scrubbed of much of the identifying information that might point to its origins. The old suffix is no obstacle to execution: Windows still treats .com as an executable extension and decides how to run the file from its header, not its name, so a PE file named .com launches exactly like an .exe when double-clicked. The sample also employed sandbox evasion techniques so that it would not run inside a virtual machine.
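The attachment layout described above (zip inside zip, an executable with a misleading suffix, file names built from the recipient's name and a date) is something a mail-gateway or triage script can check for directly. The following is an added example, not Symantec's code and not an artifact from the campaign: it builds a constructed lookalike of the attachment in memory (the "recipient" name, the date stamp and the fake PE header bytes are all made up) and then walks the archive recursively, identifying executables by their PE header rather than trusting the extension, with a nesting-depth limit and a size guard so that a hostile archive cannot exhaust the scanner.

```python
import io
import os
import zipfile

# Constructed stand-in for a PE file: a DOS header whose e_lfanew field (offset 0x3c)
# points at a "PE\0\0" signature. Not a real binary, just enough for the check below.
FAKE_PE = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00"

# Extensions Windows executes directly when double-clicked (.com is still among them).
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".js", ".jse",
             ".vbs", ".vbe", ".wsf", ".hta", ".dll", ".cpl"}

MAX_DEPTH = 4                 # archives nested deeper than this are flagged outright
MAX_MEMBER_BYTES = 50 << 20   # refuse to inflate larger members (zip-bomb guard)


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_zip(data: bytes) -> bool:
    """Local-file or (empty archive) end-of-central-directory signature."""
    return data[:4] in (b"PK\x03\x04", b"PK\x05\x06")


def inspect_archive(data: bytes, path: str = "", depth: int = 1) -> list:
    """Walk a zip recursively; return (member_path, archive_depth, reason) findings."""
    findings = []
    if depth > MAX_DEPTH:
        findings.append((path, depth, "archive nested deeper than MAX_DEPTH"))
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member_path = f"{path}/{info.filename}" if path else info.filename
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((member_path, depth, "member too large to inflate"))
                continue
            member = zf.read(info)
            ext = os.path.splitext(info.filename)[1].lower()
            if is_zip(member):
                # Nested archive: descend one level, carrying the path for reporting.
                findings.extend(inspect_archive(member, member_path, depth + 1))
            elif is_pe(member):
                # Content-based verdict: a PE is a PE whatever the suffix says.
                findings.append((member_path, depth,
                                 f"PE executable with '{ext or '(none)'}' extension"))
            elif ext in EXEC_EXTS:
                findings.append((member_path, depth, f"executable extension {ext}"))
    return findings


def build_nested_sample(recipient: str = "Max Mustermann",
                        stamp: str = "2017-01-10") -> bytes:
    """Constructed lookalike of the campaign's attachment layout: zip -> zip -> .com."""
    base = f"{recipient} {stamp}"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{base}.com", FAKE_PE)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{base}.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for member_path, depth, reason in inspect_archive(build_nested_sample()):
        print(f"depth={depth} {member_path}: {reason}")
```

The important design choice is that the verdict comes from the bytes (the MZ/PE headers), so renaming the payload to .com, .txt or no extension at all changes nothing; the extension list is only a fallback for script formats that have no magic bytes. In a gateway you would additionally compare the archive and member names against the recipient's display name, since a file named after the addressee is itself unusual for a legitimate invoice.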
The payloads differ as well. In the earlier UK campaign, the attackers delivered a version of the Maktub ransomware. The samples we received in connection with the German campaign belong to a family detected by Symantec as Trojan.Nymaim.B, which is designed to covertly steal banking and other credentials as the victim enters them.
The malware launches a legitimate Windows system executable and injects its own code into that process, so that the network traffic appears to originate from a trusted program. The injected code then uses HTTP POST requests to exfiltrate stolen data to its command and control (C&C) server. We observed the malware upload information to its C&C server 18 times over the period it was active. The POST bodies contained what appeared to be Base64-encoded data.
The samples we examined all used the same C&C domain: afegesinge.com. The domain is interesting in that it was registered only two days before the first emails appeared in inboxes at the beginning of January, and its DNS records pointed to at least 11 different IP addresses that seem to be part of the attackers' infrastructure, located in countries as diverse as the US, UK, Germany, Finland, the United Arab Emirates, Ukraine and Russia. We found an additional 13 malware executables that, at one point, communicated with this domain.
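The two observations above, Base64-looking POST bodies from an injected system process and a C&C domain registered days before the campaign, translate into a simple triage rule for captured HTTP traffic. The following is an added example (not Symantec's detection logic) that runs over constructed POST captures: the timestamps, source addresses, the two benign hosts (`intranet.example`, `update.example`) and the bodies are all made up, and the registration-date table is a placeholder standing in for a WHOIS/RDAP lookup rather than the real record for afegesinge.com. The only values taken from the write-up are the two attacker domains.

```python
import base64
import re
from datetime import date, datetime

# Domains named in the write-up as attacker infrastructure.
IOC_DOMAINS = {"afegesinge.com", "sicherheit-oesterreich-sperrung.com"}
NEW_DOMAIN_DAYS = 30   # "recently registered" threshold; an assumption, tune per environment
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

# Constructed stand-in for a WHOIS/RDAP client. The date is a placeholder, not the
# domain's real registration record.
SAMPLE_REGISTRATIONS = {"afegesinge.com": date(2017, 1, 1)}

# Constructed HTTP POST captures, as an IDS or a proxy with body logging might produce.
SAMPLE_EVENTS = [
    {"ts": "2017-01-12T10:03:51Z", "src": "10.0.0.15", "method": "POST",
     "host": "afegesinge.com",
     "body": base64.b64encode(b"constructed stolen-credential blob 0001").decode()},
    {"ts": "2017-01-12T10:04:07Z", "src": "10.0.0.15", "method": "POST",
     "host": "intranet.example", "body": "user=alice&action=save"},
    {"ts": "2017-01-12T10:05:30Z", "src": "10.0.0.22", "method": "POST",
     "host": "update.example",
     "body": base64.b64encode(b"telemetry payload from a legitimate agent").decode()},
]


def looks_base64(body: str) -> bool:
    """Opaque blob test: base64 alphabet only, padded to a multiple of 4, and it decodes."""
    if len(body) % 4 or not B64_RE.match(body):
        return False
    try:
        base64.b64decode(body, validate=True)
        return True
    except ValueError:          # binascii.Error is a ValueError subclass
        return False


def domain_age_days(host: str, when: datetime, registrations: dict):
    """Days between registration and the request, or None if the domain is unknown."""
    registered = registrations.get(host)
    return None if registered is None else (when.date() - registered).days


def triage(events: list, registrations: dict) -> list:
    """Score each capture; return alerts with the reasons that fired."""
    alerts = []
    for ev in events:
        when = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        reasons = []
        if ev["host"] in IOC_DOMAINS:
            reasons.append("known C&C domain")
        age = domain_age_days(ev["host"], when, registrations)
        if age is not None and age < NEW_DOMAIN_DAYS:
            reasons.append(f"domain registered only {age} days before this request")
        if ev["method"] == "POST" and looks_base64(ev["body"]):
            reasons.append("POST body is an opaque base64 blob")
        if not reasons:
            continue
        # A direct IOC hit is conclusive; heuristics need to corroborate each other.
        if "known C&C domain" in reasons:
            severity = "high"
        elif len(reasons) > 1:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({"ts": ev["ts"], "src": ev["src"], "host": ev["host"],
                       "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS, SAMPLE_REGISTRATIONS):
        print(alert["severity"], alert["src"], "->", alert["host"], "|", "; ".join(alert["reasons"]))
```

Note how the third event is reported only at low severity: plenty of legitimate agents POST Base64 blobs, so that heuristic alone should drive hunting rather than blocking, whereas a POST to a domain registered days earlier, or to a listed indicator, is worth an immediate look at the originating host.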
The IP address hosting the C&C domain, which appears to be located in Ukraine, has also been used to launch attacks in the recent past: other domains hosted on the same address have previously been identified as malware C&C domains. Unexpectedly, we also found on this Ukrainian network a domain with a fishy (and phishy) sounding German-language name, sicherheit-oesterreich-sperrung.com, which roughly translates to "security Austria blocking", the kind of name a lure about a suspended account would use.
While this wolf in very convincing sheep's clothing may have been a rare event, the seemingly constant stream of breaches and disclosures of personal data from public websites indicates that attacks of this kind may become more common in the future. No matter how convincing an email seems, it always pays to double check such claims by calling the company purportedly making them to confirm the message's authenticity (or to establish that it is false). Use a telephone number from the company's own website or a previous statement, never one printed in the email, since the attacker controls that number too.
Symantec recommends users follow these best practices to help stay protected from malicious spam and malware threats:
- Do not automatically open any kind of email attachment whether the source is trusted or not, without first confirming that the sender actually intended to send you the attachment. Even so-called safe, non-executable file formats, such as Office documents, are routinely used by criminals to infect computers with malware. When in doubt, don’t open the attachment.
- Delete any suspicious-looking emails you receive, especially if they contain links or attachments.
- Always keep your security software up to date to help protect yourself against any new variants of malware.
- Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by attackers.
- Use email-filtering services such as Symantec Email Security.cloud which can help block emails associated with these attacks before they can reach users.
- Symantec Messaging Gateway’s Disarm technology can also help protect computers from many email-borne attacks by removing the malicious content from the attached documents before they even reach the user.
Symantec and Norton products help protect against the threat used in this campaign with the following detection: