Update 2014-01-10: This malicious campaign has expanded to include emails that masquerade as bills from NTTCable and from Volksbank.
Update 2014-01-21: We've updated the chart to include the Vodafone emails and the latest URL activity.
English has emerged as the language of choice for international commerce. Since people throughout the world are used to receiving English-language emails, spammers have also adopted English as the means of getting their message to large numbers of international recipients. However, spam messages that are written in a local language and that reference local companies can be particularly enticing for recipients to open, because they do not expect malicious messages to be written in anything other than English. Cisco has observed and blocked a large number of malicious spam messages written in German that masquerade as phone billing statements. Initially the spam run masqueraded as Telekom Deutschland, with subsequent messages masquerading as messages from NTTCable and Volksbank.
Cisco TRAC was able to locate what appears to be a single attack attempt, likely a test run, on 2013-12-16; however, the majority of the attack started on 2014-01-05 and is ongoing. The malware is currently targeting users as depicted in the heat map below. The vast majority of attacks are occurring in Germany. It is reported that the end goal of this malware is to harvest credentials.
This heat map represents the malicious URL activity we have detected and blocked:
Here is a sample message:
English translation:
All of the URLs involved in the attack follow a very specific format: a six-character alphanumeric label prepended as a subdomain to an existing domain, followed by a path naming the impersonated company (/telekom/, /NTTCable/ or /volksbank/). A handful of the observed URLs omit the random subdomain and use the bare domain with the same path.
We've associated the following MD5 hashes for the .zip file with this campaign:
Upon visiting one of these URLs, a user is prompted to download a .zip file. The .zip file contains a trojan executable. The executable uses a PDF document icon, which may trick some users into opening it. Upon execution, the malware immediately attempts to connect to the following servers:
beliyvolkalak.ru Service Port: 80
buriymishka.ru Service Port: 80
deepandtouch.ru Service Port: 80
djubkafriend.ru Service Port: 80
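One way to turn the URL format described above and the C2 servers just listed into a proxy-log detection, as an added example that is not part of the original post or of Cisco's tooling. The log lines and the lure hostnames in them are constructed for the example; only the brand path names and the four C2 hostnames come from the post. A path of /telekom/, /NTTCable/ or /volksbank/ alone is treated as a weak signal, since legitimate sites can use such paths, and is only promoted to a full match when the host also carries the six-character random label.

```python
from __future__ import annotations
import re
from urllib.parse import urlsplit

# Path component used by every lure URL in this campaign (from the post).
LURE_PATHS = {"telekom", "NTTCable", "volksbank"}
# Six-character alphanumeric leading label seen on most lure hostnames.
RANDOM_LABEL = re.compile(r"^[a-z0-9]{6}\.")
# C2 servers the trojan contacts on execution (from the post).
C2_HOSTS = {"beliyvolkalak.ru", "buriymishka.ru", "deepandtouch.ru", "djubkafriend.ru"}


def classify_url(url: str) -> str | None:
    """Return 'lure', 'lure-weak', 'c2' or None for one requested URL."""
    if "://" not in url:          # log lines may record bare host/path
        url = "http://" + url
    parts = urlsplit(url)
    host = parts.hostname or ""   # urlsplit lowercases the hostname
    if host in C2_HOSTS:
        return "c2"
    first_seg = parts.path.lstrip("/").split("/", 1)[0]
    if first_seg in LURE_PATHS:
        # Brand path plus random subdomain label: strong match.
        # Brand path alone: weak match, needs analyst review.
        return "lure" if RANDOM_LABEL.match(host) else "lure-weak"
    return None


# Constructed proxy log lines (not real traffic): timestamp, client, method, URL.
SAMPLE_LOG = """\
2014-01-06T09:12:01Z 10.0.0.15 GET http://q1w2e3.example-shop.net/telekom/
2014-01-06T09:12:05Z 10.0.0.15 GET http://q1w2e3.example-shop.net/telekom/rechnung.zip
2014-01-06T09:13:40Z 10.0.0.15 POST http://beliyvolkalak.ru/
2014-01-06T09:14:02Z 10.0.0.22 GET http://www.example.org/telekom/tarife
2014-01-06T09:15:11Z 10.0.0.31 GET http://example-bank.invalid/volksbank/
2014-01-06T09:16:00Z 10.0.0.40 GET http://www.example.com/index.html
"""


def scan_log(text: str) -> list[tuple[str, str, str]]:
    """Return (client, verdict, url) for every log line matching an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue                      # malformed or truncated line
        verdict = classify_url(fields[3])
        if verdict:
            hits.append((fields[1], verdict, fields[3]))
    return hits


if __name__ == "__main__":
    for client, verdict, url in scan_log(SAMPLE_LOG):
        print(f"{client} {verdict:9} {url}")
```

A client that produces a lure hit followed shortly by a C2 hit (10.0.0.15 above) is the pattern worth alerting on, since it indicates the downloaded executable was actually run.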
Once connected the bot issues the following POST request to each server:
This malware can be completely avoided if users simply follow best practices and refrain from downloading and running suspicious attachments. A reputable institution will never send an executable via email; users are urged to retrieve any necessary files from company websites. As always, it is a great idea to run software that verifies the MD5 checksum before running any executable file.
Special thanks to Martin Lee for coauthoring this post as well as Andrew Tsonchev for contributing.