Internauts in Switzerland Flooded with Malware-Laced Bulk E-mails

According to security researchers, Swiss Internauts have been found under massive attacks by several bulk e-mail campaigns installing the e-banking Trojan Busy or Tinba (Tiny Banker), reported Help Net Security in news on January 29, 2015.

It maybe noted that Tinba is a malicious program created for filching financial information such as credit card particulars and banking details while it also pulls every contaminated PC into a botnet.

Beginning on 27th January 2015, which was a Tuesday, the spam mails appear as arriving from e-mail accounts set up with prominent Swiss providers of non-chargeable e-mail service such as gmx.ch and bluewin.ch as well as Switzerland's Orange telecommunication company - orange.ch; however, really arrive through broadband connections based across the entire globe.

These (spam mails) pretend to be messages having pictures dispatched from iPhones, a job application, or an MMS that Orange dispatched to end-user.

Unfortunately, if anyone believes the trick and proceeds to follow the instructions, he will get a zipped file attachment which would carry nothing but malware.

As per Raymond Hussy Security Activist from Switzerland, whilst the majority of Tinba samples he normally encounters use DGA (Domain Generation Algorithm) for computing the CnC domain of the latest botnet, the Tinba sample which is currently proliferating in Switzerland utilizes hard-coded CnC domains of botnets. Help Net Security reported this.

Additional examination conducted disclosed that each and every IP address that send the spam has been infected with the Cutwail bot, while the malware attempts at establishing communication with 4 separate CnC servers from which security researchers have sink-holed two.

End-users require inactivating the domains namely midnightadvantage.ru and serfantegu.ru along with the IP addresses 91.220.131.61 and 91.220.131.216 at the end of their networks. Normally, another suspicious IP is 91.220.131.0/24. Consequently, end-users may think about inactivating the entire network. Besides, another good advice is that of inactivating filenames having more than one file extension like docx.zip or docx.exe at users' very e-mail gateway.

In the meantime, similar as with Switzerland, another country Australia was recently hit with one fresh version of Carberp Trojan in what too was a malware-laden spam outbreak.

» SPAMfighter News - 2/6/2015