Swiss users are being heavily targeted by a number of spam campaigns delivering the Tiny Banker (TinBa or Busy) e-banking Trojan.
Since Tuesday, the spam emails appear to come from addresses at the big Swiss free email providers (bluewin.ch, gmx.ch) and the Swiss telecom provider Orange (orange.ch), but actually originate from broadband lines located all over the world.
They masquerade as emails containing images sent from iPhones, an MMS sent to the user by Orange, and an application for a job position:
Unfortunately for those who fall for these tricks, the attached ZIP files contain only malware.
“While most of the Tinba versions I usually come across are utilising a Domain Generation Algorithm (DGA) to calculate the current botnet C&C domain, the version of Tinba that has been spread in Switzerland since yesterday is using hard-coded botnet C&C domains,” noted Swiss security activist Raymond Hussy.
Further investigation revealed that all the sending IP addresses are Cutwail infected IPs, and the malware tries to contact four distinct C&C servers, two of which have already been sinkholed.
Hussy recommends that network administrators block traffic to and from the two remaining active domains (serfanteg.ru, midnightadvantage.ru) and the following IPs: 18.104.22.168 and 22.214.171.124.
“In general, 126.96.36.199/24 looks quite suspect. So you may want to block the whole netblock,” he pointed out, adding that it would also be a good idea to block filenames with multiple file extensions on the email gateway.
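The gateway check Hussy suggests, written out as an added example (not code from the article or from any product): it opens a ZIP attachment in memory and flags member names that carry multiple extensions or end in an executable extension. The extension list and the sample ZIP contents are constructed assumptions for illustration.

```python
import io
import re
import zipfile

# Assumed list of extensions that run as code on Windows; extend per gateway policy.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "jse", "wsf"}

# Matches a name with two or more extensions, e.g. IMG_0412.jpg.exe or cv.pdf.scr.
MULTI_EXT = re.compile(r"^[^.]+(\.[A-Za-z0-9]{1,5}){2,}$")


def suspicious_name(name: str) -> list[str]:
    """Return the reasons a (ZIP member) filename should be blocked; empty if none."""
    base = name.rsplit("/", 1)[-1]          # ignore any directory part inside the archive
    reasons = []
    if MULTI_EXT.match(base):
        reasons.append("multiple extensions")
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{ext}")
    return reasons


def scan_zip_attachment(data: bytes) -> dict[str, list[str]]:
    """Map each flagged member of a ZIP attachment to the reasons it was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = suspicious_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment mimicking the lure names; contents are harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("IMG_0412.jpg.exe", b"not a real payload")
        zf.writestr("MMS_orange.pdf.scr", b"not a real payload")
        zf.writestr("IMG_0413.jpg", b"\xff\xd8\xff")  # benign JPEG header only
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in scan_zip_attachment(build_sample_zip()).items():
        print(f"BLOCK {name}: {', '.join(why)}")
```

Legitimate names that merely contain dots (report.v2.docx) also match the multiple-extension rule, so a gateway deploying this would pair it with an allowlist of benign final extensions.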