Official Blog

SMS spam run targeting Android Users in Switzerland

MELANI / received several reports today about malicious SMS messages sent to Swiss mobile numbers. The SMS is written in German and claims to come from Swiss Post. In fact, the SMS was sent by attackers with the aim of infecting smartphones in Switzerland with a Trojan horse.

[Image: Malicious SMS pretending to come from Swiss Post]

The SMS contains a link to a website. If the user clicks on the link, he is redirected to a hijacked website that hosts an app which installs malware on the victim's smartphone. As the served file is an Android application package (APK), only Android users are affected by this threat.

By default, Google does not allow apps from third parties (such as third-party app stores or downloads from the internet) to be installed. However, the user can permit the installation of third-party apps by changing the Android security settings. In most cases users do not change these settings, so common Android users should be safe. Yet this week some Swiss newspapers published articles showing their readers how to enable the installation of Android apps from third parties (aka “unknown sources”) in order to install the new Nintendo game Pokemon GO, as the app is not yet available in the Swiss version of the Google Play Store. Even before the launch of the game in Switzerland, the app went viral, and obviously many Android users in Switzerland wanted to access the game before it appeared in the Swiss app store. As a result, some Android users may have followed the newspapers' instructions and enabled the installation of apps from third parties, making themselves vulnerable to this type of attack.

[Image: Malicious Swiss Post Android app]

The app requests permission to erase all data on the victim's phone (see screenshot above). In addition, it calls out to a botnet command and control (C&C) server to receive further commands from the attackers. According to FireEye, the app is part of a larger cybercrime operation aimed at stealing login credentials for popular apps such as Uber, Viber and Facebook (phishing / smishing).

In the last SMS spam campaign we observed in Switzerland a few weeks ago, we noticed that the malicious app had been downloaded more than 15'000 times.

In general, we highly recommend that Android users disable the installation of third-party apps from unknown sources. To verify that it is disabled, go to Settings -> Security on your Android device and make sure that the option Unknown Sources is disabled:

[Image: Android security settings with Unknown Sources disabled]

We recommend never changing this setting, even when you are instructed to do so, as strangers may try to convince you to enable it in order to place malware on your smartphone.

Indicators of Compromise

Android APK download URL:


Android APK (malware):

Filename: sp.apk
MD5 hash: c121a1ae8a4ee564fd6bd079ad5d3373

Android malware botnet C&C:

hXXp://

Dridex targeting Swiss Internet Users

In the past weeks, we have seen a rise in malicious Microsoft Office documents being spammed out to Swiss internet users with the aim of infecting them with malicious software (malware) called Dridex.

Dridex is an e-banking Trojan that has been around for some time now. The attackers operate various botnets of Dridex-infected computers. While most of these botnets focus strongly on financial institutions abroad (such as in the US or UK), one particular botnet also targets financial institutions in Switzerland.

These days, Dridex is distributed via malicious Microsoft Office files, for example Word documents (.docx). The attackers have weaponized these documents with a malicious macro. The purpose of this macro is to download additional code (in this case Dridex) from a compromised website once the Office document is opened and the macro executed. Unlike most of the spam campaigns hitting our spam traps these days, the campaigns distributing Dridex do not originate from a spam botnet but from compromised email accounts. This lets the attackers bypass many spam filters and ensures that the email is delivered to the recipient.

The Dridex spam campaign we saw yesterday was sent from compromised email accounts, but also through other email service providers:

Received: from ( [])
(using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client CN
"", Issuer "TeleSec ServerPass DE-2" (verified OK)) by
X (Y) with ESMTPS id X for ; Thu, 7 Jul 2016 X
Received: from ( [])
by (Postfix) with SMTP id X for ; Thu, 7 Jul 2016 X
Received: from [] (Z@[]) by with TLSv1:DHE-RSA-AES256-SHA encrypted) esmtp id X; Thu, 7 Jul 2016 X
Date: Thu, 7 Jul 2016 X
From: X
Subject: firstname.lastname ; Aufforderung zur Bezahlung von Rechnung #EU932451 von X

If the email headers can be trusted, the email was sent through t-online from a broadband IP address in Russia ( - OJSC Rostelecom, Russia). The email subject varies:

emailaddress: Offene Rechnung ist verfügbar (# )
emailaddress, Offene Faktur ist überfällig (# 17285838)
emailaddress, Offene Warenrechnung ist überfällig (ID 09608490)
emailaddress - Aufforderung zur Begleichung von Rechnung #J007631 von XYZ
emailaddress - Aufforderung zur Begleichung von Ausgangsrechnung #EU985390 von XYZ
emailaddress : Aufforderung zur Bezahlung von Rechnung #W738296 von XYZ
emailaddress - info, Die Fälligkeit Ihrer Rechnung 1879590 für XYZ
emailaddress partner: Ihre Abrechnung ist überfällig (# 15238847)

The spam email looks like this, but may vary:

[Image: Dridex spam sample]

The attachment name varies and depends on the name of the recipient. Once the malicious Office document is opened and the macro executed, the Dridex payload is downloaded from a compromised website.
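The two observable traits described above (the invoice-themed German subject lines listed earlier, and a Word attachment that carries a VBA macro) can both be checked mechanically. The following is an added example written for this page, not GovCERT.ch / MELANI code: it scores a message by matching the subject against the lure vocabulary seen in the listed subjects and by opening each Office Open XML attachment (a ZIP container) to look for the vbaProject.bin part that holds an embedded macro. The sample documents are constructed in memory and are not the campaign's files; the regular expressions are an assumption derived from the subjects quoted on the page.

```python
import io
import re
import zipfile

# Lure vocabulary taken from the subject lines quoted on the page (assumption:
# a lure needs an invoice noun AND an urgency/status word).
LURE_NOUN = re.compile(r"\b(Rechnung|Faktur|Abrechnung|Warenrechnung|Ausgangsrechnung)\b", re.I)
LURE_STATUS = re.compile(r"(Offene|überfällig|Aufforderung|Fälligkeit)", re.I)

# An embedded VBA project lives in a part named vbaProject.bin and is declared
# with this content type in [Content_Types].xml. A .docx should never have one;
# Word names macro-enabled documents .docm.
MACRO_PART_SUFFIX = "vbaProject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def subject_looks_like_invoice_lure(subject: str) -> bool:
    """True when the subject combines an invoice noun with an urgency word."""
    return bool(LURE_NOUN.search(subject) and LURE_STATUS.search(subject))


def inspect_ooxml(data: bytes) -> dict:
    """Report macro indicators for one OOXML document given as raw bytes."""
    result = {"is_zip": False, "macro_parts": [], "declares_vba_type": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["macro_parts"] = [n for n in names if n.endswith(MACRO_PART_SUFFIX)]
        if "[Content_Types].xml" in names:
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["declares_vba_type"] = MACRO_CONTENT_TYPE in content_types
    return result


def has_macro(data: bytes) -> bool:
    info = inspect_ooxml(data)
    return bool(info["macro_parts"]) or info["declares_vba_type"]


def triage_message(subject: str, attachments: dict) -> dict:
    """attachments maps filename -> bytes. Verdict: block / review / pass."""
    lure = subject_looks_like_invoice_lure(subject)
    macro_files = sorted(name for name, data in attachments.items() if has_macro(data))
    if lure and macro_files:
        verdict = "block"
    elif lure or macro_files:
        verdict = "review"
    else:
        verdict = "pass"
    return {"lure_subject": lure, "macro_attachments": macro_files, "verdict": verdict}


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal Word-like container for testing (not a real campaign file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        types = [
            '<?xml version="1.0" encoding="UTF-8"?>',
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
            '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>',
        ]
        if with_macro:
            types.append('<Override PartName="/word/vbaProject.bin" ContentType="%s"/>' % MACRO_CONTENT_TYPE)
        types.append("</Types>")
        zf.writestr("[Content_Types].xml", "\n".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Constructed placeholder; a real part is an OLE compound file.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed messages modelled on the subjects quoted on the page.
    messages = [
        ("user@example.ch - Aufforderung zur Begleichung von Rechnung #J007631 von XYZ",
         {"Rechnung_J007631.docx": build_sample(True)}),
        ("user@example.ch, Offene Faktur ist überfällig (# 17285838)",
         {"Faktur.docx": build_sample(False)}),
        ("Protokoll der Sitzung vom 7. Juli", {"Protokoll.docx": build_sample(False)}),
    ]
    for subject, files in messages:
        print(triage_message(subject, files)["verdict"], "-", subject)
```

The macro check is the stronger of the two signals: a subject can be reworded at will, but the payload needs the VBA project to run, and for a file named .docx the mere presence of vbaProject.bin is an anomaly worth flagging on its own.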

To avoid becoming a victim of Dridex or other malware distributed via malicious Office documents, we recommend the following actions:

For private users:

For companies:

Indicators of Compromise (IOCs)

Dridex payload delivery URLs (fetched by the malicious documents that are being spammed out):

Dridex payload (malware samples):

winword.dat (MD5 2eaf243bad4b1c22089e7654524f0e5a)
office.bin (MD5 66e9ff85c9361127cd4b873d48008c9b)
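The MD5 hashes published in this post and in the Swiss Post smishing post above are the kind of indicator that is easiest to hunt for retrospectively on mail stores, proxy caches or endpoints. The following is an added example written for this page, not GovCERT.ch / MELANI code: it hashes every file under a directory and reports matches against the three hashes from the page, with the weaker filename indicators kept separate. The files it creates for its own demonstration are constructed stand-ins (so they can never match the real hashes); an extra indicator computed from a constructed file is added only to exercise the matcher.

```python
import hashlib
import os
import tempfile

# MD5 values as published on the page (assumption: taken verbatim from the two posts).
KNOWN_BAD_MD5 = {
    "c121a1ae8a4ee564fd6bd079ad5d3373": "sp.apk (Android smishing payload)",
    "2eaf243bad4b1c22089e7654524f0e5a": "winword.dat (Dridex payload)",
    "66e9ff85c9361127cd4b873d48008c9b": "office.bin (Dridex payload)",
}
# Filenames from the page: a weak indicator on its own, since payloads are renamed freely.
KNOWN_BAD_NAMES = {"sp.apk", "winword.dat", "office.bin"}


def md5_of_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large mail stores or caches do not get loaded into memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root: str, indicators: dict = KNOWN_BAD_MD5, names: set = KNOWN_BAD_NAMES) -> dict:
    """Return {'hash_hits': [(path, md5, label)], 'name_hits': [path]} for files under root."""
    hash_hits, name_hits = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in names:
                name_hits.append(path)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            if digest in indicators:
                hash_hits.append((path, digest, indicators[digest]))
    return {"hash_hits": hash_hits, "name_hits": name_hits}


def demo() -> dict:
    """Scan a temporary directory of constructed files; returns basenames of hits."""
    constructed = b"constructed stand-in for a payload file (not a real sample)"
    indicators = dict(KNOWN_BAD_MD5)
    # Constructed indicator so the demo produces a hash hit without a real sample.
    indicators[md5_of_bytes(constructed)] = "constructed test sample (not a real IoC)"
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "download.bin"), "wb") as fh:
            fh.write(constructed)
        with open(os.path.join(tmp, "sp.apk"), "wb") as fh:
            fh.write(b"same name as the smishing payload, different content")
        with open(os.path.join(tmp, "readme.txt"), "wb") as fh:
            fh.write(b"nothing to see here")
        result = scan_directory(tmp, indicators)
        return {
            "hash_hits": sorted(os.path.basename(p) for p, _, _ in result["hash_hits"]),
            "name_hits": sorted(os.path.basename(p) for p in result["name_hits"]),
        }


if __name__ == "__main__":
    print(demo())
```

A hash hit is exact but brittle (the attackers only have to rebuild the payload), which is why the example reports name-only matches separately: they deserve a look, not an automatic verdict.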

Initial Dridex botnet C&C nodes (compromised servers):

Additional Dridex botnet C&C nodes (compromised servers) - via Dridex configuration file:

Dridex redirect / webinject server (compromised server):

Technical Report about the RUAG espionage case

After several months of incident response and analysis in the RUAG cyber espionage case, we were assigned by the Federal Council to write and publish a report about the findings. The following is a purely technical report, intended to inform the public about Indicators of Compromise (IOCs) and the modus operandi of the attacker group behind this case. We strongly believe that sharing information is one of the most powerful countermeasures against such threats; this is the main reason we publish this report not only within our constituency, but to the public as well.

The attackers have been using malware from the Turla family, which has been around for several years. This malware family is still under active development and used in the wild. We provide an analysis, as well as relevant IOCs to detect this threat, and try to give an insight into how the attackers infiltrate a network, move laterally, and exfiltrate data. It is interesting to see the clever design of their fingerprinting, which excludes any victim not on the target list. Another impressive observation is the patience shown during the lateral movement. However, it is important to emphasize that attackers also make mistakes and have their weaknesses, so there is always an opportunity for the defenders to detect them.

Links to the report

Technical Report about the Malware used in the Cyberespionage against RUAG (English)

Technischer Bericht zur eingesetzten Schadsoftware beim Cyberangriff auf die RUAG (German)

Rapport technique sur le maliciel utilisé lors de la cyber-attaque contre RUAG (French)

Rapporto tecnico sul software nocivo utilizzato nell’attacco cyber contro la RUAG (Italian)
