Official GovCERT.ch Blog
MELANI / GovCERT.ch received several reports today about malicious SMS that have been sent to Swiss mobile numbers. The SMS is written in German and claims to come from the Swiss Post. But in fact, the SMS has been sent by hackers with the aim to infect Smartphones in Switzerland with a Trojan horse.
Malicious SMS pretends to come from the Swiss Post (click to enlarge)
The SMS contains a link to a website. If the user clicks on the link in the SMS, he will get redirected to a hijacked website that hosts an App that installs malware on the victims Smartphone. As the served file is an Android application package (APK), only Android users are affected by this threat.
By default, Google does not allow Apps from 3rd parties (such as 3rd party App stores or from the internet) to be installed. However, the user has the possibility of allowing the installation of 3rd party Apps by changing the Android Security settings. In most cases, users do not change theses settings, so common Android users should be safe. Yet there were some articles in some Swiss newspapers this week that showed its readers how to enable the installation of Android Apps from 3rd party (aka “unknown sources”) in order to install the new Nintendo game Pokemon GO, as the App isn't in the Swiss version of the Google Play Store yet. Even before the launch of the game in Switzerland, the App went viral and obviously many Android users in Switzerland wanted to access the game before the launch of the App in the Swiss App store. As a result of this, some Android users may followed the instructions of the Swiss news papers and have enabled the installation of Apps from 3rd parties, making themselves vulnerable to this type of attack.
Malicious Swiss Post Android App (click to enlarge)
The App requests permission to erase all data on the victims phone (see screenshot above). In addition, it calls out to a botnet command&control server (C&C) in order to receive further commands from the attackers. According to FireEye, the App is part of a larger cybercrime operation with the aim of stealing login credentials of popular Apps such as Uber, Viber and Facebook (phishing / Smishing).
In the last SMS spam campaign we have observed in Switzerland a few weeks ago, we noticed that the malicious App has been downloaded more than 15'000 times.
In general, we highly recommend Android users to disable the installation of 3rd party Apps from unknown sources. To ensure that the installation of 3rd party Apps is disabled, go to settings -> Security on your Android device and make sure that the option
Malicious Swiss Post Android App (click to enlarge)
We recommend to never change this setting, even when you are instructed by to do so (as strangers may try to convince you to do so in order to place malware on your smartphone).
Indicator of Compromise
Android APK download URL:
Android APK (malware):
MD5 hash: c121a1ae8a4ee564fd6bd079ad5d3373
Android malware botnet C&C:
In the past weeks, we have seen a rise of malicious Microsoft office documents that are being spammed out to Swiss internet users with the aim to infect them with a malicious software (malware) called Dridex.
Dridex is an ebanking Trojan which is already around for some time now. The attackers are operating various botnets with Dridex infected computers. While most of these botnets do have a strong focus on financial institutions from abroad (such as US or UK), one particular botnet is also targeting financial institutions in Switzerland.
These days, Dridex is being distributed via malicious Microsoft office files, for example Word documents (.docx). The attackers have weaponized these documents with a malicious macro. The purpose of this macro is to download additional code (in this case Dridex) from a compromised website, once the office document is being opened and the macro executed. Unless most of the spam campaigns that are hitting our spam traps these days, the spam campaigns that are distributing Dridex do not originate from a spam botnet, but rather from compromised email accounts. Therefore the attackers manage to bypass many spam filters and hence ensure that the email gets delivered to the recipient.
The Dridex spam campaign we have seen yesterday has been sent from compromised t-online.de email accounts, but also from other email service providers:
Received: from mailout09.t-online.de (mailout09.t-online.de [188.8.131.52])
(using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client CN
"mailout00.t-online.de", Issuer "TeleSec ServerPass DE-2" (verified OK)) by
X (Y) with ESMTPS id X for
; Thu, 7 Jul 2016 X
Received: from fwd10.aul.t-online.de (fwd10.aul.t-online.de [172.20.26.152])
by mailout09.t-online.de (Postfix) with SMTP id X for
; Thu, 7 Jul 2016 X
Received: from [127.0.0.1] (Z@[184.108.40.206]) by fwd10.t-online.de with TLSv1:DHE-RSA-AES256-SHA encrypted) esmtp id X; Thu, 7 Jul 2016 X
Date: Thu, 7 Jul 2016 X
Subject: firstname.lastname ; Aufforderung zur Bezahlung von Rechnung #EU932451 von X
If we can trust the email header, the email has been sent through t-online by a broadband IP address in Russia (220.127.116.11 - OJSC Rostelecom, Russia). The email subject varies:
emailaddress: Offene Rechnung ist verfügbar (#
emailaddress, Offene Faktur ist überfällig (# 17285838)
emailaddress, Offene Warenrechnung ist überfällig (ID 09608490)
emailaddress - Aufforderung zur Begleichung von Rechnung #J007631 von XYZ
emailaddress - Aufforderung zur Begleichung von Ausgangsrechnung #EU985390 von XYZ
emailaddress : Aufforderung zur Bezahlung von Rechnung #W738296 von XYZ
emailaddress - info, Die Fälligkeit Ihrer Rechnung 1879590 für XYZ
emailaddress partner: Ihre Abrechnung ist überfällig (# 15238847)
The spam email look like this, but may vary:
Dridex spam sample (click to enlarge)
The attachment name varies and depends on the name of the recipient. Once the malicious office document is opened and the macros executed, Dridex payload will be downloaded from a compromised website.
To prevent becoming a victim of Dridex or other malware that is being distributed via malicious office documents, we recommend the following actions:
For private users:
- Be careful when receiving emails from strangers or suspect invoices via email. In case of doubt, call the sender or contact him via email to verify the purpose of the email.
- Never execute macros in office documents you have received via email, even when the sender asks you to do so. Macros may harm your computer!
- Always keep your Antivirus software up to date. If you use a non-free Antivirus, make sure that your Antivirus is licensed and if not, renew it or switch to a free Antivirus software to receive full protection. Otherwise the virus protection will expire and you will no longer be protected against threats.
- Regularly make a backup of your data. The backup should be stored offline, i.e. on an external medium such as an external hard disk. Thus make sure that the medium where the backup is saved is disconnected from the computer after the backup procedure is complete.
- For payments or wire transfer issued via ebanking, make use of collective contracts. By using collective contacts, every wire transfer need to be signed an authenticated by a second ebanking contract / login. Ask your bank about the use of collective ebanking contracts.
- Use a dedicated computer for ebanking (no surfing in the internet , email etc).
- Block the receipt of dangerous email attachments on your email gateway. These include among others:
- Make sure that such dangerous email attachments are also blocked, if they are sent to recipients in your company in archive files such as ZIP, RAR or even in encrypted archive files (e.g. in a password-protected ZIP file).
- In addition, all email attachments containing macros (e.g. Word, Excel or PowerPoint attachments which contain macros) should be blocked on the email gateway as well.
- You can obtain additional protection against malware for your IT infrastructure by using the Windows AppLocker . By using the Windows AppLocker, you can specify which programs can be run on the computers in your company.
.bat (Batch file)
.exe (Windows executable)
.cpl (Control Panel)
.com (COM file)
.pif (Program Information File)
.vbs (Visual Basic Script)
.ps1 (Windows PowerShell)
Indicator of Compromise (IOCs)
Dridex payload delivery URLs (fetched by the malicious documents that are being spammed out):
Dridex payload (malware samples):
winword.dat (MD5 2eaf243bad4b1c22089e7654524f0e5a)
office.bin (MD5 66e9ff85c9361127cd4b873d48008c9b)
Initial Dridex botnet C&C nodes (compromised servers):
Additional Dridex botnet C&C nodes (compromised servers) - via Dridex configuration file:
Dridex redirect / webinject server (compromised server):
After several months of Incident Response and Analysis in the RUAG cyber espionage case, we got the assignment from the Federal Council to write and publish a report about the findings. The following is a purely technical report, intending to inform the public about Indicators of Compromise (IOCs) and the Modus Operandi of the attacker group behind this case. We strongly believe in sharing information as one of the most powerful countermeasures against such threats; this is the main reason we publish this report not only within our constituency, but to the public as well.
The attackers have been using malware from the Turla family, which has been around for several years. This malware family is still under active development and used in the wild. We provide an analysis, as well as relevant IOCs to detect this threat, and try to give an insight on how the attackers infiltrate a network, move laterally, and exfiltrate data. It is interesting to see the clever design of their fingerprinting to exclude any victim not on the target list. Another impressive observation is the patience shown during the lateral movement. However, it is important to emphasize that attackers also make mistakes and have their weaknesses, so there is always an opportunity for the defenders to detect them.
Links to the reportTechnical Report about the Malware used in the Cyberespionage against RUAG
Technischer Bericht zur eingesetzten Schadsoftware beim Cyberangriff auf die RUAG
Rapport technique sur le maliciel utilisé lors de la cyber-attaque contre RUAG
Rapporto tecnico sul software nocivo utilizzato nell’attacco cyber contro la RUAG