Command and control servers are located in Russia

Jan 30, 2015 11:10 GMT

A flurry of malicious emails started hitting the inboxes of users in Switzerland on Tuesday, researchers say, delivering a version of the Tinybanker banking Trojan.

According to a security researcher, the messages originate from the Cutwail spam botnet, a network of infected computers commandeered to distribute various types of malware.

Version of Tinba with no DGA

Also known as Tinba, Illi and Zusy, Tinybanker gained notoriety as the smallest banking Trojan, at about 20KB in size. Beyond its small footprint, however, the malware also stood out for functionality that rivaled that of larger threats of the same kind.

According to Abuse.ch, the version of Tinba currently distributed through Cutwail does not rely on a domain generation algorithm (DGA) to obtain the addresses of its command and control (C&C) servers; instead, the IPs are hard-coded in the malware.

This matters in the fight against the threat: with no DGA to fall back on, the bots have no way to locate replacement servers, so if the hard-coded C&C servers are taken down, the cybercriminals lose access to the data stolen from compromised systems.

At the moment, two of the four C&C servers have been sinkholed, and the remaining two point to machines located in Russia.
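As an added example (not code from the article or from Abuse.ch), the following Python script shows the defender's side of the hard-coded-IP point: pulling dotted-quad strings out of a sample, in both ASCII and UTF-16LE form, dropping loopback, private and multicast noise, and leaving the candidates that go to a blocklist or sinkhole request. The sample blob, the function name and the addresses in it (RFC 5737 documentation space) are all constructed for the example, not indicators from the article.

```python
import ipaddress
import re

# Constructed sample blob standing in for a malware binary that hard-codes its
# C&C addresses. The "C&C" addresses are RFC 5737 documentation space, not
# indicators from the article; the version string is a deliberate false positive.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"                                  # PE-like header bytes
    b"Ver 4.2.0.1 "                                                # version string that looks like an IP
    b"\x00203.0.113.7\x00 198.51.100.45\x00\x00"                   # ASCII C&C strings
    b"1\x009\x002\x00.\x000\x00.\x002\x00.\x009\x009\x00\x00"      # UTF-16LE "192.0.2.99"
    b"127.0.0.1\x0010.0.0.5\x00999.1.2.3\x00"                      # loopback, private, invalid octet
)

# Dotted quads in ASCII and in UTF-16LE (Windows wide strings). The lookarounds
# stop "1.2.3.4.5" from yielding a bogus four-octet slice.
ASCII_RE = re.compile(rb"(?<![0-9.])(?:\d{1,3}\.){3}\d{1,3}(?![0-9.])")
WIDE_RE = re.compile(rb"(?<![0-9.]\x00)(?:(?:\d\x00){1,3}\.\x00){3}(?:\d\x00){1,3}(?![0-9.]\x00)")

# Ranges that can never be a usable C&C on the public Internet; documentation
# space is intentionally not listed so the constructed sample addresses survive.
NOISE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def extract_candidate_c2(blob: bytes) -> list:
    """Return unique, routable-looking IPv4 strings embedded in blob, sorted.
    Everything returned is a candidate only: version strings and other dotted
    numbers survive this filter and must be triaged by an analyst."""
    found = set()
    for pattern, encoding in ((ASCII_RE, "ascii"), (WIDE_RE, "utf-16-le")):
        for match in pattern.finditer(blob):
            try:
                ip = ipaddress.IPv4Address(match.group().decode(encoding))
            except ipaddress.AddressValueError:
                continue  # octet out of range, e.g. 999.1.2.3
            if any(ip in net for net in NOISE):
                continue
            found.add(ip)
    return [str(ip) for ip in sorted(found)]


if __name__ == "__main__":
    for candidate in extract_candidate_c2(SAMPLE):
        print(candidate)
```

The version string 4.2.0.1 comes out alongside the three real candidates, which is exactly the triage step an analyst has to do before these go into a blocklist.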

The security researcher observed three distinct spam campaigns: one pretending to come from Bluewin (the main Internet provider in Switzerland), another posing as an MMS notification from the telecom provider Orange, and a third masquerading as a job application.

All the fake messages (the absence of umlauts should raise suspicion) are crafted to lure the recipient into opening the contents of an attached archive.

Cutwail also distributes Dyre banking Trojan

Upon analyzing the IP addresses used for sending the messages, the researcher discovered that they all belonged to computers in the Cutwail botnet.

Earlier this week, Symantec also detected aggressive activity related to Cutwail, with researchers recording short but heavy bursts of spam sent out to potential victims.

They said that the bursts lasted for just a few minutes and targeted millions of users, who received a version of a different banking Trojan, Dyre (also known as Dyreza), or were directed to a phishing page.

An interesting change of pattern observed by the researchers was that the messages did not carry a malicious attachment, as is usually the case, but instead included a link that led to downloading the malware.

Fake emails (3 images): fake email from Bluewin; fake email from Orange; fake job application.