Fake email “Domain Name ****.*** have been suspended”


MX Lab, http://www.mxlab.eu, has started intercepting a new trojan distribution campaign spread by email with the subject “Domain Name *****.*** have been suspended”.

This campaign comes in several variants, targets domain name owners, has been active for a few days now and shows up in our logs from time to time.

The emails name the domain registrar and contain a link to download the malware. The spoofed sender addresses use the registrar's domain with an extra label appended (registrar.eu.ut, vautron.de.ka, eurodns.com.tz). The malware is hosted on several different web sites, and the file name of the download also includes the targeted domain name.

Some examples:

This email is sent from the spoofed address “Hosting Concepts B.V. d/b/a Openprovider” <abuse@registrar.eu.ut> and has the following body:

Dear ****** *******,

The Domain Name *****.*** have been suspended for violation of the Hosting Concepts B.V. d/b/a Openprovider Abuse Policy.

Multiple warnings were sent by Hosting Concepts B.V. d/b/a Openprovider Spam and Abuse Department to give you an opportunity to address the complaints we have received.

We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.

We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.

Click here and download a copy of complaints we have received.

Please contact us for additional information regarding this notification.

Sincerely,

Hosting Concepts B.V. d/b/a Openprovider

Spam and Abuse Department

The embedded URL leads to studiocovre.it/abuse.php?*****.***, which downloads the file *****.***_copy_of_complaints.pdf.scr (a Windows screensaver executable disguised with a .pdf double extension).


This email is sent from the spoofed address “Vautron Rechenzentrum AG” <abuse@vautron.de.ka> and has the following body:

Dear ***** ******,

The Domain Name *****.*** have been suspended for violation of the Vautron Rechenzentrum AG Abuse Policy.

Multiple warnings were sent by Vautron Rechenzentrum AG Spam and Abuse Department to give you an opportunity to address the complaints we have received.

We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.

We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.

Click here and download a copy of complaints we have received.

Please contact us for additional information regarding this notification.

Sincerely,

Vautron Rechenzentrum AG

Spam and Abuse Department

The embedded URL leads to sfd-fussball.de/abuse.php?*****.***, which downloads the file *****.***_copy_of_complaints.pdf.scr.


This email is sent from the spoofed address “Eurodns S.A.” <legalservices[at]eurodns.com.tz> and has the following body:

Dear Manager Domain,

The Domain Name *****.*** have been suspended for violation of the Eurodns S.A. Abuse Policy.

Multiple warnings were sent by Eurodns S.A. Spam and Abuse Department to give you an opportunity to address the complaints we have received.

We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.

We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.

Click here and download a copy of complaints we have received.

Please contact us for additional information regarding this notification.

Sincerely,

Eurodns S.A.

Spam and Abuse Department

The embedded URL leads to studiocovre.it/abuse.php?*****.***, which downloads the file *****.***_copy_of_complaints.pdf.scr.

The trojan is detected under names such as Trojan/Win32.Cryptowall, a variant of Win32/Injector.CLXA, UDS:DangerousObject.Multi.Generic or Trj/CryptoWall.C.

At the time of writing, only 9 of the 54 AV engines at VirusTotal detected the trojan, so mail-level filtering on the lure itself should not wait for signature coverage.

See VirusTotal for more detailed information on this sample.
SHA256: 2af8e283e75f2248e2a8193012acc34822149b9d1ab2290142ea225138153af1
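As an added illustration (not MX Lab's code and not part of the original post), here is a small Python rule set a mail gateway could run over the indicators listed above: the subject line, the sender domain built from a registrar's real domain plus an extra label, the abuse.php download URL, the .pdf.scr double extension, and the SHA256 of the sample. The registrar list, the sample messages (with example.com standing in for the masked domain) and the block/review thresholds are assumptions made for this example.

```python
"""Mail-gateway detection rules for the "Domain Name ... have been suspended" lure.

Added example, not MX Lab's code. It scores constructed sample messages against
the indicators described in the post. The registrar list, the sample messages
and the score thresholds are assumptions for illustration.
"""
import hashlib
import re
from dataclasses import dataclass, field
from email.utils import parseaddr
from urllib.parse import urlparse

# Registrar domains impersonated in the samples quoted in the post (assumed list).
REGISTRAR_DOMAINS = {"registrar.eu", "vautron.de", "eurodns.com"}

# SHA256 of the sample reported in the post, usable as a hash blocklist entry.
KNOWN_SAMPLE_SHA256 = "2af8e283e75f2248e2a8193012acc34822149b9d1ab2290142ea225138153af1"

SUBJECT_RE = re.compile(r"\bdomain name \S+ have been suspended\b", re.I)
# A document-looking name followed by an executable extension, e.g. x.pdf.scr
DOUBLE_EXT_RE = re.compile(r"\.(pdf|doc|docx|xls|txt)\.(scr|exe|com|pif|bat|cmd)$", re.I)
ABUSE_PATH_RE = re.compile(r"/abuse\.php$", re.I)


@dataclass
class Message:
    sender: str                                   # raw From: header value
    subject: str
    urls: list = field(default_factory=list)
    file_names: list = field(default_factory=list)  # linked or attached file names


def sender_domain(from_header):
    """Extract the domain part of the address in a From: header."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def is_registrar_lookalike(domain):
    """True when the domain is a real registrar domain with extra labels
    appended (registrar.eu.ut, vautron.de.ka, eurodns.com.tz).  A genuine
    subdomain such as mail.eurodns.com is not flagged."""
    if domain in REGISTRAR_DOMAINS:
        return False
    return any(domain.startswith(legit + ".") for legit in REGISTRAR_DOMAINS)


def indicators(msg):
    """Return the list of campaign indicators present in one message."""
    hits = []
    if SUBJECT_RE.search(msg.subject):
        hits.append("subject:suspended-lure")
    if is_registrar_lookalike(sender_domain(msg.sender)):
        hits.append("from:registrar-lookalike")
    if any(ABUSE_PATH_RE.search(urlparse(u).path) for u in msg.urls):
        hits.append("url:abuse.php")
    if any(DOUBLE_EXT_RE.search(n) for n in msg.file_names):
        hits.append("file:double-extension")
    return hits


def verdict(msg):
    """Two or more indicators: block; exactly one: hold for review; none: allow."""
    hits = indicators(msg)
    action = "block" if len(hits) >= 2 else ("review" if hits else "allow")
    return action, hits


def is_known_sample(payload):
    """Hash-match a downloaded payload against the SHA256 given in the post."""
    return hashlib.sha256(payload).hexdigest() == KNOWN_SAMPLE_SHA256


# Constructed samples modelled on the post; example.com stands in for the masked domain.
LURE = Message(
    sender='"Hosting Concepts B.V. d/b/a Openprovider" <abuse@registrar.eu.ut>',
    subject="Domain Name example.com have been suspended",
    urls=["http://studiocovre.it/abuse.php?example.com"],
    file_names=["example.com_copy_of_complaints.pdf.scr"],
)
LEGIT = Message(
    sender="EuroDNS Support <support@mail.eurodns.com>",
    subject="Your invoice for example.com",
    urls=["https://www.eurodns.com/invoices/12345"],
    file_names=["invoice.pdf"],
)

if __name__ == "__main__":
    for m in (LURE, LEGIT):
        print(m.subject, "->", verdict(m))
```

The lookalike check deliberately matches only labels appended after the real domain, which is the pattern in all three samples; a legitimate subdomain of the registrar is left alone, so the rule does not block the registrar's own notices.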
