SANS ISC InfoSec Forums
Voice Message Notifications Deliver Ransomware

Attackers constantly need new ways to lure their victims. Fake billing notifications were very common for a while, but not everybody in a company handles invoices. What kind of notification does every employee have in common? All of them have a phone number, and with modern "Unified Communications" platforms such as Microsoft Lync or Cisco, anybody can receive an email announcing a new voice mail. Even residential systems deliver voice message notifications.

Here is an example displayed in Microsoft Outlook:

Today, I received a wave of emails like the following:

To: [redacted]
Subject: [Vigor2820 Series] New voice mail message from 01422520472 on 2016/08/23 15:55:25

Dear [redacted]:

There is a message for you from 01422520472, on 2016/08/23 15:55:25 .
You might want to check it when you get a chance. Thanks!

The sender address is spoofed using the victim's own domain name. The following file was attached to the message:

$ unzip -t
    testing: 197577509502.wsf         OK
No errors detected in compressed data of
$ md5sum 197577509502.wsf
f2ee33a688a45b161d3191693196cb1d  197577509502.wsf

Note the '' extension used to lure the user; a .wsf (Windows Script File) runs under Windows Script Host as soon as it is double-clicked, with no macro prompt involved. As usual, the payload is heavily obfuscated and the antivirus detection rate is still very low (6/55 at 11:55:00 UTC) [1].
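As an added example (not code from this diary or from the ISC), here is a Python triage routine that checks an inbound message for the three indicators described above: a From domain identical to the recipient's own domain, a voice-mail style subject, and a ZIP attachment carrying a Windows Script File. Everything in the sample message is constructed for the example (the example.com addresses, the archive name message.zip, the inert .wsf stub); only the subject line and the member name 197577509502.wsf are taken from the diary.

```python
"""Triage an inbound 'voice mail notification' email for the lure
described above: internal-looking sender, voice-mail subject, and a
ZIP attachment carrying a Windows Script File (.wsf)."""
import email
import email.utils
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows Script Host or the Windows shell execute on double-click.
SCRIPT_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta", ".exe", ".scr"}
VOICEMAIL_SUBJECT = re.compile(r"voice\s*mail|voice message", re.IGNORECASE)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address header, '' if none."""
    _, _, dom = email.utils.parseaddr(addr)[1].rpartition("@")
    return dom.lower()


def archived_script_names(data: bytes) -> list[str]:
    """Names of script-type members inside a ZIP blob ([] if not a ZIP)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    return [n for n in names if any(n.lower().endswith(ext) for ext in SCRIPT_EXTENSIONS)]


def triage(raw: bytes) -> dict:
    """Return the indicators found in one RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom, to_dom = _domain(msg["From"] or ""), _domain(msg["To"] or "")
    findings = {
        # From domain equal to the recipient's own domain: the spoof seen in
        # the campaign. Whether it really came from outside is what the
        # gateway's SPF/DKIM/DMARC evaluation adds on top of this check.
        "spoofed_internal_sender": bool(from_dom) and from_dom == to_dom,
        "voicemail_subject": bool(VOICEMAIL_SUBJECT.search(msg["Subject"] or "")),
        "script_in_zip": [],
    }
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        findings["script_in_zip"].extend(archived_script_names(payload))
    findings["verdict"] = "quarantine" if findings["script_in_zip"] else "allow"
    return findings


def build_sample() -> bytes:
    """Constructed sample reproducing the lure; the .wsf member is an inert stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("197577509502.wsf", "<job><script language='JScript'>/* inert stub */</script></job>")
    msg = EmailMessage()
    msg["From"] = "voicemail@example.com"   # spoofed: the victim's own domain (assumed)
    msg["To"] = "alice@example.com"         # constructed recipient
    msg["Subject"] = "[Vigor2820 Series] New voice mail message from 01422520472 on 2016/08/23 15:55:25"
    msg.set_content("There is a message for you from 01422520472.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="message.zip")  # archive name is an assumption
    return bytes(msg)


if __name__ == "__main__":
    print(triage(build_sample()))
```

The domain comparison only flags the spoof pattern; combine it with the gateway's authentication results (SPF, DKIM, DMARC) before acting on it, and extend SCRIPT_EXTENSIONS to whatever your users' mail clients will happily execute.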

Vigor is a range of residential ADSL modem/routers made by DrayTek and sold in the UK [2], which suggests that this new wave is aimed at residential customers.

Here are the C2 servers (for your IDS):


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

Aug 23rd 2016
We've been seeing greylist entries with From addresses of voicemail@ at several of the domains we serve, all of them originating from outside our network, of course.

The current count is approx 150, but we'll keep monitoring of course.

I've already submitted the list of IP addresses separately.

Please let me know if you would want me to set up a periodic refresh or if you would like further data such as spamd log extracts.

- Peter

PS (update 2016-08-24): final count is 207 unique IP addresses attempting to deliver; none got past our greylisting. A writeup with data and some massaging may follow soonish, time allowing (check back at

Thanks for posting events like this!

We saw the same exact campaign this morning at our company.

Sanesecurity phish.ndb blocked 2,213 of them so far today as Sanesecurity.Malware.26295.JsHeur

foxhole_js.cdb and foxhole_filename.cdb also blocking them.

I have been noticing an abnormal amount of war dialing activity as well on my 25+ year old same-number land line.

What kind of IDS rules or policies should I be adding these IPs to? Total noob alert...!
I finally got the promised writeup done, with slightly better researched numbers and some data on where the traffic came from.

It's up at

Out of necessity, to cover our own needs and protect our clients, we created an application called RansomSaver. It is an Outlook add-in; basically what it does is move new incoming infected email to a folder under Deleted Items called RansomSaver. We provide this software for free and with no strings attached.

To download or see further information regarding RansomSaver please visit
