Botnet Reprieve Brings Massive Malware

Wednesday, February 22, 2012 @ 03:02 PM gHale

The Cutwail botnet, responsible for major spam campaigns, is making a comeback, and it shows with a hike in malware offerings.

There have been three peaks of malicious campaigns using HTML attachments for serving client-side exploits to users, said researchers at security company M86Security.


The campaigns in question:
• The FDIC “Suspended bank account” spam campaign
• The “End of August Statement” spam campaign
• The “Xerox Scan” spam campaign

Once the user downloads and opens the malicious HTML attachment, embedded JavaScript silently redirects the browser to a client-side exploit URL on the cybercriminals’ malicious network, which currently relies on the Phoenix web malware exploitation kit.

The landing page that hosts the exploit code is served by the Phoenix Exploit Kit, the kit the cybercriminals chose for this particular spam campaign. The kit is readily available for cybercriminals to buy and use; all they need is their own web server capable of running PHP scripts.
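The redirect step described above is something a mail gateway can check for before an attachment ever reaches a user. The following scanner is an added example, not code from the article or from M86Security: it parses an HTML attachment and flags the redirect mechanisms such a lure would need (script-driven location changes, meta refresh, iframes, external scripts). The sample attachment and its URL are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# Constructed mock of an HTML lure attachment; the URL is a placeholder,
# not an indicator from the campaign.
SAMPLE_ATTACHMENT = """<html><head>
<meta http-equiv="refresh" content="5;url=http://placeholder.invalid/landing.php">
</head><body>
<p>Your statement is attached.</p>
<script>window.location = "http://placeholder.invalid/landing.php";</script>
</body></html>"""

# (label, regex) pairs for the usual JavaScript redirect idioms
REDIRECT_PATTERNS = [
    ("window.location", r"window\.location"),
    ("document.location", r"document\.location"),
    ("location.href", r"location\.href"),
    ("location.replace", r"location\.replace\("),
]

class _Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases attribute names
        if tag == "script":
            self.in_script = True
            if a.get("src"):
                self.findings.append(f"external script: {a['src']}")
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(f"meta refresh: {a.get('content')}")
        elif tag == "iframe":
            self.findings.append(f"iframe: {a.get('src')}")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # script bodies arrive here as raw text; look for redirect idioms
        if self.in_script:
            for label, pattern in REDIRECT_PATTERNS:
                if re.search(pattern, data):
                    self.findings.append(f"script redirect via {label}")
                    break

def scan_html_attachment(html):
    """Return a list of suspicious redirect findings for an HTML attachment."""
    scanner = _Scanner()
    scanner.feed(html)
    return scanner.findings
```

A finding list that is non-empty for an HTML attachment is a reasonable trigger to quarantine the message for review, since legitimate statements and scan notifications rarely need to redirect the reader elsewhere.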

Most visitors came from the HTML files the cybercriminals spammed out. Of the over 4000 visitors, 15% ended up victimized.

Once the researchers obtained access to the command and control interface of the exploit kit, they noticed that the majority of hits carried a blank referrer, meaning the visitors were home and corporate users opening the malicious attachments locally on their PCs.

End users are advised to avoid interacting with the emails used in these spam campaigns, and to ensure they are not running outdated versions of third-party software or browser plugins on their PCs.
