Spam

The RIG exploit kit recently stopped distributing Tofsee and cybercriminals have decided to use the botnet’s own spamming capabilities to deliver the malware, Cisco’s Talos team reported on Thursday.

Tofsee, a multi-purpose malware that has been around since 2013, allows cybercriminals to conduct various activities, including click fraud, cryptocurrency mining, DDoS attacks and sending spam.

Up until June 2016, cybercriminals distributed the malware using the RIG exploit kit and malvertising campaigns. Then, after the notorious Angler exploit kit disappeared from the scene, cybercriminals started leveraging RIG to deliver other payloads, which experts believe might have been more profitable.

After RIG stopped delivering Tofsee, cybercriminals turned to email spam campaigns to infect computers. Typically, the Tofsee botnet has been used to send spam emails advertising adult dating and pharmaceutical websites. However, in August, researchers noticed that the spam messages had changed and started delivering Tofsee malware downloaders.

The volume of these spam emails has gradually increased since mid-August, reaching more than 2,000 messages on some days in September, Cisco Talos reported.

The spammy emails are adult-themed and they purport to come from women in Russia and Ukraine. Recipients are instructed to download and open the ZIP archive attached to the messages as it allegedly contains pictures of the sender.

Instead of pictures, the archive contains an obfuscated JavaScript file that includes a WScript downloader designed to fetch and run an executable from a remote server controlled by the attacker. Once the file is executed, the system becomes infected with Tofsee.

The malware connects to various SMTP relays, which it uses to send spam emails. The threat also initiates HTTP connections as it simulates clicking on ads as part of its click fraud mechanism.

Since the demise of Angler, the RIG exploit kit has been used to deliver the SmokeLoader (aka Dofoil) backdoor and other malware. Its developers have been working on improving the kit with new exploits and command and control (C&C) patterns that could help it evade detection.

Earlier this week, researchers reported that RIG had taken the place of Neutrino in a massive malvertising campaign that delivered CryptMIC ransomware. The campaign had previously used Neutrino, which took the leading position after Angler disappeared.

Related: Cisco Targets RIG Exploit Kit

Related: Kaspersky Confirms Lurk Gang Developed Angler Exploit Kit

view counter

Previous Columns by Eduard Kovacs:

Tags:


SecurityWeek RSS Feed

The volume of spam email has increased significantly this year, being comparable to record levels observed in 2010. Researchers from Cisco Talos believe the increase has been driven mainly from increased activity of the Necurs botnet.

Over the past five years, spam volumes have been relatively low compared to 2010, when they reached an all-time high. However, it appears that this lull might have ended this year, as spam is on the rise once again. Citing data from the Composite Block List (CBL), Cisco Talos researchers note that 2016’s spam volumes are nearly as high as they were back in mid-2010.

Furthermore, the overall size of the SpamCop Block List (SCBL) over the past year shows a spike of more than 450,000 IP addresses in August 2016, although the SCBL size was under 200,000 IPs last year, Cisco says.

The surge in spam email volumes this year, researchers explain, can only mean that dedicated botnets have increased their activity. However, anti-spam systems can usually catch spam campaigns fast because botnets are using a non-targeted/shotgun approach. Even so, researchers say, attacks cannot be predicted before they start.

Responsible for this year’s spike in spam campaigns, Cisco says, might be the Necurs botnet, which was associated only several months ago with the Locky ransomware and the Dridex Trojan. When Necurs suffered an outage in June, Locky and Dridex infections came to a relative stop, but the ransomware returned with a vengeance when the botnet was restored three weeks later.

Both Necurs’ outage and the lack of activity behind Dridex and Locky were supposedly connected to the arrests in Russia related to the Lurk Trojan, which Cisco now confirms. Necurs was only one of the major threats to be silenced following said arrests, but its return also marked a major change in behavior, Cisco says.

“And not only had Necurs returned, but it switched from sending largely Russian dating and stock pump-n-dump spam, to sending malicious attachment-based spam. This was the first time we'd seen Necurs send attachments,” the security researchers say.

Also associated with the Lurk gang, the Angler exploit kit disappeared in June, taking EK traffic down along with it, which has determined threat actors to find new means to deliver their malicious payloads, and spam botnets appear to have become their main choice. Although new anti-spam technologies and high-profile takedowns of spam-related botnets have diminished spam volumes over time, it appears that this attack technique is once again popular among cybercriminals.

According to Cisco, Necurs remains a highly active spam botnet mainly because its operators have found an ingenious method to continue using infected hosts for many years. For that, they only send spam from a subset of infected machines, and then stop using these hosts for several weeks, to draw attention away from them and to trick security personnel into believing that the host has been cleaned.

“Many of the host IPs sending Necurs' spam have been infected for more than two years. To help keep the full scope of the botnet hidden, Necurs will only send spam from a subset of its minions. An infected host might be used for two to three days, and then sometimes not again for two to three weeks,” researchers say. “At Talos, we see this pattern over, and over again for many Necurs-affiliated IPs.”

And because spammers have only a small window of opportunity between the start of a campaign until anti-spam systems are deployed, they try to send as much email as possible to ensure that they can successfully land malicious email into their victims' inboxes.

“Unfortunately there is no silver bullet to defending against a spam campaign. Organizations are encouraged to build a layered set of defenses to maximize the chances of detecting and blocking such an attack. Of course, whenever ransomware is involved, offline backups can be critical to an organization's survival. Restoration plans need to be regularly reviewed and tested to ensure no mistakes have been made and that items have not been overlooked. Lastly, reach out to your users and be sure they understand that strange attachments are never to be trusted,” Cisco says.

view counter

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire:

Tags:


SecurityWeek RSS Feed