Cutwail-Like Spambot Hides Malicious Activity in its Traffic

A spambot that behaves similarly to the Cutwail botnet has been discovered. It not only sends out spam messages, but also contains a data-stealing component. Researchers said the malware sends out a good deal of traffic and hides its malicious activity in its own traffic.

A new spambot has been discovered that generates copious amounts of HTTP POST and GET requests in an attempt to disguise what it’s really up to and throw detection capabilities off the scent.

“In this case, it seems like it’s trying to hide impactful communication where there are actual payloads among innocuous requests that don’t contain anything noteworthy,” said Ed Miles, a senior software engineer, malware research at Dell SonicWALL. “It’s hiding itself in its own traffic.”
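One defender-side way to look for the pattern Miles describes in proxy logs, as an added example that is not SonicWALL’s or the article’s own code: flag the few requests whose bodies are both sizeable and high-entropy (as an encrypted spam template would be) and report what fraction of each host’s requests is chaff. The log records, destinations and thresholds below are constructed assumptions, not data from the campaign.

```python
import math
from collections import Counter

# Constructed sample of outbound requests in the shape a web proxy log might
# provide: (source IP, method, destination, request body bytes).
# Values are invented for this example; they are not traffic from the reported campaign.
NOISE_BODY = b"user=guest&page=home&" * 4                 # plain form data, low entropy
PAYLOAD_BODY = bytes((i * 37) % 256 for i in range(200))  # random-looking stand-in for an encrypted template

SAMPLE_REQUESTS = [
    ("10.0.0.5", "GET",  "cdn.example.net/img/1.png",  b""),
    ("10.0.0.5", "GET",  "cdn.example.net/img/2.png",  b""),
    ("10.0.0.5", "POST", "stats.example.net/collect",  NOISE_BODY),
    ("10.0.0.5", "POST", "stats.example.net/collect",  NOISE_BODY),
    ("10.0.0.5", "GET",  "news.example.org/",          b""),
    ("10.0.0.5", "POST", "gate.example.invalid/in",    PAYLOAD_BODY),
    ("10.0.0.7", "POST", "stats.example.net/collect",  NOISE_BODY),
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for random or encrypted data, around 4 or less for ASCII form data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def find_hidden_payloads(requests, min_size=64, min_entropy=6.0):
    """Return the requests whose body is both sizeable and high-entropy.
    Chaff (empty GETs, short or plain-text POSTs) fails one of the two tests."""
    return [r for r in requests
            if len(r[3]) >= min_size and shannon_entropy(r[3]) >= min_entropy]

def chaff_ratio(requests, flagged):
    """Per source IP, the fraction of requests that are not flagged payload carriers.
    A host sending lots of traffic of which only a sliver is flagged fits the hiding pattern."""
    total = Counter(r[0] for r in requests)
    hits = Counter(r[0] for r in flagged)
    return {ip: 1 - hits[ip] / total[ip] for ip in total}

if __name__ == "__main__":
    flagged = find_hidden_payloads(SAMPLE_REQUESTS)
    for src, method, dst, body in flagged:
        print(f"{src} {method} {dst} body={len(body)}B entropy={shannon_entropy(body):.2f}")
    print(chaff_ratio(SAMPLE_REQUESTS, flagged))
```

The thresholds are starting points; tune `min_size` and `min_entropy` against your own baseline, since compressed images or legitimate TLS-free uploads can also score high.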

The spambot, identified as Wigon.PH_44 by SonicWALL, is being served on compromised websites hosted on the WordPress platform. To date, there are up to 200 sites serving the malicious executable and Miles said that SonicWALL has recorded 15,000 hits in the wild on the malware signature, most of those in the United States.

The Trojan infects Windows machines, including Windows 8 64-bit systems, and not only sends spam, but researchers have also found a data-stealing component that searches victim computers for email and FTP applications such as CuteFTP, FTP Commander, FTP Navigator, FileZilla and more.

Miles and colleague Deepen Desai, a senior security researcher, also note that the malware has similarities to the Cutwail botnet, but aren’t ready to call it a variant yet.

“We were seeing the malware getting the [spam] email templates as part of the HTTP request, but they’re in an encrypted format; that is one of the things we have seen in the past with Cutwail,” Desai said. “I would say it’s too early to call it Cutwail, but based on the behavior we’ve documented, it seems similar.”

Cutwail is one of the most established and most prolific spam botnets, at one point sending millions of spam messages daily. It was two million compromised machines strong and was used to distribute spam and financial malware targeting not only credit card data but credentials. The Cutwail emails often included links that would lead victims to sites hosting the Blackhole Exploit Kit, which would then inject downloaders for other malware such as ZeroAccess or Zeus.

Victims in the campaign uncovered by Dell SonicWALL are infected via drive-by download attacks from the compromised WordPress sites. Miles and Desai said they had no information on how the WordPress sites were compromised or what the vulnerabilities may be. Once the malware has established a foothold, it connects to a command server and receives further instructions, including orders to spam out other malware families, the researchers wrote on the company blog.

Spambots and financial botnets have regressed a bit since the downfall of the Blackhole exploit kit, Cutwail included. When its alleged creator, a Russian named Paunch, was arrested in October, Blackhole and Cool, another alleged Paunch project, disappeared along with him. Cybercriminal gangs relied for years on Blackhole and its various webinject components to compromise websites and redirect victims to dangerous malware such as Zeus and ZeroAccess, both of which are prolific and handy at emptying bank accounts.

Now that Blackhole is gone, security researchers noticed that some gangs had upped their use of direct attachments in spam and phishing emails to spread malware such as Zeus—a much less efficient means of making a profit, experts said. Some gangs, too, were not only pushing financial Trojans but also ransomware such as CryptoLocker and PowerLocker in an effort to quickly regain revenue until a viable alternative to Blackhole emerged.

Cutwail was one such instance, researchers at Websense said, adding that some criminal outfits have tested the waters with a number of exploit kits including Neutrino, Nuclear Pack and Magnitude. Magnitude was poked and prodded by the Cutwail gang, Websense said, before it decided instead to rely upon emails containing malicious .zip files, the number of which shot up in the wild.