Spammers are turning to an old technique known as hailstorm to slip past anti-spam and anti-malware filters. Researchers say that hailstorm spam, first spotted in 2008, has been improved and is once again being used, only this time to spread Dridex banking malware and Locky ransomware.
“Hailstorm attacks have become much more prevalent in 2016,” said Jaeson Schultz, technical leader with Cisco Talos. According to Schultz, hailstorm campaigns have evolved over time as well, moving from just hawking affiliate offers to new campaigns attempting to compromise business email systems, perpetrate identity theft and push drive-by downloads.
Hailstorm is derived from the even older snowshoe spamming technique, in which massive spam campaigns are launched over an extended period of time from thousands of IP addresses, but at low volumes per IP address. The technique attempts to evade e-mail reputation or volume-based spam filters.
Hailstorm is an evolution of snowshoe, wrote Cisco Talos researchers in a technical description of the spamming technique's reemergence. It also uses multiple IP addresses to send spam; unlike snowshoe spam, however, hailstorm campaigns are sent out in extremely high volumes over a short time span, according to Cisco Talos.
“Hailstorm spam attacks end just around the time the fastest traditional anti-spam defenses can update in response,” researchers said. The DNS query volume for a domain involved in a typical snowshoe attack is 35 queries per hour. With hailstorm, the DNS query volume starts from nothing, spikes to over 75,000 queries per hour, then drops back down.
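The two DNS profiles described above (a steady trickle versus nothing, a spike, then nothing) are what a defender can look for in resolver logs. The following is an added example written for this article, not code from Cisco Talos or the original report. It builds a small constructed set of per-query log lines for two hypothetical domains, buckets the queries per hour, and labels each domain's profile. The burst threshold is a parameter; it is set far below the article's 75,000 queries per hour so the constructed sample stays small.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the article): one resolver log line per
# DNS query, in the form "<ISO-8601 timestamp> <queried domain>".
BASE = datetime(2016, 10, 1, 0, 0)


def _make_lines(domain, per_hour):
    """Build log lines for one domain from a list of per-hour query counts."""
    lines = []
    for hour, n in enumerate(per_hour):
        for i in range(n):
            ts = BASE + timedelta(hours=hour, minutes=i % 60)
            lines.append(f"{ts.isoformat()} {domain}")
    return lines


# Snowshoe-like profile: a steady trickle of 3 queries every hour for a day.
SNOWSHOE_LINES = _make_lines("offers.example", [3] * 24)
# Hailstorm-like profile: silence, a burst of 60 queries in hour 11, silence again.
HAILSTORM_LINES = _make_lines("invoice.example", [0] * 11 + [60] + [0] * 12)
SAMPLE_LOG = SNOWSHOE_LINES + HAILSTORM_LINES


def hourly_counts(log_lines):
    """Count queries per domain per hour bucket: {domain: {hour: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        ts, domain = line.split()
        bucket = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        counts[domain][bucket] += 1
    return counts


def classify_domain(buckets, span_start, span_hours, burst_threshold):
    """Label one domain's hourly series over a fixed span.

    'burst'  : at most two active hours, one of them at or above the threshold
               (the hailstorm shape: nothing, spike, nothing).
    'steady' : queries in at least 80% of hours, all below the threshold
               (the low constant trickle that snowshoe relies on).
    'sparse' : anything else.
    """
    series = [buckets.get(span_start + timedelta(hours=h), 0) for h in range(span_hours)]
    peak = max(series)
    active_hours = sum(1 for c in series if c > 0)
    baseline = sorted(series)[len(series) // 2]  # median hourly count
    spike_ratio = peak / max(baseline, 1)
    if peak >= burst_threshold and active_hours <= 2:
        profile = "burst"
    elif active_hours >= 0.8 * span_hours and peak < burst_threshold:
        profile = "steady"
    else:
        profile = "sparse"
    return {
        "profile": profile,
        "peak": peak,
        "active_hours": active_hours,
        "spike_ratio": spike_ratio,
    }


def scan(log_lines, span_start, span_hours, burst_threshold):
    """Classify every domain seen in the log lines."""
    counts = hourly_counts(log_lines)
    return {
        domain: classify_domain(buckets, span_start, span_hours, burst_threshold)
        for domain, buckets in counts.items()
    }


if __name__ == "__main__":
    for domain, result in scan(SAMPLE_LOG, BASE, 24, burst_threshold=50).items():
        print(domain, result)
```

The point of the two labels is the one the researchers make: a burst is easy to see in hindsight but is over before reputation-based defenses catch up, so this kind of check is useful for alerting on the sending domain and retroactively hunting for messages that referenced it, not for blocking in real time. A "steady" label on its own says nothing about maliciousness, since a legitimate domain produces the same flat profile; it only shows why snowshoe volume is hard to separate from normal traffic.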
“It is difficult to say precisely why spammers have evolved to using more hailstorm spam campaigns,” Schultz said. “It could be that anti-spam systems have improved to the point that spammers are finding it increasingly difficult to evade them, except by extreme means such as hailstorm.”
Researchers say that in its most recent incarnation hailstorm has matured, and attacks now use a wider range of IP addresses located in the US, Germany, the Netherlands, Great Britain and Russia.
More damaging, said Schultz, are hailstorm’s payloads. “The Necurs spam botnet uses hailstorm techniques to propagate both Dridex banking malware and Locky ransomware,” he said. “On some days we have seen spam from Necurs hailstorm campaigns making up almost two-thirds of all spam for the entire day.”
In one example of a phishing message sent via a hailstorm campaign, the spam claimed to be from the United Kingdom’s Companies House and tried to lure the recipient into opening a malicious Word document named “Complaint.doc.” The document contains a macro that, if enabled, would download and execute the Dyre or TrickBot banking Trojans.
“Hailstorm comes in several flavors. We expect to see it evolve over time as anti-spam systems make it harder and harder for spammers to deliver their payload,” researchers wrote.