An attacker is going to a lot of trouble to post spam messages to Craigslist.
Researchers at Solera Networks have come across an attack where malware is using compromised machines to post poorly worded ads for an Android application marketed at parents for the purposes of monitoring the activities of their teens. The software reportedly tracks the device’s location, as well as SMS and phone logs.
Three command and control servers have been discovered and are linked to this attack; while two of them are privately registered, a third is registered to a U.S.-based individual with the same name, city and state as the person on the manifest for the StealthNanny app in question, said Andrew Brandt, director of threat research.
While the attack isn’t especially malicious and likely to be flagged as a potentially unwanted application by most antivirus products, it does go to great lengths to bypass Craigslist’s spam prevention mechanisms. For example, before an ad goes live on Craigslist, the submitter must click on a link in a separate validation email sent from Craigslist. The malware retrieves that email from Craigslist from a domain called myemail3[.]info that hosts the three C&C servers. Brandt said the full text is delivered, including headers and the message.
“The bot goes through the log, parses out the validation links from Craigslist and clicks them,” Brandt said. “That makes it live and bypasses their spam filtering.”
Compromised machines, meanwhile, are able to make only one post per day, or in some cases, only one post per infected machine. Brandt said the attacks have been going on for a few weeks and the posts do get flagged as spam fairly quickly. Posts are made to random categories on Craigslist, some that make sense such as baby and kid stuff, and others that don’t in categories such as tickets for sale.
Brandt said he is unaware of how the initial infection happens; he first saw the attack on the Emerging Threats list. Researchers there shared a Snort signature for this attack and a link to download the malware being used. Brandt said he did so on a number of virtual machines and each time the malware connects to a command and control server which returns data that includes an Outlook.com email address and password, and the body of the Craigslist post. It also does an SSL connection to Craigslist and uses its internal systems to figure out the best local Craigslist where to post, Brandt said.
Brandt added that the initial infection vector is still unknown, but there is a link that’s is being promoted that encourages the victim to visit a site to look at images. The images on the attack site are broken and the user sees a pop-up informing them of a missing plug-in called Adobe Photo Loader, which does not exist. When the user clicks on the installation link, the malicious executable is pushed to their machine.
“I haven’t seen the front end of this attack, I don’t know how people get there,” Brandt said. “But it is checking its email inbox with dozens of messages in there, so the guy is getting infections.”
He’s also dropping two other pieces of malware, one an ad clicker that’s likely part of a click-fraud campaign, and another that is just checking in repeatedly with a command and control server.
Brandt said he has tried to reach out to Craigslist to no avail; an email from Threatpost was not answered in time for publication either. In the meantime he said he is compiling a list of Outlook addresses from the bot and plans to share those with Microsoft.
“This is not a massive attack, but it’s interesting to me to see the lengths people will go through to bypass spam filtering on a service,” Brandt said. “It seems like it’s becoming more common for malware that’s purpose-built to become commonly available to use.”
