The campaign was spotted earlier this year, but Brad Duncan, a handler for the site and researcher with Rackspace’s information security operations center, claims he’s received a handful of notifications from other users who have seen the same emails, which prompted him to look into it again.
Once victims receive the spam emails, open the attachments, and run the .js files, they open themselves up to a slew of different types of malware, including Corebot, Kovter, and Miuref, according to a report Duncan published on SANS’ InfoSec Handlers Diary Blog.
Duncan first published something on the spam in July and despite there not being a huge shift in the campaign since, he decided to post an update Wednesday to stress how often the ISC has come across it.
“We’re still seeing it on a daily basis,” Duncan said of the emails when reached by Threatpost, “That means it’s a useful endeavor for the criminals behind this campaign. The same goes for any of the phishing campaigns we find from our spam filters on a near daily basis.”
Duncan claims the spam, which comes disguised as plaintext emails from American Airlines, FedEx, the IRS, and other phony sources, is being propagated via a botnet.
Duncan writes that the emails wouldn’t make it past most users’ spam filters but notes that hasn’t seemed to stop attackers from carrying out the campaign.
“Either a significant percentage of people will infect themselves given the chance, or enough vulnerable hosts exist that establishing or renting this type of botnet is dirt-cheap. Or both,” Duncan said.
Paul Burbage, a researcher with Phish.Me, took a deeper look at a botnet purportedly behind some of the malicious spam late last week. Burbage, who was able to retrieve the PHP server-side code from a script associated with one of the spam emails, believes the attackers behind the campaign are using an affiliate model to distribute malware via botnet, or exploit kit operators.