Over the past few days the Cutwail botnet has been sending out malicious spam campaigns with a variety of themes such as airline ticket orders, Automated Clearing House (ACH), Facebook notification, and scanned document. These campaigns do not have malware attachments, instead the payload is delivered via links to malicious code hosted on the web.
The subject lines used in the Facebook spam campaign are similar to those in the image below. Notice that they use varying letter case and random Facebook profile names.
The message body may look like a legitimate Facebook notification. However, further inspection reveals the underlying link redirecting to a malicious webpage.
Another campaign spammed out by Cutwail claims to be a flight ticket order. The spam can be easily spotted by its subject lines. It looks seemingly like a “forwarded” or “reply” email and uses the subject format shown in the image below.
Here is an example of the message:
There are two things you should notice about this particular spam campaign. Firstly, the visible URL shown does not conform to the URI naming scheme of not having a top level domain, a clumsy mistake from the spammers. Other similar messages use “www.airlines.com” which is a parked domain. Secondly, “Airlines America” in the signature block is not a real airline company unless the spammers meant to imply American Airlines.
Two other spam campaigns resurfaced this week, namely the “Automated Clearing House (ACH)” and the “scanned document”.
The URL link in these campaigns points to a compromised web server that serves a small HTML file. The HTML file then contains a malicious iframe that opens up a Blackhole exploit kit landing page. This is the same exploit kit used in previous spam campaigns such as the Steve Jobs is Alive and fake LinkedIn notifications.
If you are a system administrator, you may want to block the following exploit kit landing pages.
- crredret[dot]ru/main.php
- www[dot]btredret[dot]ru/main.php
- bqredret[dot]ru/main.php
At the time of analysis, loading the exploit kit webpage downloaded SpyEye and the Bobax spambot on to our vulnerable hosts.
Leave a reply
