In March of this year, reports of malspam campaigns utilizing an email attached “.doc.js” files, which tied back to the Kovter and Boaxxe clickfraud trojans. The analysis of these malware families have already been well documented here and here. Therefore, this post will concentrate on the botnet behind the malspam delivery and subsequent download for these recent malspam campaigns. It is believed that the miscreants behind the development of these trojans use an affiliate model to have their malicious wares infect victims via botnet or exploit kit operators.
You may have seen email with subject lines containing verbiage on FedEx deliveries, court notices, or even toll road charges:
By examining the email headers, we can see that these initial lures are being sent from a webserver utilizing a PHP script, revealed by the “X-PHP-Script” tag:
PhishMe researchers were able to retrieve the PHP server-side code behind this script, pictured below (Figure 3). The script works by accepting the POST variable of code that is base64 decoded, and then evaluates for code execution. The lack of input validation for this code block makes it susceptible to remote code execution vulnerabilities.
During our four-day observation of this on-going malspam campaign, we have seen 20,000 email messages sent from this single website alone. The source IP addresses that are using this PHP script to send the malspam are:
18.104.22.168 (XenEurope VPS, Netherlands)
22.214.171.124 (bsnews.it, Italy)
126.96.36.199 (Verygames.net, France)
var b = “les-eglantiers.fr ckindustry.com sdcpower.com”.split(” “);
Over the past week, PhishMe has observed the following IP addresses and domains serving as the initial download document.php sites for these malware campaigns:
The document.php server-side code (Figure 4) first ensures the request is coming from a Windows OS or otherwise exits. There is also a campaign tracking function that records the victim’s external IP address and browser information to the file document.txt located in the same directory on the webserver. The rnd GET parameter’s value will always contain a 1, 2, or 3 in the last digit that denotes the binary file being requested on the webserver (i.e. 1.bin, 2.bin, and 3.bin respectively). Finally, in the last decision code block, the malware is served to the client as a randomly named GIF file. These executables can also be directly accessed from the webserver, thereby bypassing any download restrictions imposed by the document.php file.
Another post.php script was spotted in the same directory on these compromised webservers hosting the document.php files. The code is very similar to the post.php mailer file mentioned above; however, this script requires the POST variable of pass that acts as authentication and whose value is unique on each website:
PhishMe observed code remotely being executed using this post.php script that contained the following characteristics:
- Performs MD5 checksums on the webserver *.bin
- Retrieves the records of the txt campaign tracking information then erases it.
- Replaces the malware installer *.bin files with freshly packed executables every ten minutes in an effort to evade checksum or AV signatures.
- The same IP addresses mentioned above sending the malspam were also the source of this traffic.
PhishMe was able to retrieve the access logs going back one month for one of the document.php malware download sites and mapped the potential target list based on the geolocation of ~2500 unique IP addresses, pictured below. It would seem that the United States is being targeted more than any one country:
All of the websites hosting the post.php and document.php files have been compromised for over a year. There does not seem to be a common CMS platform or PHP framework installed that may have been used as the initial exploitation vector. The IP addresses controlling the mailer and initial download sites mentioned above belong to a VPS provider or a shared-hosting network. This finding may indicate a Tier 2 hierarchy style of botnet consisting of additional, compromised servers. The frequency at which these malware lures are being spammed out and the constant re-packing of executables present a great challenge for the Antivirus industry’s attempt in protecting their user base from this attack. Luckily, PhishMe’s Triage customers are protected by this threat via Yara rule PM_Zip_with_js and PM_Email_Sent_By_PHP_Script, which can be downloaded here.