Short, sharp spam attacks aiming to spread Dyre financial malware 

Jan 28, 2015 01:55 PM

Contributor: Joseph Graziano

Since early January 2015, Symantec has been seeing multiple instances of short-duration, high-volume spam attacks targeting millions of users at a time. While each attack lasts only a few minutes, the vast number of emails sent during each burst is notable.

These attacks are related to the growth in link spam that we blogged about in December 2014, which saw attackers change their tactics and move towards sending users malicious links instead of malicious attachments. Similar to the previous spam campaigns, these recent bursts of malicious emails are also linked to the Cutwail botnet (Trojan.Pandex) and contain malicious URLs that lead to Downloader.Upatre, which in turn leads to the financial Trojan Infostealer.Dyranges (Dyre) being downloaded to the computer. However, in some cases, instead of being sent to a site serving malware, users were sent to a phishing page. Ultimately, it seems the attackers’ goal is to steal information from victims’ computers: Infostealer.Dyranges is known to steal financial information, and the phishing sites used in the attack campaign masquerade as login pages for financial institutions.

Email characteristics
Typical spam emails associated with these attacks use commonly seen techniques, such as appearing to come from a spoofed company or institution, or from an “Administrator”. The subject lines will often grab the user’s attention with something like “Important information about your account”, and the body of the email will contain text related to that subject.

Figure 1. Spam email example

The aim of the email, however, is to get the recipient to click on the included URL, which will either lead to malware or a phishing page.

The attacks all use the same URL structure, built on a compromised legitimate domain.

Malicious URL examples:

  • http://[COMPROMISED DOMAIN].com/…/settings.html
  • http://[COMPROMISED DOMAIN].com/…/get_doc.html
  • http://[COMPROMISED DOMAIN].com/…/cservices.html

After the click
Once a user has clicked on the URL included in the spam email, they are sent to a landing page that references an external JavaScript (JS) file (multiple copies hosted on different compromised servers are referenced as a redundancy measure: if one of the files is removed or blocked, the other copies help to ensure the attack can continue).

Figure 2. Landing page referencing several external JS files

The referenced URLs look like they point to legitimate JQuery files. JQuery is a popular JavaScript library used for implementing web UI features and is often self-hosted by websites. URLs pointing to JQuery files are not uncommon in HTML code so the script tags used here would not look out of place at first glance. From our observations, these URLs that are apparently pointing to static JS files do not actually return static content. Each request to the same URL can return different content, which is typically highly obfuscated JS code. Because of this, it’s safe to say that there is likely a dynamic web service such as a PHP script responding to these requests.
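The two indicators described above (several jQuery-named scripts pulled from distinct external hosts, and a static-looking URL whose content changes between fetches) can be checked mechanically. The following is an added example written for this page, not code from Symantec or from the campaign; the HTML sample and hostnames in it are constructed placeholders, and the `min_hosts` threshold is an assumed tuning value.

```python
"""Heuristic checks for the landing-page pattern described in the post.
Added example (not the post's own code); all sample data is constructed."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a minimal landing page with several look-alike jQuery
# script tags, each hosted on a different placeholder domain.
SAMPLE_PAGE = """<html><head><title>Document</title>
<script src="http://compromised-one.example/js/jquery-1.11.1.min.js"></script>
<script src="http://compromised-two.example/assets/jquery.min.js"></script>
<script src="http://compromised-three.example/lib/jquery-1.10.2.js"></script>
</head><body><p>Loading your document...</p></body></html>"""

# Constructed benign comparison: one local copy plus one well-known CDN.
BENIGN_PAGE = """<html><head>
<script src="/js/jquery.min.js"></script>
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
</head><body></body></html>"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def external_script_hosts(html, page_url):
    """Map each off-site host to the script URLs it serves for this page.
    Relative and same-host scripts are ignored."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    hosts = {}
    for src in parser.srcs:
        host = urlparse(src).hostname
        if host and host != page_host:
            hosts.setdefault(host, []).append(src)
    return hosts


def looks_like_jquery(src):
    """True when the URL path names a jQuery file (jquery.min.js, jquery-1.x.js...)."""
    return "jquery" in urlparse(src).path.lower()


def assess_landing_page(html, page_url, min_hosts=2):
    """Flag a page that loads jQuery-named scripts from several distinct
    external hosts, the redundancy pattern seen in these landing pages.
    min_hosts is an assumed threshold: one external CDN copy is normal."""
    hosts = external_script_hosts(html, page_url)
    jquery_hosts = {h for h, srcs in hosts.items()
                    if any(looks_like_jquery(s) for s in srcs)}
    return {
        "external_hosts": sorted(hosts),
        "jquery_lookalike_hosts": sorted(jquery_hosts),
        "suspicious": len(jquery_hosts) >= min_hosts,
    }


def static_url_serves_varying_content(bodies):
    """Given the bodies returned by repeated fetches of one URL, report whether
    they differ. A genuinely static .js file hashes identically every time."""
    digests = {hashlib.sha256(b.encode()).hexdigest() for b in bodies}
    return len(digests) > 1


if __name__ == "__main__":
    print(assess_landing_page(SAMPLE_PAGE, "http://landing-host.example/settings.html"))
    print(assess_landing_page(BENIGN_PAGE, "http://shop.example/"))
    print(static_url_serves_varying_content(["var a=1;", "var b=2;"]))
```

The host-count check is deliberately conservative: a single external jQuery reference is ordinary, so only a page fanning out to two or more distinct hosts for the same library is flagged, and the result is an input for triage rather than a verdict on its own.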

Oddly, the returned JS is obfuscated using JJEncode, an obfuscation method that even its creator advises against using due to the fact that it is inefficient, can be easily detected, and only works in certain browsers.

Figure 3. JavaScript obfuscated using JJEncode

Even after the JJEncode obfuscation is removed, the code still uses randomly-generated variable and function names, for example IGwuqKiID3rPJb.
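Because JJEncode output always opens with the same preamble (a single global variable set to `~[]` and then to an object whose members such as `___` and `$$$$` build the digit table), the "easily detected" property the post mentions can be turned into a signature. The following is an added example written for this page, not code from Symantec; the encoded samples are constructed from the public encoder's fixed preamble, and the symbol-ratio metric is an assumed, supplementary heuristic.

```python
"""Signature check for JJEncode-obfuscated JavaScript.
Added example (not the post's own code); all samples are constructed."""
import re

# JJEncode output starts with a fixed preamble built from one global variable:
#   NAME=~[];NAME={___:++NAME,$$$$:(![]+"")[NAME],__$:++NAME,...};
# The regex captures NAME and requires the first two object members, a
# sequence that ordinary hand-written or minified code does not produce.
_JJ_PREAMBLE = re.compile(
    r'([A-Za-z_$][\w$]*)\s*=\s*~\[\]\s*;'       # NAME=~[];   (NAME starts as -1)
    r'\s*\1\s*=\s*\{\s*___\s*:\s*\+\+\1\s*,'    # NAME={___:++NAME,
    r'\s*\$\$\$\$\s*:\s*\(!\[\]\+""\)\[\1\]'    # $$$$:(![]+"")[NAME]
)

# Constructed samples: the preamble with the encoder's default "$" global,
# the same preamble with a custom global name, and a benign snippet.
SAMPLE_DEFAULT = ('$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],'
                  '_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,'
                  '$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,'
                  '$$$:++$,$___:++$,$__$:++$};')
SAMPLE_CUSTOM = ('zz=~[];zz={___:++zz,$$$$:(![]+"")[zz],__$:++zz,'
                 '$_$_:(![]+"")[zz],_$_:++zz};')
SAMPLE_BENIGN = ('var total = items.length; '
                 'for (var i = 0; i < total; i++) { sum += items[i]; }')


def symbol_ratio(script):
    """Fraction of non-whitespace characters that are not letters or digits.
    JJEncode output is made almost entirely of $ _ [ ] ( ) ! + " characters,
    so the ratio sits near 1.0, while normal code stays well below 0.5."""
    chars = [c for c in script if not c.isspace()]
    if not chars:
        return 0.0
    return sum(1 for c in chars if not c.isalnum()) / len(chars)


def detect_jjencode(script):
    """Return the signature match plus the global variable name it captured;
    the name is useful for triage because JJEncode lets the author choose it."""
    m = _JJ_PREAMBLE.search(script)
    return {
        "jjencode": m is not None,
        "global_var": m.group(1) if m else None,
        "symbol_ratio": round(symbol_ratio(script), 2),
    }


if __name__ == "__main__":
    for label, sample in (("default", SAMPLE_DEFAULT),
                          ("custom", SAMPLE_CUSTOM),
                          ("benign", SAMPLE_BENIGN)):
        print(label, detect_jjencode(sample))
```

The preamble regex is the reliable part; the symbol ratio is only a coarse supporting signal, and it says nothing about the randomly named identifiers that remain after decoding, which need a human or a sandbox to assess.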

Figure 4. Deobfuscated code with randomly-generated variable and function names

The JS code inserts another script tag to the HTML landing page, referencing the same external JS URL as before, but this time with extra parameters. The server then checks these parameters to ensure that the malware or phishing page is served only to suitable web browsers. If the checks—which look at browser type, operating system, and screen resolution, among other things—pass, a .zip file containing the malware is served. This .zip file contains an executable file which must still be extracted and executed for the computer to be infected. If the checks fail, instead of malware or a phishing page, the web page is updated with garbage text.

Figure 5. Example of garbage text displayed on unsuitable browsers

The executable file in the .zip file is the malware Downloader.Upatre. Once installed on the compromised computer, Upatre downloads the Dyre (Infostealer.Dyranges) financial malware.

Figure 6. How the attack works

Symantec is still observing these high-volume, short-duration link-spam attacks regularly. However, our antispam technologies are successfully blocking these spam emails from reaching our customers. These spam attacks send millions of emails in short bursts in an attempt to catch people off guard. Ultimately, the attackers’ end goal is to steal financial information, either from phishing or the installation of financial malware.

Symantec advises users to be on their guard and to adhere to the following security best practices:

  • Exercise caution when receiving unsolicited, unexpected, or suspicious emails.
  • Avoid clicking on links in unsolicited, unexpected, or suspicious emails.
  • Avoid opening attachments in unsolicited, unexpected, or suspicious emails.
  • Keep security software up-to-date.

Symantec and Norton protection

Intrusion Prevention System:

Symantec.cloud customers are protected by Skeptic and antispam heuristics. Symantec Messaging Gateway and Symantec Messaging Gateway for Service Providers customers are also protected.

For further monthly statistics on the threat landscape, you can also check out our Symantec Intelligence Report.
