In a recent analysis of Waledac (W32.Waledac) activity, Symantec observed a pump and dump stock spam campaign that potentially led to a 100 percent gain in the targeted stock price. The targeted stock in this case was Indie Growers Association (stock symbol: UPOT), a company linked to the cultivation of marijuana, which was carefully chosen for its history of skyrocketing stock prices.
Waledac (also known as Kelihos) was first seen in 2008 and is a botnet that seems to have nine lives, having already survived several takedown efforts. Over the years, Waledac’s functionality has seen it download and run executables, act as a network proxy, collect credentials from compromised computers, and perform denial of service (DoS) attacks. Although such a wide range of functionalities has been associated with Waledac, the main role of the botnet remains related to its spamming activities.
Between October 22 and November 18, 2015, Symantec observed, in a controlled environment, the Waledac botnet attempting to send out 35,361 spam emails from a single bot. Analysis of the spam emails showed a total of 141 unique email subjects being used. Further analysis showed the emails being related to stock pump and dump, click fraud, scams (e.g. lonely hearts), phishing, and money mule recruitment.
Figure 1. Number of unique email subjects used by Waledac and grouped by theme
We found that the majority of the email subject lines were related to stock pump and dump activity. Similarly, when counting the number of emails sent by subject type, we found that the majority of emails were related to stock pump and dump spam.
Figure 2. Number of spam emails sent by Waledac
More recent analysis of spam originating from the Waledac botnet has shown that at this time it is spamming out pharmacy-related spam.
Pump and dump spam campaign
Pump and dump scams involve the artificial inflation of a stock price through the promotion of false and misleading positive statements relating to the stock. Perpetrators of such scams buy shares in the promoted stock cheaply (usually penny stocks) with the aim of selling the stocks at a higher price, thus making a tidy profit. This type of practice is not new and is viewed as fraud.
In the case of the Waledac pump and dump stock spam, starting on November 7, 2015, we observed daily spam runs promoting the UPOT stock over an 11-day period.
Figure 3. Examples of spam emails observed
On November 7, the UPOT stock price was trading at US$0.08. Historically, the UPOT stock has traded at higher prices; within the last year it traded at $0.59.
Figure 4. UPOT share price over one year (Source: Google Finance - Yahoo Finance - MSN Money)
Just prior to the start of the spam campaign, trading of UPOT stocks had plateaued. Two days after the spam campaign started, StockMarketMonitors.com published the following post:
UPOT, Indie Growers Association, displayed unusual trading activity shuffling nearly 300,000 shares in today’s session up nearly 100% intra-day slapping .12 cents, up from its prior close of just around .06 cents.
By the end of the daily spam runs on November 18, the UPOT stock price had risen from $0.08 to $0.16 before following the classic pump and dump pattern of dropping off in price once again.
Figure 5. UPOT share price over three months (Source: Google Finance - Yahoo Finance - MSN Money)
While it’s difficult to put a figure on the profit that the perpetrator of this pump and dump scam may have made, given the volume of shares traded around this time we would estimate it to be potentially in the tens of thousands of dollars. This figure may be just enough to stay under the radar of the US Securities and Exchange Commission (SEC).
A persistent threat
The Waledac botnet continues to be one of the most prevalent spam botnets on the threat landscape, pushing a variety of scams. Its continued existence and resiliency against takedown efforts over time show that Waledac is not likely to disappear from the threat landscape anytime soon. This blog has shown that pump and dump stock spam continues to be an effective means of fraud. Symantec's analysis of the Waledac botnet spam is only a snapshot in time, and it is likely that other pump and dump stock spam fraud is being delivered through the Waledac botnet.
Customers of Symantec’s Cloud email security service are protected against these spam messages. Symantec and Norton products detect Waledac samples through the following detections:
Intrusion prevention system