
Market research group

Public · 8 members
Elisha Osipov

Spam Bot.exe !!HOT!!

Although trojans typically target individuals to steal bank account credentials, the TrickBot trojan was being used to deliver secondary malware in a similar way to what is detailed in this research. The difference from the campaign mentioned in this research is that while this campaign uses TrickBot to steal sensitive information, it also deploys Ryuk to hold victims' data for ransom. Criminals targeting large enterprises used spam emails to deliver the Emotet trojan in order to distribute the TrickBot malware. Once a machine is infected with TrickBot, it begins to steal sensitive information and the criminal group tries to determine whether the company is an industry target. If so, they deliver the Ryuk ransomware.

Spam Bot.exe

Recently, several malware families have been spotted using OneNote attachments in their spam campaigns. OneNote is a powerful digital notebook tool offered by Microsoft. It provides users with a centralized location to store their thoughts, ideas, and notes in an organized manner.

In December, Trustwave discovered that Formbook malware was being delivered through spam emails containing OneNote attachments. Since then, various malware families, including Redline Stealer and AsyncRAT, have started incorporating OneNote attachments in their spam campaigns. Cyble Research Intelligence Labs (CRIL) has also noticed that the Qakbot malware uses OneNote attachments in its campaigns.

The initial infection starts with a spam email containing a OneNote attachment. When the user opens the attachment, it drops an embedded .hta file that is executed by mshta.exe. This results in downloading a Qakbot DLL file, which is then executed by rundll32.exe. The figure below shows the Qakbot delivery mechanism.

Qakbot is a prevalent and constantly evolving malware that can have serious consequences for its victims, such as financial fraud, identity theft, etc. In this case, the Qakbot malware spreads via spam emails containing OneNote attachments. Cyble Research Labs is monitoring the activity of Qakbot and will continue to inform our readers about any updates promptly.

In May 2019, ESET researchers observed a spike in ESET telemetry data regarding malware targeting France. After further investigation, we identified malware that distributes various types of spam. One of them leads to a survey that redirects to a dodgy smartphone promotion, while the other is a sextortion campaign. The spam targets the users of Orange S.A., a French ISP. We notified them before the release of this publication.

We believe the spambot is under heavy development, and it has changed a lot since the first time we saw it. A mention of this threat was posted on Twitter by AnyRun; however, to the best of our knowledge no one has published a detailed analysis of it. We named this new malware Varenyky, and on July 22nd, ESET researchers saw it launch its first sextortion scam campaign.

The operators of a TrickBot spam campaign have found a new way to spread their digital infection: by using fears of a biological one. Spam targeting Italian e-mail addresses is playing on fears over the coronavirus outbreak in that country.

Note that the message "Access Denied\r\nSorry, your IP has been identified as belonging to a spam bot or another annoying crawler" is a reply from your webserver when the Let's Encrypt validation server requested the token.

Recently, a new threat, referred to as "SQUIRRELWAFFLE", is being spread more widely via spam campaigns, infecting systems with a new malware loader. This is a malware family that has been spread with increasing regularity and could become the next big player in the spam space.

The email threat landscape is constantly changing as new threats emerge or existing threats evolve over time. Over the past few years, Emotet has been one of the primary threats delivered via malicious spam campaigns, as we have previously described in detail several times. Following the law enforcement disruption of the Emotet botnets, we have been waiting for another threat to fill the void left by Emotet's exit.