While analyzing the activity of the Waledac (W32.Waledac) botnet, researchers at Symantec have observed that it was recently used in a “pump and dump” stock spam campaign, potentially earning cybercriminals tens of thousands of dollars.
The botnet, which is also known as Kelihos or Hlux, has been around since 2008 and has survived several takedown attempts. After Microsoft announced in September 2011 that it had successfully taken down the botnet, estimated at the time to have around 41,000 bots, Dell SecureWorks took a closer look and revealed in April 2012 that the botnet had already resumed activity.
Waledac has been used for a variety of purposes, such as downloading and running malicious executable files, denial of service (DoS) attacks, network proxy activities, collection of credentials from compromised computers, and more. However, the main role of the botnet has always been spam, something that does not appear to have changed over time.
Symantec’s researchers note in a blog post that the newly observed pump and dump stock spam campaign involving Waledac might have led to a 100 percent gain in the targeted stock price. The researchers also found that the targeted stock was Indie Growers Association (stock symbol: UPOT), a very small company linked to the cultivation of marijuana.
The company was supposedly chosen for this campaign for its historical skyrocketing stock price, and Symantec observed that cybercriminals behind the Waledac botnet worked on pumping the stock price for about two weeks, starting Nov. 7, 2015. Daily spam runs promoting the UPOT stock were observed over an 11-day period, until Nov. 18, 2015, the researchers say.
The Waledac botnet, observed in a controlled environment, attempted to send over 35,000 spam emails from a single bot between October 22 and November 18, 2015. Symantec observed a total of 141 unique email subjects and concluded that the emails were related to stock pump and dump, click fraud, scams, phishing, and money mule recruitment.
However, most of the email subject lines were related to stock pump and dump activity, and the analysis of the number of emails also revealed that the majority of emails were related to this activity too. What cybercriminals were trying to do is to artificially inflate the stock price through promoting false and misleading positive statements related to the stock.
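The kind of triage described above, grouping captured spam subjects by category and spotting the one ticker a pump and dump run is pushing, is easy to automate. The following is an added example written for this article, not Symantec's own tooling: the subject lines are constructed stand-ins (not the 141 subjects Symantec observed), and the keyword lists, category names and the three-mention threshold are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Constructed sample subject lines for illustration only. They are not the
# subjects Symantec captured; each is a plausible stand-in for one category.
SAMPLE_SUBJECTS = [
    "UPOT is about to explode - buy now before it doubles",
    "Marijuana stock UPOT ready to soar 200%",
    "Your account has been suspended - verify your Apple ID",
    "Earn $3000 a week working from home as a payment agent",
    "UPOT alert: analysts expect huge gains this week",
    "Congratulations! You have won the lottery",
    "Hot penny stock UPOT: tomorrow could be the big day",
    "Click here to claim your free gift card",
]

# Keyword patterns per category (assumed lists, tune against real traffic).
# Order matters: first match wins, so the narrower phishing and money mule
# patterns are checked before the generic stock promotion vocabulary.
CATEGORY_PATTERNS = [
    ("phishing", re.compile(r"\b(verify|suspended|account|password|log ?in)\b", re.I)),
    ("money_mule", re.compile(r"\b(payment agent|work(ing)? from home|transfer agent)\b", re.I)),
    ("pump_and_dump", re.compile(r"\b(stocks?|shares|penny|soar|explode|gains?|doubles?|rocket|buy now)\b", re.I)),
    ("scam", re.compile(r"\b(lottery|won|congratulations|inheritance)\b", re.I)),
    ("click_fraud", re.compile(r"\b(click here|free gift|claim your)\b", re.I)),
]

# Candidate ticker symbols: 3 to 5 capital letters, minus common shouted words
# that spammers capitalise but that are not tickers.
TICKER_RE = re.compile(r"\b[A-Z]{3,5}\b")
NOT_TICKERS = {"FREE", "NOW", "NEW", "USA", "URGENT", "ALERT"}


def classify_subject(subject):
    """Return the first category whose pattern matches, or 'other'."""
    for name, pattern in CATEGORY_PATTERNS:
        if pattern.search(subject):
            return name
    return "other"


def extract_tickers(subject):
    """Return the ticker-looking tokens in a subject line."""
    return [t for t in TICKER_RE.findall(subject) if t not in NOT_TICKERS]


def summarize(subjects):
    """Count subjects per category and ticker mentions in pump and dump subjects."""
    categories = Counter(classify_subject(s) for s in subjects)
    tickers = Counter()
    for s in subjects:
        if classify_subject(s) == "pump_and_dump":
            tickers.update(extract_tickers(s))
    return categories, tickers


def campaign_tickers(subjects, min_mentions=3):
    """Tickers pushed by at least min_mentions pump and dump subjects.

    A single symbol recurring across many subjects is the signature of a
    coordinated run rather than a one-off promotion.
    """
    _, tickers = summarize(subjects)
    return [t for t, n in tickers.most_common() if n >= min_mentions]


if __name__ == "__main__":
    cats, ticks = summarize(SAMPLE_SUBJECTS)
    for name, count in cats.most_common():
        print(f"{name:15s} {count}")
    print("tickers in pump subjects:", dict(ticks))
    print("likely campaign tickers:", campaign_tickers(SAMPLE_SUBJECTS))
```

On the constructed sample the pump and dump category dominates and UPOT is the only symbol that recurs, which is the same shape Symantec described for the real run. On live mail the keyword lists need tuning, and the ticker heuristic should be cross-checked against an actual symbol list, since capitalised acronyms in legitimate mail will otherwise show up as false positives.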
The security firm explains that perpetrators involved in such scams usually buy a set of shares from the targeted company at a cheap price, and then start promoting them to inflate the price and sell them higher. This type of practice has been used before and is viewed as fraud.
The Waledac pump and dump stock spam campaign ran over an 11-day period starting on Nov. 7, when the UPOT stock was trading at just $0.08 per share. Two days later, UPOT was found to be displaying unusual trading activity, with nearly 300,000 shares changing hands in a single day’s session and the price reaching $0.12, up from its prior close of around $0.06.
Symantec explains that the UPOT stock price rose from $0.08 to $0.16 by the end of the daily spam runs on November 18, after which the price dropped off again, the usual pattern once a pump and dump run ends. The security company estimates that the perpetrators behind the campaign may have made tens of thousands of dollars, a figure small enough to have kept the operation under the radar of the US Securities and Exchange Commission (SEC).
The newly observed Waledac activity reveals that the botnet continues to be one of the most prevalent spam botnets on the threat landscape and that it is being used for a variety of scams. Despite multiple takedown efforts, it continued its existence and is unlikely to disappear from the threat landscape in the near future.
Furthermore, Symantec notes that pump and dump stock spam remains an effective means of fraud. According to the researchers, their analysis of the Waledac spam is only one example of such activity, and other pump and dump stock spam could be delivered through Waledac as well.
After Microsoft’s takedown effort in September 2011 (Kaspersky Lab, SurfNet and Kyrus Tech also contributed), security firms rallied to attempt another attack against Waledac/Kelihos in March 2012, an operation that involved Kaspersky Lab, CrowdStrike, Dell SecureWorks, and members of the Honeynet Project.
However, tens of thousands of devices were revealed to be active in the botnet even after the second takedown. In August 2014, security firm BitDefender warned of attacks targeting Russian victims aimed at infecting devices with the Kelihos malware, and Symantec revealed just weeks later that the botnet was being used in a phishing campaign targeting Apple IDs, which might have led to the accounts of a number of celebrities being compromised.