‘Chameleon’ Spam Campaign Employs Randomized Email Headers

A large number of spam messages recently sent from the same botnet were observed featuring randomized headers and even different templates, with some emails resembling phishing, Trustwave reports.

Emails sent as part of this campaign, which Trustwave security researchers refer to as Chameleon, originated from all around the world (a list of source IP addresses has been posted online).

Initially, the messages claimed to arrive from an ex-colleague and appeared to link to a “job posting” or “job offer.” New spam waves, however, included systematically different messages.

The spam messages had similar unique email header and body characteristics, suggesting that they came from the same botnet.

Despite originating from geographically distributed sources, the messages used similar unique SMTP transaction commands on connection and had a short and meaningful email subject, as well as a brief email body, although it sounded important enough to hopefully convince the victim to click on the link.

The email header in these messages had unique features too, such as the fact that fields like From, To, Message-ID, Content-Transfer-Encoding and Content-Type appeared in random order in subsequent messages, Trustwave notes.

Moreover, headers containing random text were inserted at different positions within the email header and the email body had random HTML elements at various positions, tactics meant to help evade detection from rule-based systems.

The security researchers also discovered that many of the lure URLs used in this spam campaign were linking to compromised WordPress sites, which the attackers likely used as part of their infrastructure.

The botnet’s activity involved regular bursts followed by long periods of inactivity. This suggests that the spambot was specifically designed to periodically change templates and continue activity with a different variation in an effort to evade detection.

“At this stage, we have not pinpointed the spamming malware behind these campaigns,” Trustwave says.

Some of the spam variants employed by the botnet include Google personal or private messages, email account security alerts, broken or undelivered email messages from a mail server, LinkedIn message and profile view notifications, FedEx delivery notifications, and airline booking invoices.

URLs embedded in the spam messages pointed to pages hosting the same JavaScript content, which then redirected users to other destinations, before getting them to the final landing page “greatexpert.su,” which hosts a shady “Canadian Pharmacy” site.

The site, which had an active e-commerce cart system to make purchases and receive payment and shipping information from customers, was recently created and registered to a free Gmail email address.

Some of the spam links were observed leading to fake Bitcoin purchase sites.

“This sophisticated and transient infrastructure powered by a powerful versatile and distributed spamming botnet enables the scammer to launch any campaign with minimum effort. As of now the nature of the spam is centered around pill spam and fake Bitcoin spam, however, this could potentially shift to serve phishing or even malware,” Trustwave concludes.

Related: New Spam Botnet Likely Infected 400,000 Devices

Related: The Expected Spike in Post-GDPR Spam Activity Hasn’t Happened