
Stealthy StealRat Botnet Conceals Operations Behind Multiple Layers

Researchers at Trend Micro have uncovered a spam botnet using subtle tricks to increase resiliency while staying under the radar of spam fighters.

The botnet, which Trend Micro dubbed StealRat, uses a mix of compromised websites and machines as part of its operation. 

“In this setup, the actual spam server is hiding behind three layers of unsuspecting victims: two compromised websites and an infected machine,” blogged Jessa De La Torre, threat response engineer at Trend Micro. “The infected machine acts as a liaison between the spam server and the compromised website. As there is no interaction between the spam and server, it will appear the email has originated from the infected machine. The spam mail itself does not spread the malware, so there is no visible link between the two as well. In essence, they have separated the core functions and minimized interactions among them to cut off any threads that could link them to each other.”

A compromised website has the payload link and a spamming script, De La Torre explained. Typically, the payload is porn or an online pharmacy webpage. The spamming script is coded in PHP and waits for data from an infected machine, which connects to the malicious spam server to collect the spam data. The spam data includes the sender name, recipient address, backup mail server and email template.

“Another interesting behavior is that it uses the compromised website’s domain as its email service domain,” the researcher noted. “For instance, if xyz.com is hosting the spamming script, the email will appear to have come from [sender name]@xyz.com.”
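The two paragraphs above describe the website-side component: a PHP script that accepts the recipient, sender name and template from an incoming request and sends mail with the hosting site's own domain as the sender. The following is an added example, not code from the article or from Trend Micro, of how a web host owner could triage a web root for scripts with those traits. The two PHP files it scans are constructed samples, the file names and the regular expressions are assumptions, and the heuristic deliberately leaves an ordinary contact form (fixed recipient) alone while flagging a script whose recipient is request-controlled and whose From address is built from `$_SERVER['HTTP_HOST']`.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample PHP files (not from the article): one ordinary contact form
# and one relay-style script that takes every mail field from the request and
# builds the sender address from whatever domain is hosting it.
CONTACT_FORM = r'''<?php
// Benign: recipient is fixed, only subject/body come from the visitor.
$subject = $_POST['subject'];
$body    = $_POST['message'];
mail("admin@xyz.com", $subject, $body);
?>'''

RELAY_SCRIPT = r'''<?php
// Relay-style: recipient, template and sender name all arrive in the request;
// the From domain is the compromised site's own hostname.
$d = $_POST;
$from = $d['name'] . "@" . $_SERVER['HTTP_HOST'];
mail($d['rcpt'], $d['subj'], base64_decode($d['tpl']), "From: " . $from);
?>'''

# Heuristic patterns (assumptions, tuned to the constructed samples above).
REQUEST_INPUT = re.compile(r"\$_(POST|REQUEST|GET)\b|php://input")
MAIL_CALL = re.compile(r"\bmail\s*\(\s*([^,)]+)")
ASSIGN_FROM_REQUEST = re.compile(r"\$(\w+)\s*=\s*\$_(POST|REQUEST|GET)\b")
HOST_DOMAIN_SENDER = re.compile(r"\$_SERVER\[\s*['\"]HTTP_HOST['\"]\s*\]")


def recipient_is_request_controlled(source: str) -> bool:
    """True when the first argument to mail() is derived from request data."""
    # Variables assigned directly from a request superglobal count as tainted.
    tainted = {m.group(1) for m in ASSIGN_FROM_REQUEST.finditer(source)}
    for m in MAIL_CALL.finditer(source):
        rcpt = m.group(1).strip()
        if rcpt.startswith(('"', "'")):
            continue  # fixed recipient string: typical of a contact form
        if REQUEST_INPUT.search(rcpt):
            return True
        var = re.match(r"\$(\w+)", rcpt)
        if var and var.group(1) in tainted:
            return True
    return False


def scan_php_source(source: str) -> List[str]:
    """Return the relay indicators found in one PHP source text."""
    if not MAIL_CALL.search(source) or not REQUEST_INPUT.search(source):
        return []
    indicators = []
    if recipient_is_request_controlled(source):
        indicators.append("recipient taken from request")
    if HOST_DOMAIN_SENDER.search(source):
        indicators.append("sender built from hosting domain")
    return indicators


def scan_webroot(root: Path) -> List[Dict[str, object]]:
    """Walk a web root and report every .php file carrying relay indicators."""
    hits = []
    for path in sorted(root.rglob("*.php")):
        found = scan_php_source(path.read_text(errors="replace"))
        if found:
            hits.append({"name": path.name, "indicators": found})
    return hits


def demo() -> List[Dict[str, object]]:
    """Build a throwaway web root from the constructed samples and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "contact.php").write_text(CONTACT_FORM)
        (root / "images").mkdir()
        (root / "images" / "cache.php").write_text(RELAY_SCRIPT)
        return scan_webroot(root)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

This is a triage aid, not a signature: a real relay script can obfuscate its calls, so pair the scan with a file-integrity baseline and the modification times of files under the web root, and treat the contact-form exclusion as a starting point rather than a guarantee.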

“In a compromised system (infected machine), the malware component also exhibits some conspicuous traits,” De La Torre continued. “For instance, some variants attempt to cloak its network traffic by modifying the host name to google.com while receiving its instructions from its C&C server [command and control server]. If the C&C is example.com, instead of directly connecting to it, it queries for the domain’s mail server (e.g. mx1.example.com) and connects there instead. The network traffic won’t show an established connection to either example.com or mx1.example.com; the hostname would appear to be google.com instead.”
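The cloaking described in the quote above leaves two observable inconsistencies: an HTTP Host header that does not resolve to the destination IP, and web traffic aimed at a host that only appears in DNS as a mail exchanger. The following is an added example, not code from the article or from Trend Micro, of checking proxy-style flow records against a DNS snapshot for exactly those two conditions. The log lines, the DNS snapshot and the set of MX hostnames are constructed sample data (the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges, not real infrastructure), and the log format is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed DNS snapshot: assumed to be what the resolver returned at log time.
DNS_SNAPSHOT: Dict[str, Set[str]] = {
    "google.com": {"203.0.113.10", "203.0.113.11"},
    "example.com": {"198.51.100.5"},
    "mx1.example.com": {"198.51.100.20"},
}
# Hostnames that appear in the snapshot only as MX targets (constructed).
MX_NAMES: Set[str] = {"mx1.example.com"}

# Constructed proxy/flow records: timestamp src dst:port host-header ('-' = no HTTP Host).
SAMPLE_LOG = """\
2013-07-29T10:00:01 10.0.0.7 203.0.113.10:80 google.com
2013-07-29T10:00:05 10.0.0.7 198.51.100.20:80 google.com
2013-07-29T10:00:09 10.0.0.9 198.51.100.5:80 example.com
2013-07-29T10:00:12 10.0.0.7 198.51.100.20:25 -
"""


@dataclass
class Finding:
    src: str
    dst: str
    port: int
    host_header: str
    reason: str


def reverse_map(snapshot: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Invert name -> IPs into IP -> names so a destination can be labelled."""
    rev: Dict[str, Set[str]] = {}
    for name, ips in snapshot.items():
        for ip in ips:
            rev.setdefault(ip, set()).add(name)
    return rev


def parse_line(line: str):
    ts, src, dst_port, host = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return ts, src, dst, int(port), host


def detect(log_text: str, snapshot: Dict[str, Set[str]], mx_names: Set[str]) -> List[Finding]:
    """Flag HTTP flows whose Host header does not belong to the destination IP."""
    rev = reverse_map(snapshot)
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, port, host = parse_line(line)
        if host == "-":
            continue  # no Host header (e.g. plain SMTP), nothing to compare
        if dst in snapshot.get(host, set()):
            continue  # Host header and destination agree: ordinary traffic
        dst_names = rev.get(dst, set())
        mx_hit = sorted(dst_names & mx_names)
        if mx_hit:
            reason = (f"Host header '{host}' does not resolve to {dst}; destination is a "
                      f"mail exchanger ({', '.join(mx_hit)}) contacted on port {port}")
        else:
            reason = f"Host header '{host}' does not resolve to {dst}"
        findings.append(Finding(src, dst, port, host, reason))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG, DNS_SNAPSHOT, MX_NAMES):
        print(f"{f.src} -> {f.dst}:{f.port} [{f.host_header}] {f.reason}")
```

In production the DNS snapshot would come from passive DNS or the resolver's query log rather than a hard-coded table, and the Host-header mismatch check on its own will produce noise from CDNs and shared hosting; the combination with a mail-exchanger destination on a web port is the narrower, higher-confidence signal.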

During Trend Micro’s investigation, the company identified 85,000 unique IPs/domains that sent out spam emails in one month; found that each IP/domain contains an average of two spamming scripts; found that each infected machine sends at least 8,640 spam data records to compromised websites per day; and determined that the operators are currently rotating around seven million email addresses to send spam to.

“While exploiting vulnerable websites to send out spam has already been exhausted by other botnets, StealRat stood out because it used simple yet subtle methods to improve the botnet’s resiliency,” the researcher blogged. “Its operators set very clear boundaries. They used compromised sites to send out spam. They also made use of compromised machines but only as mediators between the compromised sites and the spam server.”

“This allowed them to cover their tracks, as they left no clear evidence of a connection between the sites and their server. They also used legitimate mail servers and modified hosts to mask their traffic.”

“This operation certainly proves that cybercriminals are always out looking for ways to evade the security defenses,” De La Torre wrote. 
