Numerous spam messages recently sent from the same botnet have been observed featuring randomized headers and even different templates, with some emails resembling phishing, Trustwave reports.
Emails sent as part of this campaign, which Trustwave security researchers refer to as Chameleon, originated from all around the world (a list of source IP addresses has been posted online).
Initially, the messages claimed to come from an ex-colleague and appeared to link to a “job posting” or “job offer.” New spam waves, however, included systematically different messages.
The spam messages shared similar distinctive email header and body characteristics, suggesting that they came from the same botnet.
Despite originating from geographically distributed sources, the messages used similar distinctive SMTP transaction commands on connection and had a short, meaningful email subject as well as a brief email body, which nevertheless sounded important enough to convince the victim to click on the link.
The email header in these messages had distinctive features too, such as the fact that fields like From, To, Message-ID, Content-Transfer-Encoding and Content-Type appeared in random order in subsequent messages, Trustwave notes.
Moreover, headers containing random text were inserted at different positions within the email header, and the email body had random HTML elements at various positions, tactics meant to help evade detection by rule-based systems.
The security researchers also discovered that many of the lure URLs used in this spam campaign linked to compromised WordPress sites, which the attackers likely used as part of their infrastructure.
The botnet’s activity involved regular bursts followed by long periods of inactivity. This suggests that the spambot was specifically designed to periodically change templates and continue activity with a different variation in an attempt to evade detection.
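As an added illustration of why shuffled header order and injected junk headers defeat naive rule matching, the following Python (not from the Trustwave report; the sample messages are constructed and the threshold values are assumptions) extracts order-independent structural traits from raw messages and flags those matching the traits described above.

```python
import email
import re
from email import policy

# Header names treated as "core"; anything else is counted as an injected random-text
# header (simplification: real mail carries many legitimate X- headers as well).
CORE = {"from", "to", "subject", "date", "message-id", "mime-version",
        "content-type", "content-transfer-encoding", "received", "return-path"}

# Constructed sample messages (not from the Trustwave report): two messages with the same
# core headers in different order plus one random header each, and one ordinary mail.
SAMPLES = {
    "chameleon_a": (
        "From: Ann <ann@example.org>\nTo: bob@example.com\nMessage-ID: <a1@example.org>\n"
        "Xk-Tmpf: qzv lorem 3381\nSubject: your job offer\nContent-Transfer-Encoding: 7bit\n"
        "Content-Type: text/html; charset=utf-8\nMIME-Version: 1.0\n\n"
        '<html><body><div>hi, see the posting <a href="http://example.net/x">here</a>'
        "</div><span></span></body></html>\n"),
    "chameleon_b": (
        "Content-Type: text/html; charset=utf-8\nSubject: account alert\nZr-Vbq: 91 ipsum\n"
        "To: carol@example.com\nContent-Transfer-Encoding: 7bit\nMIME-Version: 1.0\n"
        "From: Dan <dan@example.org>\nMessage-ID: <b2@example.org>\n\n"
        '<html><body><p>unusual sign-in, review at <a href="http://example.net/y">link</a>'
        "</p><i></i></body></html>\n"),
    "normal": (
        "From: Eve <eve@example.org>\nTo: frank@example.com\n"
        "Subject: Minutes from Tuesday's project review and next steps\n"
        "Message-ID: <c3@example.org>\nMIME-Version: 1.0\nContent-Type: text/plain\n\n"
        "Hi Frank, minutes are below; please flag anything I missed.\n"),
}

def structural_features(raw):
    """Order-independent traits that survive the botnet's header shuffling."""
    msg = email.message_from_string(raw, policy=policy.default)
    names = [k.lower() for k in msg.keys()]
    part = msg.get_body(preferencelist=("html", "plain"))
    content = part.get_content() if part else ""
    visible = re.sub(r"<[^>]+>", " ", content)  # drop HTML tags, including empty filler ones
    return {
        "core_header_set": tuple(sorted(n for n in names if n in CORE)),
        "unknown_header_count": sum(n not in CORE for n in names),
        "subject_words": len((msg["subject"] or "").split()),
        "body_words": len(visible.split()),
        "link_count": len(re.findall(r'https?://[^\s"<>]+', content)),
    }

def is_chameleon_like(f):
    """Short subject, brief body with a single link, and at least one injected header."""
    return (f["unknown_header_count"] >= 1 and f["subject_words"] <= 6
            and f["body_words"] <= 40 and f["link_count"] == 1)
```

Messages with the same `core_header_set` can be clustered together even though their raw header order differs, which is the trait a position-sensitive rule would miss.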
“At this stage, we have not pinpointed the spamming malware behind these campaigns,” Trustwave says.
Some of the spam variants employed by the botnet include Google personal or private messages, email account security alerts, bounced or undelivered email messages from a mail server, LinkedIn message and profile view notifications, FedEx delivery notifications, and airline booking invoices.
The site, which had an active e-commerce cart system to take purchases and collect payment and shipping information from customers, was recently created and registered to a free Gmail email address.
Some of the spam links were observed leading to fake Bitcoin purchase sites.
“This sophisticated and transient infrastructure, powered by a robust, flexible and distributed spamming botnet, enables the scammer to launch any campaign with minimal effort. As of now the nature of the spam is centered around pill spam and fake Bitcoin spam; however, this could potentially shift to serve phishing or even malware,” Trustwave concludes.
Ionut Arghire is a world correspondent for SecurityWeek.