Cutwail botnet’s various spam campaigns
The bot herders behind Cutwail – one of the oldest botnets still alive and kicking, numbering over 1.5 million bots – have recently been spotted using a number of different approaches when spamming users.
The fake emails that its bots are currently pushing out range from fake Facebook notifications and flight ticket orders to ACH transfer cancellation orders and delivery of scanned documents.
But the one thing that all spam currently sent by Cutwail has in common is that there are no files attached to the emails – embedded links are used instead to direct users to sites serving malware.
The faux Facebook notifications usually pose as friend requests and, at first glance, look somewhat like a legitimate notice, but the fact that the URL behind the “Confirm Friend Request” button isn’t on the social network’s domain should raise suspicions.
A similar discrepancy is present in all the other spam emails, and hovering the mouse over the link makes it obvious to those who know what to look for.
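The hover-and-compare check described above can be automated on the mail gateway: extract every link in the HTML body and flag those whose host is outside the domain of the brand the message claims to come from. This is an added example, not code from the article; the BRAND_DOMAINS mapping and the sample message (with a placeholder destination host) are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands that spam impersonates and the registrable domains their links
# should stay on. Constructed mapping for this example; extend as needed.
BRAND_DOMAINS = {"facebook": {"facebook.com", "fb.com"}}

class LinkExtractor(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_matches(host, allowed):
    """True when host is one of the allowed domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def suspicious_links(html, brand):
    """Return (anchor text, host) for links that leave the brand's domains.
    Links with no host at all (mailto:, relative paths) are flagged too."""
    parser = LinkExtractor()
    parser.feed(html)
    allowed = BRAND_DOMAINS[brand]
    bad = []
    for text, href in parser.links:
        host = urlparse(href).hostname or ""
        if not host_matches(host, allowed):
            bad.append((text, host))
    return bad

# Constructed sample resembling a fake friend-request notice; the
# destination host is a placeholder, not a real indicator from the article.
SAMPLE = """<p>You have a new friend request.</p>
<a href="http://friend-confirm.example.net/go?id=1">Confirm Friend Request</a>
<a href="https://www.facebook.com/help">Help Center</a>"""

if __name__ == "__main__":
    for text, host in suspicious_links(SAMPLE, "facebook"):
        print(f"suspicious: '{text}' -> {host}")
```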
The final destination of all the offered links is a site hosting the Blackhole exploit kit – a favorite tool of the Cutwail bot masters. Once it exploits flaws on the victim’s computer, malware is installed. Currently, the exploit kit webpages are serving SpyEye and Bobax, but the payload changes as the botnet’s clients do.