Wandering Thoughts archives

2017-03-10

Malware is sometimes sent through organized, purchased infrastructure

Every so often, I wonder where malware comes from. Well, in a mechanical sense; does it come from infected machines, or from rented botnets, or what? Today we got a malware attack campaign that gave us a very clear answer: it came from dedicated, custom-built infrastructure.

Between 12:17 and 12:28 today, a cluster of four IP addresses tried to send us 376 email messages. All of them had a HELO and verified host name of confidentialdocumentdelivery.com, and the MAIL FROM was 'service-<tagged-address>@confidentialdocumentdelivery.com'. All of them that did not get rejected for other reasons had a .doc file that Sophos identifies as CXmail/OleDl-V. To make things look more tempting, they all had some common mail headers:

To: <whoever>
Subject: Confidential Documents Delivery
From: "Document Delivery" <service@confidentialdocumentdelivery.com>

(They also appear to have had valid DKIM signatures, just in case you think DKIM signatures on email are any sign of trust.)

At the time, confidentialdocumentdelivery.com was (and is) in the Spamhaus DBL, and all four IPs involved were in the Spamhaus CSS, probably among other blocklists. The four IPs in question are all in AS202053 (or), 'UpCloud Cloud Servers' according to RIPE information. Their DNS PTR records at the time were all 'confidentialdocumentdelivery.com', but they've since been recycled to other PTRs. The domain itself seems to have been registered only today, assuming I believe the whois data.

All of this makes it clear that these weren't infected machines, hijacked machines, or a rented botnet. This was a whole set of carefully built infrastructure; someone figured out and bought a good domain name, rented some VPSes, assigned DNS, configured a whole set of mail sending infrastructure (complete with VERP), and used all of this to deliberately send out malware, probably in large bulk. This was an entire organized campaign on dedicated infrastructure that was put together for this specific purpose.

(The infrastructure may or may not have been custom built. For all I know, there are people who sell spammers the service of 'I will set up your sending infrastructure; you provide the domain name and some VPSes and so on'. And if it was custom built, I suspect that the malware gang responsible for this will reuse much of the software configurations and so on for another malware barrage.)

The thing that puzzles me is why you would go through all of the effort to plan and develop this, execute the plan at good speed and with solid organization (if the domain was only registered today), and yet use malware that Sophos and presumably other could already recognize. According to Sophos's page, recognized versions of this have been around since January, which I suspect is an eternity in terms of malware recognition.

(For the curious, the four IPs are 94.237.24.77, 94.237.30.162, 94.237.30.163, and 94.237.30.164. Out of those two /24s, 94.237.30.112 and 94.237.30.153 are also currently on the Spamhaus CSS.)

spam/MalwareFromPurchasedInfrastructure written at 01:32:21; Add Comment


Page tools: See As Normal.
Search:
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.