Malware is sometimes sent through organized, purchased infrastructure

March 10, 2017

Every so often I wonder where malware comes from, in a mechanical sense: does it come from infected machines, from rented botnets, or what? Today we got a malware attack campaign that gave us a very clear answer: it came from dedicated, custom-built infrastructure.

Between 12:17 and 12:28 today, a cluster of four IP addresses tried to send us 376 email messages. All of them gave a HELO name of confidentialdocumentdelivery.com, which was also the verified host name of the sending IPs, and the MAIL FROM was 'service-<tagged-address>@confidentialdocumentdelivery.com'. All of those that did not get rejected for other reasons carried a .doc attachment that Sophos identifies as CXmail/OleDl-V. To make things look more tempting, they all had some common mail headers:

To: <whoever>
Subject: Confidential Documents Delivery
From: "Document Delivery" <service@confidentialdocumentdelivery.com>

(They also appear to have had valid DKIM signatures, just in case you think a DKIM signature on an email is any sign that it can be trusted.)

At the time, confidentialdocumentdelivery.com was (and is) in the Spamhaus DBL, and all four IPs involved were in the Spamhaus CSS, probably among other blocklists. The four IPs in question are all in AS202053 ('UpCloud Cloud Servers' according to RIPE information). Their DNS PTR records at the time were all 'confidentialdocumentdelivery.com', but they've since been recycled to other PTRs. The domain itself seems to have been registered only today, if I believe the whois data.
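The checks described above (Spamhaus ZEN and DBL lookups on the sending IP and sender domain, forward-confirmed reverse DNS on the HELO name, and pulling the VERP tag out of the MAIL FROM) are easy to run by hand, but they are also easy to script so that an SMTP session is triaged consistently. The following is an added example and not the author's mail-filtering code. DNS is injected as a callable so the example runs offline against a constructed answer table that mimics what this post reports; the DBL return code 127.0.1.2 used for the domain, and the 'prefix-tag@domain' VERP layout, are assumptions, since the post only says the domain is listed and shows the MAIL FROM as 'service-<tagged-address>@...'.

```python
"""Triage an inbound SMTP session against DNS blocklists and rDNS checks.

Added example; not the mail-filtering code of the original post.
The resolver is injected so everything here runs offline.
"""
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Tuple

# Spamhaus's documented return codes for the ZEN combined zone.
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "CSS",          # SBL CSS, the listing the post reports
    "127.0.0.4": "XBL", "127.0.0.5": "XBL",
    "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}
# Spamhaus DBL return codes (the category the post's domain got is unknown).
DBL_CODES = {
    "127.0.1.2": "spam domain",
    "127.0.1.4": "phish domain",
    "127.0.1.5": "malware domain",
    "127.0.1.6": "botnet C&C domain",
}

Resolver = Callable[[str], List[str]]   # name -> A records, [] for NXDOMAIN


def zen_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Reverse the octets of an IPv4 address and append the DNSBL zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dbl_query_name(domain: str, zone: str = "dbl.spamhaus.org") -> str:
    """Query name for a domain blocklist lookup."""
    return domain.rstrip(".").lower() + "." + zone


# Assumed VERP layout: '<prefix>-<tag>@<domain>'. The post only shows
# 'service-<tagged-address>@...', so the tag encoding is an assumption
# and this is a heuristic (a plain 'mary-jane@...' would also match).
VERP_RE = re.compile(r"^(?P<prefix>[^-@]+)-(?P<tag>[^@]+)@(?P<domain>[^@]+)$")


def parse_verp(mail_from: str) -> Optional[Tuple[str, str, str]]:
    """Split a VERP-style MAIL FROM into (prefix, tag, domain), or None."""
    m = VERP_RE.match(mail_from.strip("<>"))
    if not m:
        return None
    return m.group("prefix"), m.group("tag"), m.group("domain").lower()


def fcrdns_ok(ip: str, name: str, resolve: Resolver) -> bool:
    """Forward-confirmed reverse DNS: does `name` resolve back to `ip`?"""
    return ip in resolve(name)


def assess_session(ip: str, helo: str, mail_from: str, ptr: str,
                   resolve: Resolver) -> Dict[str, object]:
    """Collect blocklist and rDNS findings for one SMTP session."""
    findings: List[str] = []
    for code in resolve(zen_query_name(ip)):
        findings.append(f"ip listed in Spamhaus {ZEN_CODES.get(code, code)}")
    verp = parse_verp(mail_from)
    sender_domain = verp[2] if verp else mail_from.strip("<>").split("@")[-1].lower()
    for code in resolve(dbl_query_name(sender_domain)):
        findings.append(f"sender domain listed in DBL as {DBL_CODES.get(code, code)}")
    if helo.lower().rstrip(".") != ptr.lower().rstrip("."):
        findings.append("HELO name differs from PTR")
    if not fcrdns_ok(ip, helo, resolve):
        findings.append("HELO name does not resolve to client IP")
    if verp:
        findings.append(f"VERP tag present: {verp[1]}")
    listed = any("listed" in f for f in findings)
    return {"verdict": "reject" if listed else "accept",
            "sender_domain": sender_domain, "findings": findings}


# Constructed DNS answers modelled on what the post reports; the DBL code
# and the non-listed 'mail.example.org' control case are made up.
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "77.24.237.94.zen.spamhaus.org": ["127.0.0.3"],
    "162.30.237.94.zen.spamhaus.org": ["127.0.0.3"],
    "confidentialdocumentdelivery.com.dbl.spamhaus.org": ["127.0.1.2"],
    "confidentialdocumentdelivery.com": ["94.237.24.77", "94.237.30.162"],
    "mail.example.org": ["192.0.2.10"],
}


def constructed_resolve(name: str) -> List[str]:
    return CONSTRUCTED_DNS.get(name.lower().rstrip("."), [])


if __name__ == "__main__":
    bad = assess_session("94.237.24.77", "confidentialdocumentdelivery.com",
                         "service-bounce=user=example.org@confidentialdocumentdelivery.com",
                         "confidentialdocumentdelivery.com", constructed_resolve)
    good = assess_session("192.0.2.10", "mail.example.org",
                          "alice@example.org", "mail.example.org", constructed_resolve)
    for r in (bad, good):
        print(r["verdict"], r["sender_domain"], r["findings"])
```

Note that the campaign described in the post passes the HELO and forward-confirmed rDNS checks cleanly, because the senders set up matching PTR and A records; what catches it is the blocklist listings, which is exactly why a consistent HELO, rDNS or DKIM signature on its own says nothing about whether the sender is trustworthy.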

All of this makes it clear that these weren't infected machines, hijacked machines, or a rented botnet. This was a whole set of carefully built infrastructure: someone picked and bought a plausible domain name, rented some VPSes, set up forward and reverse DNS for them, configured a whole set of mail sending infrastructure (complete with VERP), and used all of this to deliberately send out malware, probably in large bulk. This was an entire organized campaign on dedicated infrastructure that was put together for this specific purpose.

(The infrastructure may or may not have been custom built. For all I know, there are people who sell spammers the service of 'I will set up your sending infrastructure; you provide the domain name and some VPSes and so on'. And if it was custom built, I suspect that the malware gang responsible for this will reuse much of the software configurations and so on for another malware barrage.)

The thing that puzzles me is why you would go through all of the effort to plan and develop this, execute the plan at good speed and with solid organization (if the domain was only registered today), and yet use malware that Sophos and presumably others could already recognize. According to Sophos's page, recognized versions of this have been around since January, which I suspect is an eternity in terms of malware recognition.

(For the curious, the four IPs are 94.237.24.77, 94.237.30.162, 94.237.30.163, and 94.237.30.164. Out of those two /24s, 94.237.30.112 and 94.237.30.153 are also currently on the Spamhaus CSS.)


Comments on this page:

By dozzie at 2017-03-10 03:23:46:

Actually it's not that hard to deploy such a thing when it is highly repeatable, and it probably is repeatable in the case of spammers. They probably have a bunch of Ansible or Puppet or Chef rules and just execute that on a new spam cluster/domain.

By liam at unc edu at 2017-03-10 08:42:52:

If they use known malware I suspect they are targeting hosts that are carelessly run - which are probably more valuable than ones with up to date virus checking, malware filtering etc. After all if you can get old malware on then you can probably get anything else you want to use on.

Written on 10 March 2017.
Last modified: Fri Mar 10 01:32:21 2017