A Vertek Corporation expert identified the C&C server while investigating a recent malware campaign distributing a version of the Trik trojan. The malicious code was used as first-stage malware to drop the GandCrab v3 ransomware.
“It is not especially sophisticated or complex but has been active for almost a decade, flying under the radar and attracting a solid customer base of threat actors.” reads the analysis published by Proofpoint.
“As we began tracking this botnet more closely, we discovered that a number of familiar actors were repeatedly leveraging Trik’s power and distribution capabilities for delivery of their malware.”
Both pieces of malware downloaded their malicious files from a misconfigured server located in Russia.
The server's contents could be accessed by anyone. During the investigation the expert discovered 2,201 text files, labelled sequentially from 1.txt to 2201.txt, each containing a chunk of approximately 20,000 email addresses.
“The Vertek researcher believes the operators of this server have been using these recipient lists to service other crooks who contracted their services to distribute various malware strains via malspam campaigns.” reported Bleeping Computer.
“We pulled all of them to validate that they are unique and legitimate,” the researcher told Bleeping Computer earlier today. “Out of 44,020,000 potential addresses, 43,555,741 are unique.”
The researcher shared his work with the well-known security expert Troy Hunt, who maintains the Have I Been Pwned service.
The vast majority of the email addresses are old (Yahoo (10.6 million) and AOL (8.3 million)).
“Surprisingly, while there are many custom email domains included in the leak, there are very few Gmail addresses included, suggesting the email addresses database is either incomplete, or this malware campaign intentionally targeted users using older email services.” continues Bleeping Computer.
Below are the top 10 email domains included in the leaked data:
- 8907436 yahoo.com
- 8397080 aol.com
- 788641 comcast.net
- 433419 yahoo.co.in
- 432129 sbcglobal.net
- 414912 msn.com
- 316128 rediffmail.com
- 294427 yahoo.co.uk
- 286835 yahoo.fr
- 282279 verizon.net
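The two checks the article describes (counting unique addresses across the numbered chunk files, then ranking recipient domains) are simple to reproduce. The script below is an added example written for this article, not the Vertek researcher's or Bleeping Computer's code; the chunk contents are constructed in memory to stand in for 1.txt .. 2201.txt, and addresses are normalised (trimmed, lower-cased, loosely validated) before deduplication so that "Bob@Example.com" and "bob@example.com" count once.

```python
"""Added example (not from the article): validating a dump of email-address lists.

On constructed data this reproduces the two checks the article describes:
  1. how many addresses are unique across the 1.txt .. 2201.txt chunks, and
  2. which recipient domains dominate the list.
"""
import re
from collections import Counter
from typing import Dict, Optional, Set, Tuple

# Loose syntactic check: no whitespace, exactly one '@', a dot in the domain part.
_ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalize(raw: str) -> Optional[str]:
    """Trim and lower-case an address; return None if it is not address-shaped."""
    addr = raw.strip().lower()
    return addr if _ADDR_RE.match(addr) else None


def load_chunks(chunks: Dict[str, str]) -> Tuple[int, Set[str]]:
    """Parse every chunk (filename -> file text).

    Returns (number of non-empty lines seen, set of unique normalised addresses).
    Lines that do not look like an address are counted as seen but not kept.
    """
    total = 0
    unique: Set[str] = set()
    for _name, text in sorted(chunks.items()):
        for line in text.splitlines():
            if not line.strip():
                continue
            total += 1
            addr = normalize(line)
            if addr:
                unique.add(addr)
    return total, unique


def domain_counts(addresses: Set[str]) -> Counter:
    """Count addresses per domain (the part after the last '@')."""
    return Counter(a.rsplit("@", 1)[1] for a in addresses)


# Constructed sample chunks standing in for the real 1.txt .. 2201.txt files.
SAMPLE_CHUNKS = {
    "1.txt": "alice@example.com\nBob@Example.com\ncarol@aol.com\n",
    "2.txt": "alice@example.com \ndave@yahoo.com\nnot-an-address\n\n",
    "3.txt": "erin@yahoo.com\nbob@example.com\nfrank@comcast.net\n",
}


def summarize(chunks: Dict[str, str] = SAMPLE_CHUNKS, top_n: int = 10) -> dict:
    """Return the totals a researcher would report: lines seen, unique addresses, top domains."""
    total, unique = load_chunks(chunks)
    return {
        "seen": total,
        "unique": len(unique),
        "top": domain_counts(unique).most_common(top_n),
    }


if __name__ == "__main__":
    result = summarize()
    print(f"{result['seen']} lines seen, {result['unique']} unique addresses")
    for domain, count in result["top"]:
        print(f"- {count} {domain}")
```

To run the same summary over a real directory of chunk files, build the `chunks` dict by reading each `*.txt` file into a string; the counting logic is unchanged. Checking whether your own organisation's domain appears in the ranked output is the defender-side use of the same script.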
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member of CSIRT.UBI and Editor-in-Chief of the computer security blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec Resources Institute and Cyber Defense Magazine) and the developer of 0xSI_f33d, a feed that compiles phishing and malware campaigns targeting Portuguese citizens.