In the first half of 2014, spam volume increased by 60% compared to the first half of 2013. We attribute this to several factors: the prevalence of DOWNAD and the steady rise of malware with spam-sending capabilities (such as MYTOB). Prevalent threats like UPATRE and ZeuS/ZBOT also used spam as an infection vector to deliver their payloads. In our 2013 review of the spam landscape, we predicted that spam would continue to be used to distribute malware. This remains true.
Figure 1. Spam volume for Q2, 2014
Spam Attacks Target German Users
Almost 83% of all spam analyzed is written in English; the remaining 17% is in other languages. The top non-English language used in spam is German, followed by Japanese. We spotted German-language spam attacks that led to control panel (CPL) malware, which earlier this year had mainly affected Brazilian users. Toward the end of Q2 2014, we also saw the emergence of EMOTET, a banking malware that sniffs network traffic to steal user data. It likewise arrives via email messages that pose as shipping invoices and bank transfer notifications. Based on our investigation, certain German banks are included in this threat's list of monitored websites.
Figure 2. Top 5 languages used in spam mails
The curious case of image and salad spam
Based on our honeypot sources, the top three spam types are malware-related (20%), health-related (16%), and commercial and stock spam (11%). We also saw a surge of stock spam in the last six months; one sample we spotted offers trading tips that promise to make recipients rich quickly. In terms of techniques, salad words (random gibberish) used to be hidden inside the HTML, but are now placed in the message body together with news clips so that the message looks legitimate and slips past spam filters. Spammers are also combining older techniques, pairing news clips with image spam rather than sending a plain image, again to evade detection by spam filters.
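The three patterns above (image spam with almost no text, salad text hidden in HTML, and salad words mixed into the visible body) can be separated with a few cheap features before a message reaches a heavier classifier. The following is an added illustration, not code from the original post or from any Trend Micro product; the sample bodies are constructed, the vowel/consonant-run gibberish test is a crude heuristic, and all thresholds are illustrative assumptions.

```python
import re
from html.parser import HTMLParser

VOWELS = set("aeiouy")
# Void elements never get a closing tag, so they must not be tracked on the stack.
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}


class _BodyExtractor(HTMLParser):
    """Split an HTML mail body into visible text, hidden text and an image count."""

    def __init__(self):
        super().__init__()
        self.visible, self.hidden = [], []
        self.images = 0
        self._stack = []        # one bool per open element: is it hidden?
        self._hidden_depth = 0  # >0 while inside an element a renderer would not show

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images += 1
        if tag in VOID_TAGS:
            return
        style = (dict(attrs).get("style") or "").replace(" ", "").lower()
        hidden = ("display:none" in style or "visibility:hidden" in style
                  or re.search(r"font-size:0(?:px|pt|em)?(?:;|$)", style) is not None)
        self._stack.append(hidden)
        self._hidden_depth += int(hidden)

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self._stack:
            return
        self._hidden_depth -= int(self._stack.pop())

    def handle_data(self, data):
        (self.hidden if self._hidden_depth else self.visible).append(data)


def looks_gibberish(word):
    """Crude per-word check (assumption): an unpronounceable letter mix suggests salad text."""
    w = word.lower()
    if len(w) < 4:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in w) / len(w)
    longest_run = max((len(r) for r in re.findall(r"[^aeiouy]+", w)), default=0)
    return vowel_ratio < 0.15 or vowel_ratio > 0.8 or longest_run >= 5


def spam_features(html):
    p = _BodyExtractor()
    p.feed(html)
    visible = " ".join(p.visible).split()
    hidden = " ".join(p.hidden).split()
    words = [t.strip(".,;:!?\"'()") for t in visible]
    words = [t for t in words if t.isalpha()]
    gibberish = sum(looks_gibberish(t) for t in words)
    return {
        "images": p.images,
        "visible_words": len(visible),
        "hidden_words": len(hidden),
        "gibberish_ratio": round(gibberish / len(words), 2) if words else 0.0,
    }


def classify(html):
    """Map the features to the three patterns described in the text (thresholds are illustrative)."""
    f = spam_features(html)
    if f["images"] >= 1 and f["visible_words"] < 10:
        return "image spam"
    if f["hidden_words"] >= 5:
        return "html salad (hidden text)"
    if f["gibberish_ratio"] >= 0.3:
        return "body salad"
    return "no salad/image indicator"


# Constructed sample bodies (not real spam samples).
IMAGE_SPAM = '<html><body><img src="cid:offer.gif" alt=""><p>See attached</p></body></html>'
HTML_SALAD = ('<html><body><p>Cheap meds today</p>'
              '<div style="display: none">quorble zanthix prefly morgantude kleebish</div>'
              '</body></html>')
BODY_SALAD = ('<p>Thai army declares martial law after months of political turmoil. '
              'xqzvt bdrfkl wprstq ghjklm ntsvdr</p>')

if __name__ == "__main__":
    for name, body in (("image", IMAGE_SPAM), ("html salad", HTML_SALAD), ("body salad", BODY_SALAD)):
        print(name, spam_features(body), "->", classify(body))
```

The point of keeping visible and hidden text apart is that the older trick (salad hidden in the HTML) is only visible to a filter that parses markup, while the newer trick (salad in the body next to a real news clip) defeats a purely lexical filter and has to be caught on the gibberish ratio instead.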
Figure 3. Top spam categories
New and recycled spam tactics and techniques
Newsworthy events, movies, and issues remain effective social engineering lures to trick users into opening spam emails, which can lead to the theft of data and system information. KULUOZ, a malware distributed by the Asprox botnet, takes a different approach: it lifts news headlines from CNN and BBC and places the snippets in the email body. We observed that the spammers copy part of the news article together with the headline to bypass spam filters. The Thai coup is one of many notable news items leveraged by these spam campaigns. Apart from stealing headlines, this particular KULUOZ spam run employs its usual tactic of using shipping notification templates.
Another trend we observed is the abuse of popular file storage platforms like Dropbox to host malware. Last May, we noticed UPATRE-related spam that used a Dropbox link not only as part of its social engineering lure but also as the download location for the malicious file. Users who clicked the URL were taken to Dropbox, where they downloaded UPATRE, a malware known for downloading the information stealer ZeuS. The ZeuS variant that UPATRE downloads in turn downloads another malware, NECURS. In other samples we gathered, the Dropbox link embedded in the message body points instead to Canadian pharmacy websites. We also spotted a spammed message that abused CUBBY, another file hosting service similar to Dropbox; this particular spam run leads to a BANKER variant instead.
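Because links to legitimate file-hosting services are rarely blocked outright, a useful mail-gateway check is to pull every URL out of a message and flag the ones whose host sits on a file-hosting service, so that the linked file can be fetched and scanned before delivery. The following is an added example written for this post, not code from the original or from any product; the message is a constructed sample, and the watch-list of hosting domains (dropbox.com and cubby.com, the two services named above) is an assumption to be extended for your own environment.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumed watch-list of file-hosting domains (illustrative; extend for your environment).
FILE_HOSTING = {"dropbox.com", "cubby.com"}

# Matches http(s) URLs in either plain text or HTML attribute values
# (stops at whitespace, angle brackets and quotes).
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(raw_message: bytes):
    """Return every http(s) URL in the text/plain and text/html parts of a raw RFC 822 message,
    de-duplicated in order of first appearance."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    seen, urls = set(), []
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue  # skips multipart containers and attachments
        for url in URL_RE.findall(part.get_content()):
            if url not in seen:
                seen.add(url)
                urls.append(url)
    return urls


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def on_file_host(url):
    """True when the URL's host is a watch-listed domain or one of its subdomains."""
    host = host_of(url)
    return any(host == d or host.endswith("." + d) for d in FILE_HOSTING)


def triage(raw_message: bytes):
    """(url, is_file_hosting) for every link in the message."""
    return [(u, on_file_host(u)) for u in extract_urls(raw_message)]


# Constructed sample: a shipping-notification style lure with a text and an HTML part.
SAMPLE = b"""From: "Parcel Service" <noreply@example.org>
To: victim@example.net
Subject: Your parcel could not be delivered
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Your shipment is waiting. Download the invoice here:
https://www.dropbox.com/s/abc123/Invoice.zip?dl=1

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Download the <a href="https://www.dropbox.com/s/abc123/Invoice.zip?dl=1">invoice</a>.</p>
<p><a href="http://pills.example/">Cheap meds</a></p></body></html>
--b1--
"""

if __name__ == "__main__":
    for url, flagged in triage(SAMPLE):
        print("FILE-HOST" if flagged else "other    ", url)
```

Walking every text part matters here: the same Dropbox link appears in both the plain and the HTML alternative of the sample, and a filter that only reads one of them would still catch it, but a message can just as well carry the link in only the part the filter ignores.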
Spam and Its Impact on the Threat Landscape
Based on our honeypot data, the number of malware-related emails increased by 22 percent. In a previous blog post, we noted that more than 40 percent of malware-related spam in Q2 can be attributed to machines infected by DOWNAD. Although DOWNAD (also known as Conficker) emerged as early as 2008, it remains a prevalent threat today. In fact, it is one of the top three malware families affecting enterprises and SMBs.
UPATRE takes the lead as the top malware distributed via spam, followed by TSPY_ZBOT and BKDR_KULUOZ. UPATRE accounts for more than 33% of total malspam volume, although toward June we saw a decline in the number of spam campaigns related to it. ZeuS ranks both as one of the top sources of malspam and as one of the malware families most often propagated via spam.
KULUOZ downloads other malware such as FAKEAV and ZACCESS and can turn infected systems into spam distributors. Last April, KULUOZ took advantage of the tragic news of the MV Sewol maritime accident.
Figure 4. Top 10 malware from spam mails
Figure 5. TROJ_UPATRE vs. total malspam
Spam Towards the Second Half of 2014
Spam remains a crucial weapon in the cybercriminal arsenal for proliferating malicious activities. We predict that spam volume will continue to increase in the second half of the year. Cybercriminals may leverage upcoming holidays and events in the next quarters, as in previous years, contributing to the spike in volume.
We will also continue to see spam employed as a malware carrier. Furthermore, we observed that the number of newly created domains spread via email is increasing. This is probably due to the domain generation algorithm (DGA) capabilities of spam-sending malware like DOWNAD. This also affects how spam volume is measured, since a single domain can already appear in a large number of spam emails.
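When a campaign rotates through freshly generated domains, the only signal available at the gateway before any reputation data exists is the domain itself: how random its registrable label looks, and how many messages in the current batch share it. The following is an added example for this post, not code from the original or from any product; the URL batch is constructed, the randomness score is a simple lexical heuristic with illustrative thresholds (an assumption, not a description of how DOWNAD generates names), and the registrable-domain split assumes a one-label public suffix rather than consulting the public suffix list.

```python
import math
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

VOWELS = "aeiou"


def shannon_entropy(s):
    """Bits per character of s (equals log2(len(s)) when every character is distinct)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_domain(host):
    """'kbsqwtrzpm.info' for 'www.kbsqwtrzpm.info'. Assumption: one-label public suffix."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def dga_score(host):
    """Heuristic 0-4 randomness score for the registrable label (thresholds are illustrative)."""
    label = registrable_domain(host).split(".")[0]
    if not label:
        return 0
    score = 0
    # Generated labels tend to be vowel-poor ...
    if sum(ch in VOWELS for ch in label) / len(label) < 0.25:
        score += 1
    # ... with long unpronounceable runs (digits count as non-vowels here) ...
    if max((len(r) for r in re.findall(r"[^aeiou]+", label)), default=0) >= 4:
        score += 1
    # ... often mixing letters and digits ...
    if any(ch.isdigit() for ch in label) and any(ch.isalpha() for ch in label):
        score += 1
    # ... and, when long enough for entropy to mean something, near-maximal entropy.
    if len(label) >= 10 and shannon_entropy(label) >= 3.3:
        score += 1
    return score


def domain_report(urls):
    """Group URLs seen in a spam batch by registrable domain: how many messages carried each
    domain and how random its label looks."""
    counts = defaultdict(int)
    for u in urls:
        host = urlparse(u).hostname
        if host:
            counts[registrable_domain(host)] += 1
    return {d: {"messages": n, "score": dga_score(d)} for d, n in counts.items()}


def probable_dga(urls, min_score=2):
    return sorted(d for d, v in domain_report(urls).items() if v["score"] >= min_score)


# Constructed batch of URLs extracted from spam (not real campaign data).
SPAM_URLS = [
    "http://www.kbsqwtrzpm.info/update.php",
    "http://kbsqwtrzpm.info/update.php",
    "http://x7k2q9w4.biz/dl/",
    "http://newsletter.example/unsubscribe",
    "http://newsletter.example/offer",
    "http://newsletter.example/offer2",
    "https://www.example.com/",
]

if __name__ == "__main__":
    for domain, info in domain_report(SPAM_URLS).items():
        print(f"{domain:24} messages={info['messages']} score={info['score']}")
    print("probable DGA:", probable_dga(SPAM_URLS))
```

In practice the lexical score is only a first pass; a domain that scores high and is also young (WHOIS creation date or first-seen in passive DNS) and shared by many messages in the batch is the case worth blocking, and the legitimate newsletter domain in the sample, which carries the most messages, scores zero.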
Update as of July 22, 2014, 11:00 P.M. PDT:
We have updated Figures 2 and 4 to make the numbers presented clearer.