By Augusto Remillano II
One of our honeypots detected a spam campaign that uses compromised devices to attack vulnerable web servers. After brute-forcing devices with weak access credentials, the attackers use them as proxies to forward a base64-encoded PHP script to web servers. The script sends an email with an embedded link to a scam site to specific email addresses.
While some of the samples we found were for spamming and for redirecting users to cryptocurrency scam sites, the spam botnet’s routine may be used to spread malware to more systems and vulnerable servers. Given the use of compromised devices for sending malicious links, attribution to a specific group or attacker would be more difficult if this were used for bigger attacks. Furthermore, the probable use of a PHP web shell and functions does not only allow for intrusion and infection — it also allows the attacker to access the servers again even after the exploited flaw is patched. Active since May, the campaign targets users based in the U.K.
Figure 1. Spam campaign attack chain
The malicious actors begin the campaign by gaining SSH access to a device via brute force, after which port forwarding is used to send a malicious PHP script in some web servers.
Figure 2. Attacker gaining SSH access to the honeypot via brute force
From the compromised device, data is sent to the target web servers – a base64-encoded string (detected by Trend Micro as Trojan.PHP.MAILER.A), which we extracted and saved to a file. From our analysis, we found that start_cache1.php is likely a crafted PHP web shell used to interpret the attacker’s shell commands, while the script path /wp-snapshots/tmp/start_cache1.php indicates that it is a compromised WordPress site. This means the attackers can continue to have access to the infected server even if a vulnerability has been patched. In addition, based on the decoded PHP script, a spam mail is sent to specific email addresses, as shown in the last portion of the snippet in Figure 4.
Figure 3. Base64-encoded PHP script
Figure 4. A spam mail snippet with the targeted email address
Other functions include register_shutdown_function, which enables a function after the script is done executing. This abuses the PHP callback “Register Shutdown Function Webshell,” which has been previously documented in another malicious routine that installs a backdoor.
Figure 5. Other functions in the PHP script
Figure 6. Spam mail sample with embedded link
The spam mail sent from the compromised web servers contains links that redirect to a scam site. While they look similar, the links redirect to different websites and seem to particularly target users based in the U.K. who may be looking for jobs and extra income sources.
Figure 7. Clicking on the link in the email redirects the user to spoofed sites
Figure 8. Another example of a spoofed site
Clicking any of the links in the scam site redirects users to a signup page for a cryptocurrency trading website. The service is allegedly free, but users are asked to fund their accounts with US$250 as “seed money.”
Figure 9. Cryptocurrency trading scam site
Figure 10. Website asking for seed money to start trading
The malicious actors behind this campaign are no amateurs: By using compromised devices, they make it harder for security researchers and analysts to trace the real origin of the attack. We suspect that the malicious actors found exposed devices by scanning for open SSH ports, then brute-forced them and used them to send the malicious PHP scripts.
Furthermore, the scam sites spoofing legitimate news sites and cryptocurrency trading pages look convincing enough to trick potential victims who are not cautious or are keen on getting additional sources of income. With enough victims falling for the scam sites, the attackers will not only profit from seed money deposits. They also potentially gain an effective method to install more malware or backdoors and subsequently re-infect initially compromised systems despite IT teams being able to patch vulnerabilities. Compromised devices and servers get incorporated into a botnet or used for other profit-earning schemes.
And while some of the URLs were already down at the time of writing, we still caution users from clicking on embedded links in emails from unknown senders to prevent possible attacks. Default and weak passwords should be changed and unnecessary ports closed to prevent unauthorized intrusions. Users can also install a multilayered protection on all devices directly facing the internet and should update systems regularly with the vendor’s released patches to prevent malicious actors from exploiting security gaps.
Trend Micro solutions
Organizations can benefit from having Trend Micro™ endpoint solutions such as Trend Micro Smart Protection Suites and Worry-Free™ Business Security. These can protect users and businesses from threats by detecting malicious files and spammed messages as well as blocking all related malicious URLs. The Trend Micro Deep Discovery™ solution has an email inspection layer that can protect enterprises and users by detecting malicious attachments and URLs.
Trend Micro Hosted Email Security delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. It protects Microsoft Exchange, Microsoft Office 365, Google Apps, and other hosted and on-premises email solutions.
Trend Micro customers are protected via these rules:
- 4205: Register Shutdown Function Webshell – HTTP (Request)
Indicators of Compromise (IoCs)
- hxxps://clck[.]ru/HfBwo, redirecting to hxxp://bvsa[.]in/publicdeliver/rmareturns.php/kbrt/anpx/?spent=1df0b12ububx0f
- hxxps://clck[.]ru/HfCrK – inaccessible
- hxxps://clck[.]ru/HfCYQ , redirecting to hxxp://pkusk[.]com/idkadmin/ckeditor/plugins/link/images/hidpi/libraries/merkzettel/shipping_help/wfidecademail.php/zftv/ayeq/?wait=ktw1m012zhw0
- hxxp://tiny[.]cc/ekubbz, redirecting to hxxp://guidetti[.]se/wp-snapshots/tmp/handleoptin/countries/encuesta/sharethis/register/commentsmiss/busqueda.php/vtsk/sdzh/?higher=1es0xze1hzcxx20
- hxxp://tiny[.]cc/oyxbbz, redirecting to hxxp://sweetheart-exhibition[.]com/upfiles/gzip_loader.php/tka/yxrbh/?8k8s8pu0z2
With additional analysis and insights by Alvin Nieto