Big Box LatAm Hack (2nd part - Email Brute-force and Spam)

To complement the already mentioned findings, the same cybercriminal's server contains additional interesting things but before mentioning them, I want to give a little bit more information about the email database used to spam victims to infect them with the Betabot malware.

E-mail database
How big is the list of email addresses to spam victims? It has 8,689,196 different addresses.  It is a very complete database. Even if only 10% of the machines of the people included in this list get infected, cybercriminals would gain more than 800,000 infected PCs!

The geographic distribution of the emails is already published here. If we just look at the number of the most interesting domains belonging to governments, educational institutions and such used to spam and to infect, they are still very high numbers:

Domain    number of emails
org            13772
edu            2015
gov            1575
gob            312

Spamming techniques
Most spam today is sent by botnets; however this is not what the gang behind this server is using. In this case, spam messages are sent via the app called "spam.exe"

[Path] / filename                              MD5 sum
-------------------------------------------------------------------------------
spam.exe                                       dd77b464356a7c9de41377004dd1fa35

When it is running, it asks for the password (below) and then needs a special parameter, which is a plain text file.
208216035

208216036

The original parameter file is this one:
208216037

It accepts parameters like the number of threadsfromsubjectbody of the message, file to attach,reply-to and smtp server to use. There is a string inside of the compiled code pointing to the sources of the project:

j:hackdevspamspamobjReleasespam.pdb

When this server was discovered, cybercriminals already had the next email ready to send to their victims:
208216038

Translation from Spanish: "User, From: +519825**** A friend has just sent you a MMS message via the Claro Web site, the message will be automatically deleted in 72 hours. Download the message now. ID: CLARO, LA RED [The Network] where everything is possible."

The original malicious URL embedded into the message is this:
208216039

As I mentioned, the last parameter of "spam.exe" malicious mailer is the smtp server. Cybercriminals have collected 2,093 different not properly secured email servers around the world. This includes email servers from China, USA, Japan, Indonesia, Russia, Italy, Romania, Netherlands, Germany, Belorussia, Kazakhstan, Vietnam, Hong Kong, Ireland, Brazil, Greece, Chile, Czech Republic, Belgium, Philippines, Denmark, Sweden, Ukraine, Hungary, Canada, Malaysia, Poland, Peru, Taiwan, France, Korea, Spain and many others.
208216040

How did cybercriminals get so many misconfigured servers from around the world?

KISS
This is the name of the module used to attempt smtp servers if these have  default accounts with the same default passwords. In other words, it is a brute force application to test smtp connections.

[Path] / filename                              MD5 sum
-------------------------------------------------------------------------------
kiss.exe                                       3a5d79a709781806f143d1880d657ba2 

This is an app built inside of the same project; the string from the code confirms it:

J:hackdevbrutobjx86Releasekiss.pdb

Once running, it asks for the password, which is the same as for the "spam.exe" application. It accepts four parameters: threadsips, logins/password and email.
208216041

When I found these resources, cybercriminals had in the IPS parameter file 1,519,403 IP addresses in queue to brute force!
208216042

While the list of logins/passwords had the next combinations:
208216043

One interesting thing is that cybercriminals did not want to brute-force all and any domains so they included an exclusion list, which allows "kiss.exe", to skip and not to brute-force the next domains:

Domains excluded from brute-forcing

Looks like they just did not want to attract too much attention, especially from governments, while brute-forcing.

Did I find other interesting things on that server? Yes, and I will post that in the next and  last part of the series Big Box Latam Hack.
Kaspersky Anti-Virus detects "spam.exe" and "kiss.exe" as Email-Flooder.MSIL.Agent.r andHackTool.MSIL.BruteForce.ba respectively.

Conclusions
Cybercriminals from different regions may operate in a similar but yet different ways. This case is a good example as it shows how cybercriminals from Latin America, with no access to zombie machines, tried to find as many weak configured smtp servers as possible  all around the world to distribute spam. This technique did not decrease their potential reach in terms of the number of victims nor their geographic location. Sometimes simple "solutions" work efficiently and we - as researchers - do not only have to focus on botnet-like activities.

As mentioned in the previous post, there is evidence cybercriminals from South America are in touch with cybercriminals from Eastern Europe and the worst part is that they are using mixed techniques: some codes from their European counterparts with others that are locally developed.

You may follow me on twitter: @dimitribest

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *