Spambot weaponises 711M accounts to spread Ursnif malware

News by Robert Abel

A Paris-based security researcher, Benkow, spotted a massive spambot, dubbed Onliner, weaponising 711 million email and server accounts to distribute phishing emails laced with malware looking to steal user data.

Benkow discovered the spambot on an open, publicly accessible web server hosted in the Netherlands that was being used to store dozens of text files containing the email addresses, passwords and email servers used to send the spam messages.

The spambot was collecting stolen email credentials and server login details from previous data breaches, such as the LinkedIn and Badoo hacks, as well as from other unknown sources, in order to send the emails through “legitimate servers” in an attempt to circumvent spam filters, according to a ZDNet report.
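A defender's first job with a dump like the one described above is to find which of their own accounts and mail servers appear in it without copying plaintext passwords around. The triage script below is an added example, not code from the article or from either researcher; it assumes a simple `email:password:server` line layout (the real files mixed several layouts) and uses constructed sample lines.

```python
import re
import hashlib
from collections import Counter

# Constructed sample lines, not from the real dump. The "email:password:server"
# layout is an assumption for illustration; passwords containing ':' would need
# a different parser.
SAMPLE_DUMP = """\
alice@example.com:Summer2012!:smtp.example.com
bob@example.com:hunter2:mail.example.com
carol@other.org:letmein:smtp.other.org
dave@example.com:Summer2012!:smtp.example.com
malformed line without separators
"""

LINE_RE = re.compile(r"^(?P<email>[^:\s]+@[^:\s]+):(?P<password>[^:]*):(?P<server>[^:\s]+)$")

def parse_dump(text):
    """Yield (email, password, server) for well-formed lines; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("email").lower(), m.group("password"), m.group("server").lower()

def redact(password):
    """Never keep the plaintext: a short hash prefix is enough to spot reuse."""
    return hashlib.sha256(password.encode()).hexdigest()[:8]

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def triage(text, our_domains):
    """Accounts under our domains, our servers seen as spam relays, and reused passwords."""
    our_domains = {d.lower() for d in our_domains}
    exposed, relays, reused = [], Counter(), Counter()
    for email, password, server in parse_dump(text):
        domain = email.split("@", 1)[1]
        if domain in our_domains:
            exposed.append({"email": email, "pw_fingerprint": redact(password)})
            reused[redact(password)] += 1
        if any(in_domain(server, d) for d in our_domains):
            relays[server] += 1
    return {"exposed_accounts": exposed, "abused_servers": dict(relays),
            "shared_passwords": {k: v for k, v in reused.items() if v > 1}}
```

Exposed accounts get a forced reset; servers listed as relays are the ones whose outbound mail logs need reviewing for the spam run.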

The spambot used 80 million of the compromised email servers to send spam to the remaining 630 million target addresses, “fingerprinting” potential victims to identify those using Windows computers and ultimately spread the Ursnif malware; iPhone and Android users aren't affected by the malware.

The malware arrives as an attachment to a malicious email. Once opened, it drops component files onto the infected system and creates autostart registry entries so that it runs automatically at startup. It then injects itself into certain processes and infects files of certain types and extensions. Finally, the malware collects the system's information and sends it to a command and control server.
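The autostart registry write is the most detectable step in that chain: a binary dropped by an email attachment, running from a user-writable folder with an Office application as its parent, setting a Run key. The heuristic below is an added example for endpoint telemetry, not from the article or any vendor quoted in it; it assumes Sysmon-style field names (EventID 13 for registry value set) and uses constructed events.

```python
# Constructed Sysmon-style events (assumed field names and paths, not real telemetry).
# EventID 13 is a registry value set; EventID 1 is process creation and is ignored here.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\jo\AppData\Local\Temp\invoice_2017.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\WinUpd"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent"},
    {"EventID": 13, "Image": r"C:\Users\jo\Downloads\report.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\Software\VendorApp\Settings\Theme"},
    {"EventID": 1, "Image": r"C:\Users\jo\AppData\Local\Temp\invoice_2017.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
]

# Well-known autostart locations (lower-cased substrings of the registry path).
AUTORUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\",
                "\\explorer\\shell folders\\startup")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\appdata\\roaming\\")
MAIL_OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")

def is_autorun_key(target):
    """True when the registry value lives under an autostart location."""
    return any(k in target.lower() for k in AUTORUN_KEYS)

def classify(event):
    """Return a reason string if the write looks like attachment-borne persistence, else None."""
    if event.get("EventID") != 13 or not is_autorun_key(event.get("TargetObject", "")):
        return None
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    reasons = []
    if any(d in image for d in USER_WRITABLE):
        reasons.append("autorun set by binary in user-writable path")
    if parent in MAIL_OFFICE_PARENTS:
        reasons.append(f"parent is {parent}")
    return "; ".join(reasons) or None

def scan(events):
    """Return (image, reason) for every event that trips the heuristic."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append((ev["Image"], reason))
    return hits
```

A legitimate installer writing a Run key from Program Files with explorer.exe as parent produces no alert, which keeps the rule usable on a busy fleet.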

Campaigns like this, which are designed to bypass spam filters and spoof legitimate sources, are without a doubt more effective than traditional phishing attacks, Bitglass product manager Salim Hafid told SC Media.

“These targeted attacks, where malware is delivered to millions of individuals, can spread at higher rates and yield more information,” Hafid said.

Benkow and independent researcher Troy Hunt have been in touch with a trusted source in the Netherlands who is communicating with law enforcement in an attempt to shut down the command and control server, Hunt said in a 30 August blog post.

The spambot is a reminder that data breaches don't end after the public disclosure, Cylance senior research scientist Jim Walter told SC Media.

“Leaked/breached data can continue to live on and be used, reused, sold, re-sold, etc. for purposes just as described here,” Walter said. “Any organisation that is not aware of and closely following OSINT specific to their company/brand/intellectual property/etc. is bound to fall victim to continued use of their data or infrastructure for ongoing malicious activity.”

Walter added that the real takeaway from the scenario should be to educate and remind everyone of the permanence of leaked data and of the need not only to defend your organisation, but also to monitor the “ether” for continued misuse of data and resources.

One researcher pointed out that the situation is unsettling because it demonstrates how cyber-criminals aren't protecting stolen user data.

“Some may think the bad guy has no motivation to protect our data, but they do,” STEALTHbits Technologies researcher Jonathan Sander told SC Media. “The amount and how well enriched their data set is becomes their competitive advantage in a crowded black market.”

Similar to how people prefer Google to other search engines because of the platform's huge reach, the black market has brands that stake their reputation on having the biggest database of quality stolen data, Sander said, adding that it's disheartening that criminals would fail to secure the ill-gotten goods.

Brian Laing, VP at Lastline, warns that, “The sheer size of the breach is alone a cause for concern, let alone the damage it could cause further down the line. This breach is an example of how hackers merge data from multiple sources, building dossiers on potential victims, including spear phishing targets. In this instance, the majority of the passwords appear to have been collated from previous leaks, including the 2012 LinkedIn data breach. Every breach reveals data that criminals can use to launch additional attacks, either by the initial attackers or other criminals to whom they sell the compromised data.... Data breaches provide a distribution hub for malware for years to come.”

John Bambenek, threat intelligence manager at Fidelis Cybersecurity, agrees, noting that, “Cyber-crime is an aggressive business, particularly among spammers, so the fact that they made a mistake that allowed access to their entire database is a rare and an unusual event. It is naïve to think that this was not also accessed by other criminal or spammer groups, as this information is of paramount value to those kinds of groups. Even then, sometimes humans make mistakes, which is why it is essential to build datasets and monitoring to track their activity over the long term. These kinds of mistakes are what help us get these hackers arrested so they can become guests of the local Western government's prison system.”

Ross Brewer, vice president and managing director EMEA at LogRhythm, says that, “businesses also have a responsibility in helping with the clean-up process. Indeed, it's crucial they ensure they have tools in place that continuously monitor their network activity so they can detect and respond to anything malicious as soon as it happens. Whether it's a hacker attempting to gain unauthorised access by spreading malware or using genuine credentials from these two breaches (CeX as well as the Spambot), companies need to have the intelligence and insight required to flag abnormal activity straightaway.”
