Spam Campaign Abuses PHP Functions for Persistence, Uses Compromised Devices for Evasion and Intrusion

By Augusto Remillano II


One of our honeypots detected a spam campaign that uses compromised devices to attack vulnerable web servers. After brute-forcing devices with weak access credentials, the attackers use them as proxies to forward a base64-encoded PHP script to web servers. The script sends an email with an embedded link to a scam site to specific email addresses.


While the samples we found were used for spamming and for redirecting users to cryptocurrency scam sites, the same spam botnet routine could be used to spread malware to more systems and vulnerable servers. Because the malicious links are sent from compromised devices rather than from attacker-owned infrastructure, attributing the activity to a specific group or attacker would be more difficult if the routine were used for larger attacks. Furthermore, the probable use of a PHP web shell and PHP functions for persistence means the attacker is not limited to intrusion and infection: the attacker can also regain access to the server even after the exploited flaw is patched. Active since May, the campaign targets users based in the U.K.


Routine



Figure 1. Spam campaign attack chain


The malicious actors begin the campaign by brute-forcing SSH access to a device with weak credentials. The compromised device is then used as a proxy: port forwarding routes the attacker's traffic through it, delivering a malicious PHP script to the targeted web servers.
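The second stage of the routine, a base64-encoded PHP script relayed to a web server, is something a web server owner can look for in request bodies. The following detector is an added example written for this article and is not code from the article or from the campaign's payload, which is not reproduced on this page. It decodes every sufficiently long base64 run in a POST body, keeps only those that decode to text containing a PHP open tag, and reports which functions the script calls. Of the function names it watches, only mail() is tied to the campaign by the article; the rest (eval, system, file_put_contents and similar) are an assumption about what a PHP web shell used for persistence typically calls. The sample request bodies and the parameter names (payload, state, c, d) are constructed for the example.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed sample POST bodies standing in for the traffic the article
# describes: a base64-encoded PHP script delivered to a web server through a
# proxied device. None of these strings come from the campaign; they are built
# here so the detector can run offline.
MAILER_PHP = b"<?php mail($to, 'Claim your coins', 'http://scam.invalid/'); ?>"
WEBSHELL_PHP = (b"<?php @eval(base64_decode($_POST['c'])); "
                b"file_put_contents('.x.php', $_POST['d']); ?>")
BENIGN_JSON = b'{"user":"alice","role":"viewer","theme":"dark","lang":"en-GB"}'


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


SAMPLE_REQUESTS = [
    "payload=" + _b64(MAILER_PHP),           # spam mailer, should be flagged
    "state=" + _b64(BENIGN_JSON),            # ordinary base64 data, should pass
    "c=" + _b64(WEBSHELL_PHP) + "&d=hello",  # web-shell-style script, should be flagged
]

# Runs of base64 alphabet long enough to carry a script; short tokens are ignored.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
PHP_OPEN_TAG = re.compile(r"<\?php", re.IGNORECASE)
# mail() is the function the article ties to the campaign. The other names are an
# assumption: execution and file-writing functions commonly found in PHP web shells.
WATCHED_FUNCS = ("mail", "eval", "system", "shell_exec", "passthru", "exec",
                 "file_put_contents", "base64_decode")
FUNC_CALL = re.compile(r"\b(" + "|".join(WATCHED_FUNCS) + r")\s*\(", re.IGNORECASE)


def decode_base64_runs(text: str):
    """Yield every base64 run in text that decodes to valid UTF-8."""
    for match in B64_RUN.finditer(text):
        blob = match.group(0)
        # Re-pad to a multiple of four; validate=True rejects stray characters,
        # and an impossible padding length raises binascii.Error.
        padded = blob + "=" * (-len(blob) % 4)
        try:
            yield base64.b64decode(padded, validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue


def analyze_request(body: str):
    """Return one finding per decoded PHP script found in a request body."""
    findings = []
    for script in decode_base64_runs(unquote(body)):
        if not PHP_OPEN_TAG.search(script):
            continue
        funcs = sorted({f.lower() for f in FUNC_CALL.findall(script)})
        findings.append({"functions": funcs, "sends_mail": "mail" in funcs})
    return findings


def scan_requests(bodies):
    """Map each request index to its findings, keeping only flagged requests."""
    flagged = {}
    for idx, body in enumerate(bodies):
        findings = analyze_request(body)
        if findings:
            flagged[idx] = findings
    return flagged


if __name__ == "__main__":
    for idx, findings in scan_requests(SAMPLE_REQUESTS).items():
        for finding in findings:
            label = " (mailer)" if finding["sends_mail"] else ""
            print(f"request {idx}: PHP payload calling "
                  f"{', '.join(finding['functions'])}{label}")
```

The detector deliberately decodes first and matches second: a signature on the raw request would have to anticipate every base64 alignment of `<?php`, whereas decoding the run once makes the open tag and the function names plain text. Run against real access or request logs, the benign base64 case matters as much as the malicious ones, since session tokens and JSON blobs decode cleanly but carry no PHP tag and produce no finding.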



Figure 2. Attacker gaining SSH access to the honeypot via brute force


From the compromised device, data is sent to the target web servers – a base64-encoded string (detected by Trend Micro as Trojan.PHP.MAILER ..
