Tracking the Chameleon Spam Campaign

In this blog, we draw attention to a persistent high-volume spam campaign that has been very prominent in our spam traps recently. The various campaigns emanate from the same spam botnet system and often resemble phishing messages, although they are typically not. The messages have randomized headers, and the templates often change, hence the moniker ‘Chameleon.’


We observed high volumes of spam messages sent by this botnet from 14 August 2019 until the day this blog was published. These spam messages originated from all over the globe, as shown in Figures 1 and 2. The initial spam messages seen were variations of fake job spam, purportedly coming from an ex-colleague and containing a link to the "job posting" or the "job offer", as shown in Figure 3. However, the spam messages varied almost systematically with each subsequent outburst of the botnet.



Figure 1: Volume of spam messages sent out by this botnet on a daily and hourly basis. The line graph shows the trend observed from mid-August to early September 2019.



Figure 2: Pie chart of the geo-location of the pill spam botnet's traffic.


On closer inspection, we found that these spam messages shared distinctive email header and body characteristics, indicating that they were being sent from the same botnet. Some of the unique characteristics of these messages are listed here:


Messages originated from geographically distributed sources but used similar unique SMTP transaction commands on connection.
The spam message email header had a couple of unique features. The first being that valid email header fields like "From", "To", "Message-ID", "Content-Transfer-Encoding", "Content-Type" etc. appeared ..
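One way a defender can act on the observation that messages from one botnet share header structure even when header values are randomized is to fingerprint each message by the set and order of its header field names and cluster on that. The following is an added illustration, not code from the original post; the header-order fingerprint is an assumed technique (the post does not state which header features it used), and the sample messages are constructed, not real captures.

```python
"""Cluster raw e-mail messages by a header-structure fingerprint.

Added illustration, not code from the original post. It assumes that
messages from one botnet share the *set and order* of header fields even
when the values are randomized. The sample messages below are constructed.
"""
from collections import defaultdict
from email import message_from_string
from typing import Dict, List

# Constructed sample messages (not real captures). The first two share a
# header layout with different values; the third has a different layout.
SAMPLES = [
    "From: a@example.test\nTo: x@example.test\nMessage-ID: <1@example.test>\n"
    "Content-Transfer-Encoding: 7bit\nContent-Type: text/plain\n"
    "Subject: job posting\n\nbody one\n",
    "From: b@example.test\nTo: y@example.test\nMessage-ID: <2@example.test>\n"
    "Content-Transfer-Encoding: 7bit\nContent-Type: text/plain\n"
    "Subject: job offer\n\nbody two\n",
    "Date: Mon, 02 Sep 2019 10:00:00 +0000\nMIME-Version: 1.0\n"
    "From: c@example.test\nTo: z@example.test\nSubject: hello\n"
    "Content-Type: text/plain\n\nbody three\n",
]

STANDARD_HEADERS = ("from", "to", "message-id", "date", "mime-version")


def header_fingerprint(raw: str) -> str:
    """Return a fingerprint built from the ordered, lower-cased header names.

    Header *values* are deliberately ignored so that randomized From/To/
    Message-ID values do not split messages that share one template.
    """
    msg = message_from_string(raw)
    names = [name.lower() for name, _ in msg.items()]
    return "|".join(names)


def cluster_by_fingerprint(raws: List[str]) -> Dict[str, List[int]]:
    """Group message indices by their header fingerprint."""
    groups: Dict[str, List[int]] = defaultdict(list)
    for idx, raw in enumerate(raws):
        groups[header_fingerprint(raw)].append(idx)
    return dict(groups)


def missing_standard_headers(raw: str) -> List[str]:
    """Standard fields absent from a message, useful when comparing template variants."""
    msg = message_from_string(raw)
    present = {name.lower() for name, _ in msg.items()}
    return [h for h in STANDARD_HEADERS if h not in present]


if __name__ == "__main__":
    for fp, members in cluster_by_fingerprint(SAMPLES).items():
        print(f"{len(members)} message(s) with layout {fp}: {members}")
    for i, raw in enumerate(SAMPLES):
        print(f"message {i} is missing: {missing_standard_headers(raw)}")
```

In practice the fingerprint would be combined with the SMTP-level observations (the connection-time commands mentioned above) and with sending-IP data before treating a cluster as one botnet, since a header layout alone can be shared by legitimate mail clients.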
