Noisy Spam Malware – New Cutwail Variant (Jan 16, 2014)

Updated 01/21/2014

The Dell SonicWall Threats Research team came across an aggressive spam bot that appears to be a newer variant of Cutwail, being actively served in the wild by compromised WordPress websites. The malware arrives via drive-by download and upon infection facilitates spamming of other malware families from the victim machine as instructed by the Command & Control server. The malware generates a lot of traffic on the network in what looks like an attempt to hide the integrated Tepfer infostealer’s data exfiltration and other command and control communications.

Infection Cycle:

Upon execution, the malware creates an environment variable named %SPK% with the integer value ‘3’, which is checked before proceeding with unpacking the embedded resource.


%SPK% is set to ‘3’


%SPK% is checked before the embedded PNG is read and decoded.

After memory space is allocated within the current process, the PNG is decoded into that region and execution is transferred to it. The malware then creates a mutex named ‘huxdeacotlag’ to prevent reinfection attempts and creates a registry key to automatically execute a copy of itself, which is dropped into the user’s home directory:

  • HKCU\software\microsoft\windows\currentversion\run\huxdeacotlag
  • %USERPROFILE%\huxdeacotlag.exe [Detected as GAV: Wigon.PH_44 (Trojan)]

The malware was seen creating additional random mutexes:

  • Run 1
    • Creates mutex: bqqtoqd92636
    • Creates mutex: faxdkmk85433
    • Creates mutex: jhxejwv40484
    • Creates mutex: nafky68023
    • Creates mutex: sopnl31793
  • Run 2
    • Creates mutex: bddjgc5987
    • Creates mutex: cxiozk77429
    • Creates mutex: jhxejwv40484
    • Creates mutex: nafky68023
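The host-side indicators above (the Run-key value, the dropped copy, the ‘huxdeacotlag’ mutex, the batch of random-looking mutexes and the svchost.exe processes spawned by a non-system parent) can be turned into a simple scoring check over endpoint telemetry. The script below is an added example written for this page, not SonicWall's code; the key=value telemetry format, the sample log lines, the user name and the dropped-file location in Temp are all constructed. Only the mutex name, registry path and file name come from the analysis; the random-mutex pattern is a low-confidence heuristic derived from the names listed above and is never used on its own.

```python
import re
from collections import defaultdict

# Host indicators reported in the analysis above (registry path written with
# backslashes; comparisons are case-insensitive).
PERSISTENCE_VALUE = r"hkcu\software\microsoft\windows\currentversion\run\huxdeacotlag"
DROPPED_FILENAME = "huxdeacotlag.exe"
PRIMARY_MUTEX = "huxdeacotlag"
# Shape of the additional random mutexes (e.g. bqqtoqd92636, nafky68023): a run of
# lowercase letters followed by digits. Too generic to alert on alone, so it only
# counts when one process creates several of them.
RANDOM_MUTEX_RE = re.compile(r"^[a-z]{5,7}\d{4,5}$")


def parse_event(line):
    """Parse one 'key=value key=value ...' telemetry line (constructed format,
    values contain no spaces) into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def analyse(lines):
    """Return a list of (confidence, description) hits for the indicators above."""
    hits = []
    random_mutexes = defaultdict(set)    # pid -> random-looking mutex names
    svchost_children = defaultdict(int)  # parent image -> svchost.exe children
    for line in lines:
        ev = parse_event(line)
        kind = ev.get("type")
        if kind == "registry_set" and ev.get("target", "").lower() == PERSISTENCE_VALUE:
            hits.append(("high", "Run-key persistence: " + ev["target"]))
        elif kind == "file_create" and ev.get("path", "").lower().endswith("\\" + DROPPED_FILENAME):
            hits.append(("high", "dropped copy: " + ev["path"]))
        elif kind == "mutex_create":
            name = ev.get("name", "")
            if name == PRIMARY_MUTEX:
                hits.append(("high", "infection marker mutex: " + name))
            elif RANDOM_MUTEX_RE.match(name):
                random_mutexes[ev.get("pid")].add(name)
        elif kind == "process_create" and ev.get("image", "").lower().endswith("\\svchost.exe"):
            # svchost.exe is normally started by services.exe; any other parent is odd.
            parent = ev.get("parent", "").lower()
            if not parent.endswith("\\services.exe"):
                svchost_children[parent] += 1
    for pid, names in random_mutexes.items():
        if len(names) >= 3:
            hits.append(("low", f"pid {pid} created {len(names)} random-looking mutexes"))
    for parent, count in svchost_children.items():
        if count >= 3:
            hits.append(("medium", f"{count} svchost.exe processes spawned by {parent}"))
    return hits


def verdict(hits):
    """Collapse the hits into a single verdict: a high-confidence indicator is enough
    on its own; the two weaker behaviours only matter together."""
    levels = {conf for conf, _ in hits}
    if "high" in levels:
        return "infected"
    if "medium" in levels and "low" in levels:
        return "suspicious"
    return "clean"


# Constructed sample telemetry reproducing the behaviour described above.
SAMPLE_LOG = """\
type=process_create pid=1204 image=C:\\Users\\alice\\AppData\\Local\\Temp\\dropped.exe parent=C:\\Windows\\explorer.exe
type=mutex_create pid=1204 name=huxdeacotlag
type=registry_set pid=1204 target=HKCU\\software\\microsoft\\windows\\currentversion\\run\\huxdeacotlag
type=file_create pid=1204 path=C:\\Users\\alice\\huxdeacotlag.exe
type=mutex_create pid=1204 name=bqqtoqd92636
type=mutex_create pid=1204 name=faxdkmk85433
type=mutex_create pid=1204 name=jhxejwv40484
type=process_create pid=1310 image=C:\\Windows\\System32\\svchost.exe parent=C:\\Users\\alice\\huxdeacotlag.exe
type=process_create pid=1322 image=C:\\Windows\\System32\\svchost.exe parent=C:\\Users\\alice\\huxdeacotlag.exe
type=process_create pid=1340 image=C:\\Windows\\System32\\svchost.exe parent=C:\\Users\\alice\\huxdeacotlag.exe
type=process_create pid=1500 image=C:\\Windows\\System32\\svchost.exe parent=C:\\Windows\\System32\\services.exe
""".splitlines()

if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for conf, desc in found:
        print(f"[{conf}] {desc}")
    print("verdict:", verdict(found))
```

On the sample log the script reports three high-confidence hits (mutex, Run key, dropped file), one low-confidence hit for the three random mutexes and one medium hit for the three svchost.exe children of the dropped copy; the svchost.exe started by services.exe is ignored.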

The malware is capable of infecting both 32-bit and 64-bit versions of various Microsoft Windows operating systems. We saw the malware checking for the following upon execution:

  • IsWow64Process
  • UndefinedOS
  • Win8
  • WinServer2012
  • Win7
  • WinServer2008R2
  • WinServer2008
  • Vista
  • WinHomeServer
  • WinServer2003R2
  • WinServer2003
  • WinXP64
  • WinXP
  • Win2K

The primary process checks for Internet connectivity, as well as for unfiltered outbound access on the SMTP port (TCP 25), by attempting to connect to the following mail servers:

  • smtp.compuserve.com
  • mail.airmail.net
  • smtp.directcon.net
  • smtp.sbcglobal.yahoo.com
  • smtp.mail.yahoo.com
  • smtp.live.com

Following a successful check of network access, the malware downloads a second-stage file, spawns several instances of svchost.exe and injects malicious code into them. If no SMTP access is found, it will not launch the spam module. If all checks are successful, we have seen between three and five svchost processes spawned.
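From the network side, the SMTP egress probe against a fixed set of public mail servers, followed by connections to many distinct SMTP hosts in a short window, is a more durable signal than any single domain in the decoy traffic. The sliding-window detector below is an added example for this page, not SonicWall's code or a description of the IPS signature; it consumes constructed flow records (timestamp, source IP, destination host, destination port), and the source addresses, relay name and window/threshold values are assumptions. The probe server list is taken from the analysis above.

```python
from collections import defaultdict, deque

# Mail servers the bot contacts to test for unfiltered SMTP egress (from the analysis above).
PROBE_MAIL_SERVERS = {
    "smtp.compuserve.com", "mail.airmail.net", "smtp.directcon.net",
    "smtp.sbcglobal.yahoo.com", "smtp.mail.yahoo.com", "smtp.live.com",
}


def detect_smtp_abuse(flows, window=300, fanout_threshold=10, probe_threshold=3):
    """flows: iterable of (epoch_seconds, src_ip, dst_host, dst_port) sorted by time.
    Returns {src_ip: [alert, ...]}. Each alert type fires at most once per source."""
    alerts = defaultdict(list)
    recent = defaultdict(deque)   # src -> (ts, dst) for port-25 flows inside the window
    probed = defaultdict(set)     # src -> probe servers contacted so far
    fired = set()
    for ts, src, dst, port in flows:
        if port != 25:
            continue                      # the HTTP decoy noise is ignored here
        if dst in PROBE_MAIL_SERVERS:
            probed[src].add(dst)
            if len(probed[src]) >= probe_threshold and (src, "probe") not in fired:
                fired.add((src, "probe"))
                alerts[src].append(f"probe: {src} tested SMTP egress against "
                                   f"{len(probed[src])} known probe servers")
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # drop flows that fell out of the window
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= fanout_threshold and (src, "fanout") not in fired:
            fired.add((src, "fanout"))
            alerts[src].append(f"fanout: {src} reached {len(distinct)} distinct SMTP "
                               f"hosts within {window}s")
    return dict(alerts)


def build_sample_flows():
    """Constructed flow records: one workstation talking to its corporate relay,
    and one bot doing the egress probe, decoy HTTP requests and a spam fan-out."""
    t0 = 1_389_900_000   # arbitrary epoch seconds (January 2014)
    flows = []
    for i in range(20):                                   # benign: same relay every 30 s
        flows.append((t0 + 30 * i, "10.0.0.9", "mail.corp.example", 25))
    for i, server in enumerate(sorted(PROBE_MAIL_SERVERS)[:4]):   # bot: egress probe
        flows.append((t0 + 5 * i, "10.0.0.5", server, 25))
    for i in range(30):                                   # bot: decoy web noise
        flows.append((t0 + 20 + 4 * i, "10.0.0.5", f"decoy{i}.example.org", 80))
    for i in range(12):                                   # bot: spam fan-out
        flows.append((t0 + 60 + 10 * i, "10.0.0.5", f"mx{i}.example.net", 25))
    return sorted(flows)


if __name__ == "__main__":
    for src, found in detect_smtp_abuse(build_sample_flows()).items():
        for alert in found:
            print(alert)
```

The workstation that repeatedly talks to one relay never raises an alert because its distinct-destination count stays at one; the bot raises the probe alert on its third probe server and the fan-out alert once it has reached ten distinct SMTP hosts inside the five-minute window. Tune fanout_threshold upward for hosts that legitimately relay mail.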


Three svchost.exe processes spawned directly from the main malware process.


The svchost.exe processes performing network communications.

The first instance appears responsible for generating the majority of the decoy traffic. It contains a large list of realistic User-Agent strings that are used for the decoy requests.


Some of the decoy requests seen.

The second injected component appears to be a well-known infostealer family, Tepfer. This module is responsible for stealing user credentials, with a focus on FTP and e-mail accounts, and exits once it has checked every supported application. More detailed analysis of this family can be found in our previous SonicAlerts on Tepfer. The following is a list of applications the malware checks for credentials to steal:

    FTP/Remote File Access

    • Far Manager
    • Ghisler Windows Commander
    • Ghisler Total Commander
    • Ipswitch WS_FTP
    • GlobalSCAPE CuteFTP
    • FlashFXP
    • FileZilla Client
    • FTP Navigator
    • FTP Commander
    • BulletProof FTP Client
    • TurboFTP
    • Sota FFFTP
    • CoffeeCup Software
    • FTPWare COREFTP
    • FTP Explorer
    • Frigate3
    • VanDyke SecureFX
    • UltraFXP
    • FTPRush
    • Cryer WebSitePublisher
    • BitKinex
    • ExpanDrive
    • NCH Software ClassicFTP
    • SoftX.org FTPClient
    • GPSoftware Directory Opus
    • CoffeeCup Software
    • LeapFTP
    • NetDrive
    • South River Technologies WebDrive
    • AceBit
    • Wise FTP
    • FTPVoyage
    • Leech FTP
    • WinFTP
    • FTPGetter
    • Estsoft ALFTP
    • Internet Explorer
    • Deluxe FTP
    • Staff-FTP
    • Blaze FTP
    • Fresh FTP
    • Global Downloader
    • FTP++
    • GoFTP
    • 3D-FTP
    • EasyFTP
    • NetSarang
    • FTP Now
    • Robo-FTP
    • LinasFTP
    • Cyberduck
    • NppFTP
    • FTPShell
    • MAS-Soft FTPInfo
    • WinZip
    • NovaFTP

    Browsers

    • FireFox
    • Flock Browser
    • Opera
    • Chrome
    • Chromium
    • Bromium
    • Nichrome
    • Comodo
    • RockMelt
    • K-Meleon
    • FastStone Browser
    • ChromePlus

    Mail Clients

    • Windows Mail
    • Windows Live Mail
    • IncrediMail
    • Pocomail
    • The Bat!
    • Microsoft Outlook
    • ThunderBird

    Other

    • PuTTY

We are still investigating the full functionality of the last module injected into svchost.exe, but it appears to be the module that performs the spamming. This module has also been seen running in multiple svchost processes simultaneously. We will provide an update with more information on this module’s functionality.

Among the many HTTP requests observed, the volume of traffic appears to be an attempt to obscure a much smaller number of interesting communications. One response from ‘budbad.com’ contained a very large HTML comment of base64-encoded data, placed at the end of a very long and unremarkable-looking HTML page. Further analysis has confirmed this is the encrypted second stage that is downloaded before the svchost.exe processes are spawned.

Below is a small sample of the SMTP and HTTP connections observed making up the decoy traffic.

  • 144.76.136.216:25
  • 321equipment.com:80 (74.86.251.210)
  • 78rpm.net:80 (210.172.144.178)
  • absolument-feminin.com:25 (46.105.105.199)
  • absolument-feminin.com:80 (46.105.105.199)
  • coe.pku.edu.cn:80 (162.105.5.245)
  • dkhw.de:25 (213.239.241.139)
  • dkhw.de:80 (213.239.241.139)
  • esra.edu:80 (87.98.251.33)
  • fotowork.ca:25 (74.208.96.241)
  • fotowork.ca:80 (74.208.96.241)
  • fraser-high.school.nz:80 (210.48.67.144)
  • jeinsurance.com:25 (69.160.74.51)
  • jeinsurance.com:80 (69.160.74.51)
  • justconnect.co.za:80 (5.9.122.172)
  • kagazy.kz:25 (95.57.120.55)
  • lazos.org.mx:80 (209.172.57.153)
  • macons.co.in:25 (174.132.183.227)
  • macons.co.in:80 (174.132.183.227)
  • ompgp.co.jp:80 (204.227.165.46)
  • panoramamcc.org.au:25 (180.150.134.33)
  • panoramamcc.org.au:80 (180.150.134.33)
  • pbp.sieradz.pl:80 (94.152.8.28)
  • quanta.org.uk:25 (198.91.82.109)
  • quanta.org.uk:80 (198.91.82.109)
  • rea-soft.ru:80 (78.47.135.34)
  • schiedel.it:80 (217.145.99.26)
  • sdlp.ie:80 (141.101.117.223)
  • vitrea.pl:25 (212.85.125.160)
  • vitrea.pl:80 (212.85.125.160)
  • zuisousha.co.jp:25 (210.136.185.51)
  • zuisousha.co.jp:80 (210.136.185.51)

Recent activity of this threat in the wild:

The following HeatMap shows the geographic distribution of this attack:

Dell SonicWALL UTM appliance provides protection against this threat with the following signatures:

  • GAV: Wigon.PH_44 (Trojan)
  • IPS: 9828 Cutwail Infection Activity 1