JOSE MIGUEL ESPARZA
INTERNALS OF A SPAM DISTRIBUTION BOTNET
WHO AM I?
@EternalToDo
• Jose Miguel Esparza
• Head of Threat Intelligence at Blueliv
• Ex Fox-IT and S21sec
• Malware and Threat Analysis
• Gathering intelligence from botnets & actors
• Relations with industry peers and LEAs
• Collaboration is key in the fight against cybercrime!
TLP: WHITE
AGENDA
▪ Introduction to spam distribution botnets
▪ Onliner Spambot: evolution and insights
▪ Actor behind Onliner Spambot
▪ Wrapping up
INTRODUCTION TO SPAM DISTRIBUTION BOTNETS
▪ Botnets used to distribute spam
  ▪ Malware (links or attachments)
  ▪ Phishing
  ▪ Simple spam: pharma, viagra, dating, porn, etc.
▪ Most of them send the required data from the C&C:
  ▪ Template
  ▪ Senders / Credentials
  ▪ Recipients
  ▪ Links / Attachments
  ▪ Headers
▪ Spam distribution botnets in current landscape
  ▪ Necurs
  ▪ Emotet
  ▪ Onliner Spambot
▪ Necurs
  ▪ Well-known spam botnet
  ▪ Huge P2P botnet
  ▪ Used by Dridex/Locky in the past, among others (ARS Loader, next talk!)
  ▪ Still active, currently spreading pharma/viagra spam
  ▪ Spamming URLs pointing to pharma/viagra sites
  ▪ Not using valid credentials but open relay servers (apparently still a thing)
  ▪ Spam volume: 372K/day → 15K/hour → 260/min → 4/sec
  ▪ 4.6M different URLs pointing to SPAM → Almost a new URL per e-mail, almost no duplicates!
  ▪ 212K different sender e-mails → ~25 emails per sender
  ▪ ~10 different recipients per email
  ▪ Recipients are mainly Hotmail and Yahoo e-mails
  ▪ Mostly auto-generated e-mail addresses
    ▪ Example of an auto-generated recipient address: andyunde + xxx @hotmail.com
▪ Emotet
  ▪ Reborn as malware distribution service
  ▪ Usual droppers are PDF/DOCs
  ▪ Usual payloads are TrickBot, Bokbot/IcedID, PandaBanker…
    ▪ Plus Emotet itself (self-propagation)
  ▪ Modular
    ▪ Stealer: credentials and e-mail addresses collector
    ▪ Spammer
  ▪ Using stolen credentials (valid and not so valid) to send spam
  ▪ Spam volume: 185K/day → 7.7K/hour → 128/min → 2/sec
  ▪ Using attachments (PDF/DOC) and download links
  ▪ 50K different sender e-mails → ~90 emails per sender/credential
    ▪ 15K different domains
      ▪ ~65% generic TLDs like .com, .org, .net…
      ▪ ~8% LatAm
      ▪ ~6% German domains
  ▪ Just 1 recipient per email
  ▪ Same subject used for ~15 different recipients
    ▪ TAX, IRS, Invoice, Order, Payment, Bestellungseingang…
  ▪ Recipients are mainly corp e-mail addresses
    ▪ Some auto-generated e-mail addresses
    ▪ 1.2M different domains
      ▪ ~70% generic TLDs like .com, .org, .net…
      ▪ ~10% German domains
      ▪ ~2.5% UK
      ▪ ~2% US + CA
    ▪ Sometimes more geolocated, like the German campaigns
▪ Onliner Spambot
  ▪ Not so well-known until…
  ▪ Using compromised credentials to send spam
  ▪ Used as a “bases” checker (SMTP/IMAP credentials)
  ▪ Mainly distributing malware (phishing in some cases)
ACTOR BEHIND ONLINER SPAMBOT
▪ Price was 350$ (monthly fee) + 50$/new module
▪ Capabilities include sending 2 emails/minute with 1 recipient
  ▪ Faster using cc (of course)
▪ Supplying builder/panel but activation needed
▪ Quite likely Russian origin (surprise!! ;p)
ONLINER SPAMBOT: EVOLUTION AND INSIGHTS
▪ Modular approach
  ▪ Main exe downloading encrypted DLLs (modules)
  ▪ A different module for a different functionality
  ▪ Extra module, extra $$$
▪ Modules
  ▪ Mailer (base)
  ▪ SMTP Checker (base)
  ▪ Brute SMTP
  ▪ Brute Admin Panel
  ▪ IMAP Checker
  ▪ Socks Checker
  ▪ Shells
▪ Communication with C&C
  ▪ HTTP traffic
  ▪ Mix of GET and POST requests
  ▪ Base64 for some parameters
  ▪ Numeric parameters → Not easy to find out the functionality
▪ Communication with C&C, step by step
  1. Request to download modules (?dll=xxx)
     ▪ Simple XOR encryption
  2. Each module
     1. Using GET parameter to identify the module (?1001=xxx)
        ▪ 1001=1 → BruteSMTP
        ▪ 1001=2 → CheckerSMTP
        ▪ 1001=3 → BruteAdminPanel
        ▪ 1001=4 → MailerSMTP
        ▪ 1001=5 → CheckerIMAP
     2. Request to download necessary legitimate DLLs (?f1=mydll)
        ▪ libeay32.dll (SSL)
        ▪ ssleay32.dll (SSL)
        ▪ 7z.dll (7zip)
  3. Requests to receive tasks (zip files)
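From the defender's side, the request pattern above is easy to sweep proxy logs for. The following Python is an added example, not code from the talk: the `dll`, `1001` and `f1` parameter names and the module id table come from the slides, while the proxy-log format, the client IPs and the `c2.invalid` hostname are constructed. It classifies each request URL by C&C stage and flags clients that walk through more than one stage.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# ?1001=<n> identifies which module is checking in (table from the talk)
MODULE_IDS = {
    "1": "BruteSMTP",
    "2": "CheckerSMTP",
    "3": "BruteAdminPanel",
    "4": "MailerSMTP",
    "5": "CheckerIMAP",
}

# Legitimate helper libraries the bot fetches with ?f1=<name>
HELPER_DLLS = {"libeay32.dll", "ssleay32.dll", "7z.dll"}


def classify_request(url):
    """Map one request URL to an Onliner C&C stage, or None if it does not match.

    Returns (stage, detail) with stage in
    'module_download', 'module_checkin', 'helper_dll_download'.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if "dll" in params:                       # step 1: encrypted module DLL
        return ("module_download", params["dll"][0])
    if "1001" in params:                      # step 2.1: module identifies itself
        mid = params["1001"][0]
        return ("module_checkin", MODULE_IDS.get(mid, "unknown-module-" + mid))
    if "f1" in params:                        # step 2.2: legitimate DLL download
        name = params["f1"][0].lower()
        tag = "expected" if name in HELPER_DLLS else "unexpected"
        return ("helper_dll_download", "%s (%s)" % (name, tag))
    return None


def scan_proxy_log(lines):
    """Group matching requests per client IP.

    Each line is 'timestamp client_ip method url status' (constructed format).
    Returns {client_ip: [(timestamp, stage, detail), ...]}.
    """
    hits = defaultdict(list)
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, client, _method, url, _status = fields[:5]
        result = classify_request(url)
        if result is not None:
            hits[client].append((ts,) + result)
    return dict(hits)


def suspicious_clients(hits, min_stages=2):
    """Clients that walked through at least min_stages distinct C&C stages.

    One odd query string is noise; a host that downloads a module and then
    checks in as that module matches the sequence described in the talk.
    """
    flagged = {}
    for client, events in hits.items():
        stages = {stage for _ts, stage, _detail in events}
        if len(stages) >= min_stages:
            flagged[client] = sorted(stages)
    return flagged


# Constructed proxy log: one infected host (10.0.0.5) and one benign host.
SAMPLE_LOG = """\
2018-04-02T10:15:01 10.0.0.5 GET http://c2.invalid/gate.php?dll=checker 200
2018-04-02T10:15:03 10.0.0.5 GET http://c2.invalid/gate.php?f1=libeay32.dll 200
2018-04-02T10:15:03 10.0.0.5 GET http://c2.invalid/gate.php?f1=ssleay32.dll 200
2018-04-02T10:15:09 10.0.0.5 POST http://c2.invalid/gate.php?1001=2 200
2018-04-02T10:16:00 10.0.0.7 GET http://downloads.invalid/get?dll=vcredist 200
2018-04-02T10:16:05 10.0.0.7 GET http://intranet.invalid/wiki?page=1001 200
""".splitlines()

if __name__ == "__main__":
    for client, stages in suspicious_clients(scan_proxy_log(SAMPLE_LOG)).items():
        print(client, "->", ", ".join(stages))
```

The benign host hits a single stage only (a `dll=` parameter on an unrelated download) and is not flagged, which is the point of requiring the multi-stage sequence.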
▪ Modules: SMTP checker
  ▪ Criminal uploads a huge list of SMTP credentials
  ▪ The botnet automatically splits that list into pieces and sends them to the bots (zips)
  ▪ Numeric parameters in HTTP POST are timeouts, intervals, error trackers, etc.
  ▪ Each bot will send one e-mail per credential to a control e-mail address
  ▪ This control e-mail account is checked, waiting for a given sender
  ▪ If a message arrives the credential is good, so it is added to a “good” list
  ▪ It tracks errors too
5.5 million SMTP credentials
  ▪ Lists of credentials (“bases”) are bought in underground markets
    ▪ Checked: 50 corp accounts = 150$ WMZ / 175$ BTC
    ▪ Unchecked: 1000 corps/biz (.com) = 350$ WMZ / 385$ in BTC (much cheaper!)
▪ Modules: Mailer
  ▪ Uses the list of good credentials resulting from the SMTP Checker
  ▪ Dispatches tasks to the bots sending:
    ▪ A set of credentials / senders
    ▪ List of recipients
    ▪ A template
    ▪ Mail headers
    ▪ Mail from
    ▪ Mail subject/topic
    ▪ Attachments / links
  ▪ Bots send e-mail to the control account and then to the other recipients
▪ Modules: Mailer
  ▪ Used in the past to distribute Gozi in Italy/Canada (Benkow, 2017)
  ▪ Currently being used by a Canadian actor to steal credentials (AirNaine)
    ▪ Research presented at VirusBulletin 2018 in Montreal (Canada)
    ▪ https://www.virusbulletin.com/conference/vb2018/abstracts/ars-vbs-loader-cause-size-doesnt-matter-right
    ▪ https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/
CASE STUDY: CANADIAN ACTOR USING ONLINER
▪ Actor campaigns
  ▪ 2018
    ▪ Distribution method: Onliner Spambot
    ▪ Dropper: ZIP + Obfuscated Visual Basic Script or JavaScript
    ▪ Payload: ARS Loader / ZeroEvil
    ▪ Additional payload: DarkVNC / ARS Plugins / SmokeLoader / ZeroEvil
    ▪ Recipients
      ▪ Sent to ~10K different e-mail addresses in 3 months
      ▪ More than 90% of those addresses were using a .ca TLD
    ▪ Payload URLs
      ▪ Using compromised websites to host the malicious payload
      ▪ Always changing websites and including more than one per campaign
      ▪ 95% of those URLs using new domains (~950)
      ▪ Almost 1,000 different payload URLs in 3 months
      ▪ Almost 70% of those domains using a .ru TLD
    ▪ Payload filenames
      • CCUA.zip
      • CanadaPost-Tracking.zip
      • CanadaPost.zip
      • CoastCapitalSavings.zip
      • Purolator-Label.zip
      • Purolator-Shipment.zip
      • Purolator-Tracking.zip
      • Purolator.zip
      • e-Transfer.zip
      • savingsStatements.docx
▪ Actor campaigns (updated)
  ▪ 2018
    ▪ Distribution method: Onliner Spambot
    ▪ Dropper: ZIP + Obfuscated Visual Basic Script or JavaScript / Phishing!
    ▪ Payload: ARS Loader / ZeroEvil
    ▪ Additional payload: DarkVNC / ARS Plugins / SmokeLoader / ZeroEvil
▪ Actor modus operandi
  ▪ Buy SMTP credentials and Canadian corp e-mail addresses
  ▪ Check credentials using the Onliner SMTP Checker module
  ▪ Spread malware using the Onliner Mailer module
  ▪ Objective of using malware is to steal banking credentials
  ▪ Connect to online banking to find a way to commit fraud
ONLINER SPAMBOT: EVOLUTION AND INSIGHTS
▪ A new worker/loader appears at the end of March 2018
  ▪ This worker replaces the main Onliner executable
  ▪ It no longer contacts the C&C to fetch the module DLLs
  ▪ Typical loader scheme: the C&C sends a URL to download and execute
  ▪ Still uses the same DLL encryption (XOR)
  ▪ Configurable from the C&C, as usual
    ▪ Specific countries, bot IDs, check intervals…
ONLINER SPAMBOT: EVOLUTION AND INSIGHTS
▪ But how is Onliner being spread?
  ▪ In the past, using Spam+JSDropper (Benkow, 2017)
  ▪ Buying installs in the underground market
  ▪ Lately we have seen SmokeLoader spreading the Onliner worker too
ONLINER SPAMBOT: EVOLUTION AND INSIGHTS
Screenshot of an underground install offer (text as shown on the slide):
1K Mix World installs: $70
1K Mix Europe installs: $400
WRAPPING UP
▪ Spam-distribution botnets are still used today
  ▪ More widely used now than when Exploit Kits were more popular
  ▪ Used to distribute malware, but also phishing and simple spam
  ▪ Some examples: Necurs, Emotet, Onliner Spambot…
▪ Onliner Spambot keeps evolving and improving
  ▪ New approach to loading modules (the worker)
  ▪ The actor still maintains it, though without offering it publicly
▪ Tracking spam-distribution botnets gives lots of insights
  ▪ Payloads, target geolocation, relations between threat actor groups…
ACKNOWLEDGEMENTS
▪ Botconf
▪ Blueliv Labs team (you rock!)
▪ Research community (Benkøw)
▪ Collaboration is key in the fight against cybercrime!