Similar to my previous analysis, this is a multi-download, multi-machine, coordinated campaign.
170 downloads from 2019-11-01T04:32:37-0600 to 2019-11-01T07:31:44-0600, by 170 unique IP addresses.
170 accesses of URLs ending in the names of the downloaded files, by unique IP addresses, from 2019-11-01T04:32:39-0600 to 2019-11-01T07:31:46-0600.
This time there's a lot of overlap: 166 of the downloading IP addresses also made an access. Only 4 IP addresses that made a spam tool download did not try to access a spam tool URL. Only 4 IP addresses that accessed a spam tool URL did not try to download a spam tool. Satisfyingly symmetric.
All downloads, and all but 1 subsequent access, share the same two things as the first campaign, the User-Agent and Accept-Language headers:
ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17
HTTP parameters on this run also indicate the attacker(s) thought they were downloading to 2 different targets: a stock WSO 2.x web shell, and an apikey.php variant. 58 downloads were made to a WSO 2.x web shell, 119 to an apikey.php variant.
This is much less variation in targets than in the previous campaign. The proportion of WSO to apikey.php downloads is drastically different from the earlier campaign.
All of the downloads were made with 1 of 4 different passwords, used indiscriminately between web shell and file gateway targets:

| Password | Count |
|---|---|
| F5d4JH6m1 | 72 |
| as | 58 |
| asdf | 80 |
| t4c3PFr5 | 18 |
Accesses start only 2 seconds after the first download, and accesses and downloads overlap in time.
Intervals between a download and its matching access range from 1 to 10 seconds, with a mean of 3.05 sec and a median of 2.83 sec.
There is one duplicate access; the 2nd access has a different User-Agent string.
This time there are 3 slightly different spamming tools: one that calls PHP's mail(), one calling imap_mail(), and one calling mb_send_mail().

| PHP builtin | Count |
|---|---|
| mail | 62 |
| imap_mail | 53 |
| mb_send_mail | 55 |
- The To: address is always "[email protected]", the same as in the first campaign
- The email body appears to be a randomly-generated number in the range 0 - 1,000,000,000
- 170 unique subject lines: the URLs accessed, double-base64-encoded
- 170 unique sets of extra SMTP headers, this time only "From:" and "MIME-Version:". This is a simplification over the first campaign, which also included "Return-Path", "Content-Type" and "Content-Transfer-Encoding" headers
The "From" addresses look like "[email protected]": a word that is usually a real first name, concatenated with a B-list celebrity's surname, at a domain name that sometimes doesn't exist in a registry ("jkjkgf.com") but mostly does. The domain names appear to be global, with no obvious common traits.
The attacker(s) have streamlined the test emails.
Between the original campaign and this one, does a mark-and-recapture population estimate make sense?
I'll use the number of downloading IP addresses as the sample size.
Population = (First sample size)(Second sample size)/(Number of recaptures)
Number of workers = (569)(179)/1 = 101851
This gives a nonsensical result, too.
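As an added example (not code from the original post), here is how the download-to-access correlation, the IP overlap counts and the mark-and-recapture estimate discussed above can be computed from log records. The IP addresses, file names and timestamps are constructed; only the timestamp format follows the post.

```python
from datetime import datetime
from statistics import mean, median

# Constructed sample records in the shape the post describes:
# (ip, timestamp, file name) for a spam tool download, and
# (ip, timestamp, url) for a later access of a URL ending in that file name.
DOWNLOADS = [
    ("198.51.100.10", "2019-11-01T04:32:37-0600", "x.php"),
    ("198.51.100.11", "2019-11-01T04:33:01-0600", "y.php"),
    ("198.51.100.12", "2019-11-01T04:35:10-0600", "z.php"),
    ("203.0.113.5",   "2019-11-01T05:00:00-0600", "w.php"),  # downloads but never accesses
]
ACCESSES = [
    ("198.51.100.10", "2019-11-01T04:32:39-0600", "/uploads/x.php"),
    ("198.51.100.11", "2019-11-01T04:33:04-0600", "/uploads/y.php"),
    ("198.51.100.12", "2019-11-01T04:35:20-0600", "/uploads/z.php"),
    ("203.0.113.9",   "2019-11-01T05:10:00-0600", "/uploads/q.php"),  # accesses but never downloaded
]

def ts(s):
    # The post's timestamps are ISO 8601 with a numeric UTC offset.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S%z")

def correlate(downloads, accesses):
    """Pair each download with the first later access from the same IP whose URL
    ends in the downloaded file name; return {ip: interval_seconds}."""
    intervals = {}
    for ip, dl_time, fname in downloads:
        later = [ts(t) for a_ip, t, url in accesses
                 if a_ip == ip and url.endswith("/" + fname) and ts(t) >= ts(dl_time)]
        if later:
            intervals[ip] = (min(later) - ts(dl_time)).total_seconds()
    return intervals

def interval_stats(intervals):
    """(min, max, mean, median) of the download-to-access gaps."""
    vals = list(intervals.values())
    return min(vals), max(vals), mean(vals), median(vals)

def overlap_report(downloads, accesses):
    """How many IPs did both, only downloaded, or only accessed."""
    dl_ips = {d[0] for d in downloads}
    ac_ips = {a[0] for a in accesses}
    return {"both": len(dl_ips & ac_ips),
            "download_only": len(dl_ips - ac_ips),
            "access_only": len(ac_ips - dl_ips)}

def lincoln_petersen(first_sample, second_sample, recaptures):
    """Mark-and-recapture estimate from the end of the post; undefined with no recaptures."""
    if recaptures == 0:
        return None
    return first_sample * second_sample / recaptures
```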