Gamut Spambot Analysis

In this blog post, we'll be describing the functionality of a spamming botnet which appears to have been active since at least the first quarter of 2013. Currently, the bot's activity consists of sending job-related junk mail. We've named this spambot "Gamut" based on a string found in the malware body. At this time anti-virus detection is modest but mostly generic.

[Image: Gamut string in the malware body]

Malware Installation:

Gamut was found to be downloaded by a Trojan Downloader that arrives as an attachment to a spam email message. The bot installation is quite simple. After the malware binary has been downloaded, it launches itself from its current directory (usually the Windows %Temp% folder) and installs itself as a Windows service. The following registry key is added as a result of running the service:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WPUms
    Type = 0x00000010
    Start = 0x00000002
    ErrorControl = 0x00000000
    ImagePath = "path to malware executable"
    DisplayName = "WPUms"
    ObjectName = "LocalSystem"

The sample we analyzed uses the name "WPUms" as its service name as well as its mutex name.
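The service values above are the kind of artifact a responder can sweep for across a fleet. The following Python script is an added example, not code from the post or from Trustwave: it parses a constructed excerpt of a "reg export" of the Services hive and flags entries that match the indicators described above (a service binary launched from a Temp directory, the WPUms service name, running as LocalSystem). The WPUms values mirror the post; the ImagePath and the benign Spooler entry are made up for the sample.

```python
import re

# Constructed excerpt of a "reg export HKLM\SYSTEM\ControlSet001\Services" dump.
# The WPUms values mirror those listed in the post; the ImagePath is a made-up
# %Temp% path (the post says the bot launches from there) and Spooler is a
# benign comparison entry, also made up.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WPUms]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"="C:\\Users\\victim\\AppData\\Local\\Temp\\svc.exe"
"DisplayName"="WPUms"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Spooler]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"="C:\\Windows\\System32\\spoolsv.exe"
"DisplayName"="Print Spooler"
"ObjectName"="LocalSystem"
"""

KEY_RE = re.compile(r"^\[(HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet\d+\\Services\\([^\\\]]+))\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

# Service name the post associates with Gamut (also used as the mutex name).
KNOWN_GAMUT_SERVICE_NAMES = {"wpums"}
# Path fragments that should never host a legitimate service binary.
TEMP_MARKERS = ("\\temp\\", "\\appdata\\local\\temp\\")


def parse_services(reg_text):
    """Return {service_name: {value_name: value}} for each Services\\<name> key."""
    services = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(2)
            services[current] = {"key": key.group(1)}
            continue
        if current is None or not line:
            continue
        val = VALUE_RE.match(line)
        if val:
            name, dword, string = val.groups()
            if dword is not None:
                services[current][name] = int(dword, 16)
            else:
                # .reg files escape backslashes inside string values.
                services[current][name] = string.replace("\\\\", "\\")
    return services


def suspicious_services(services):
    """Return {service_name: [reasons]} for services matching the post's indicators."""
    findings = {}
    for name, values in services.items():
        reasons = []
        image = values.get("ImagePath", "").lower()
        if any(marker in image for marker in TEMP_MARKERS):
            reasons.append("ImagePath points into a Temp directory")
        if name.lower() in KNOWN_GAMUT_SERVICE_NAMES:
            reasons.append("service name matches the Gamut sample (WPUms)")
        if reasons and values.get("ObjectName") == "LocalSystem":
            reasons.append("runs as LocalSystem")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in suspicious_services(parse_services(SAMPLE_REG_EXPORT)).items():
        print(name, "->", "; ".join(reasons))
```

The Temp-directory check is the durable indicator here; the service name is sample-specific and a later build could change it, so treat a name match as corroboration rather than the primary signal.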

The malware uses an anti-VM check and terminates itself if it detects that it is running inside a virtual machine. The bot also scatters INT 03h traps through its code, an anti-debugging technique that disrupts execution under a debugger, and it can detect a debugger through the Kernel32 IsDebuggerPresent API.

Command and Control server:

After installation, it phones home to the following domain names:

  • serenaso.in.ua
  • dufoper.in.ua
  • toporung.in.ua
  • retionolo.in.ua
  • arondo.in.ua

Each of the domain names listed above points to the same hosting service provider, Avguro Technologies Ltd, based in Russia.

Domain Names: serenaso.in.ua, dufoper.in.ua, toporung.in.ua, retionolo.in.ua, arondo.in.ua

Record | Name | IP Number | Reverse | Routes | IP Location
A | serenaso.in.ua | 81.177.135.113 | - | 81.177.128.0/18 RTCOMM-RU; AS8342 RTCOMM-AS OJSC RTComm.RU | Avguro Technologies Ltd. Hosting Service Provider, Russian Federation
MX | mail.serenaso.in.ua, mail.dufoper.in.ua, mail.toporung.in.ua, mail.retionolo.in.ua, mail.arondo.in.ua | - | - | - | -
NS | ns1.jino.ru | 217.107.34.200 | ns1.jino.ru | 217.106.0.0/15 RTCOMM-RU; AS8342 RTCOMM-AS OJSC RTComm.RU | Avguro Technologies Ltd. Hosting Service Provider, Russian Federation
NS | ns2.jino.ru | 217.107.217.16 | - | - | -
SOA | hostmaster.jino.ru | - | - | - | -

Older Gamut samples connect to the following domain names:

  • nootmet.in (217.107.219.194)
  • dodomet.in (217.107.219.194)
  • bootmeet.in (217.107.219.194)

The bot initiates by connecting to its command and control server which is hardcoded inside the bot's body:

[Image: hardcoded command and control server address in the bot's body]

The bot then retrieves the SenderClient.conf file from the command and control server. The file contains the bot configuration, such as thread counts, SMTP connection timeout, SMTP sending timeout/attempts, etc.

[Image: contents of the SenderClient.conf configuration file]

Gamut sends the following commands or actions to communicate to its control server:

Command/Action | Definition
GetIP | Request the infected machine's IP address
GetSubscriptionEmailsBlock | Get the list of email addresses to be spammed
GetSubscriptionContent | Get the spam template
EmailsSent | Report back the list of email addresses to which spam was successfully sent
SubscriptionBlockNotSent | Report back the list of email addresses to which spam could not be sent
Port25Open | Tell the control server that port 25 is open
Port25Close | Tell the control server that port 25 is closed
GetPTR | Get the PTR record

The command is sent as an HTTP POST request. The screenshot below shows the command and control communication where the bot sends a GetIP command requesting the infected machine's IP address:

[Screenshot: command and control exchange in which the bot sends a GetIP command]

If the control server fails to obtain the infected machine's IP address, then the bot sleeps for 15 seconds.
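The domain list and the command names above are enough to build a simple egress-log detector. The following Python script is an added example, not code from the post or from Trustwave: it scans constructed proxy log lines for requests to the listed C2 domains (current and older) and for the command strings from the table. The log field layout and the "action=<command>" body format are assumptions; the post only shows the traffic in screenshots, so adapt the regex to your proxy's actual format.

```python
import re
from collections import defaultdict

# Command and control domains listed in the post (current and older infrastructure).
GAMUT_C2_DOMAINS = {
    "serenaso.in.ua", "dufoper.in.ua", "toporung.in.ua", "retionolo.in.ua", "arondo.in.ua",
    "nootmet.in", "dodomet.in", "bootmeet.in",
}
# Command names from the post's table plus the configuration file the bot fetches.
GAMUT_COMMANDS = {
    "GetIP", "GetSubscriptionEmailsBlock", "GetSubscriptionContent", "EmailsSent",
    "SubscriptionBlockNotSent", "Port25Open", "Port25Close", "GetPTR", "SenderClient.conf",
}

# Constructed proxy log lines. The field layout (timestamp client method host path body)
# and the "action=<command>" body format are assumptions, not taken from the post.
SAMPLE_LOG = """\
2014-03-03T10:00:01Z 10.0.0.15 POST serenaso.in.ua /index.php action=GetIP
2014-03-03T10:00:02Z 10.0.0.15 GET serenaso.in.ua /SenderClient.conf -
2014-03-03T10:00:05Z 10.0.0.15 POST serenaso.in.ua /index.php action=Port25Open
2014-03-03T10:00:07Z 10.0.0.22 GET www.example.com /index.html -
2014-03-03T10:01:09Z 10.0.0.22 POST mail.example.org /login user=bob
2014-03-03T10:02:11Z 10.0.0.31 POST cdn.example.net /api action=GetSubscriptionContent
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+) (\S+)$")
COMMAND_RE = re.compile(
    r"\b(" + "|".join(re.escape(c) for c in sorted(GAMUT_COMMANDS)) + r")\b"
)


def classify_line(line):
    """Return a finding dict for a log line that matches Gamut indicators, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, host, path, body = m.groups()
    reasons = []
    if host.lower() in GAMUT_C2_DOMAINS:
        reasons.append("destination is a known Gamut C2 domain")
    cmd = COMMAND_RE.search(path + " " + body)
    if cmd:
        reasons.append("request carries Gamut command string " + cmd.group(1))
    if not reasons:
        return None
    # Both indicators together are high confidence; a command string alone could be
    # a coincidental parameter name on an unrelated site and deserves a second look.
    confidence = "high" if len(reasons) == 2 else "medium"
    return {"ts": ts, "client": client, "method": method, "host": host,
            "reasons": reasons, "confidence": confidence}


def scan_log(text):
    """Group findings by internal client address so each infected host surfaces once."""
    by_client = defaultdict(list)
    for line in text.splitlines():
        finding = classify_line(line)
        if finding:
            by_client[finding["client"]].append(finding)
    return dict(by_client)


if __name__ == "__main__":
    for client, findings in scan_log(SAMPLE_LOG).items():
        for f in findings:
            print(client, f["confidence"], f["host"], "|", "; ".join(f["reasons"]))
```

Grouping by client rather than by request matters operationally: one infected machine produces a GetIP, a configuration fetch and a Port25Open/Port25Close report within seconds of each other, and that sequence is what a responder wants to see as a single incident.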

Spam Engine:

After installation, Gamut probes outbound SMTP on port 25 from the infected system by sending a test SMTP transaction to mail.ru and hotmail.com. After the SMTP test, it reports to the command and control server whether port 25 is open or closed.

[Screenshot: the bot sends a POST request with the Port25Open action when the SMTP test is successful]

If the SMTP test is successful, then the bot will request the spam template and email list from the command and control server. If the test is not successful, the bot will sleep for 12 hours.

The Wireshark TCP stream screenshot below shows how the bot requests the spam template using the GetSubscriptionContent command.

[Screenshot: Wireshark TCP stream of the GetSubscriptionContent request]

If the spam template is empty or broken, the bot sleeps for 1 minute and then attempts another request to the command and control server.

Here is a basic flowchart of Gamut's SMTP engine.

[Figure: basic flowchart of Gamut's SMTP engine]

A single Gamut spambot can send at least 60,000 spam messages per day depending on the number of target email addresses received from the control server.
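Because the bot delivers directly to recipients' mail servers rather than through the organization's relay, its volume stands out in flow data. The following Python script is an added example, not code from the post or from Trustwave: it turns the post's figure of at least 60,000 messages a day into a per-minute rate (roughly 42) and flags any internal host whose direct outbound port-25 connection rate, averaged over a sliding window, reaches it. The flow records, addresses and the relay address 10.0.0.5 are constructed for the sample.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def gamut_rate_per_minute(messages_per_day=60_000):
    """Per-minute rate implied by the post's figure of at least 60,000 messages a day."""
    return messages_per_day / (24 * 60)


def build_sample_flows():
    """Constructed flow records (timestamp, src_ip, dst_ip, dst_port); not real traffic."""
    flows = []
    start = datetime(2014, 3, 3, 10, 0, 0)
    # Infected workstation: 50 direct-to-MX connections per minute for ten minutes.
    for minute in range(10):
        for i in range(50):
            flows.append((start + timedelta(minutes=minute, seconds=i),
                          "10.0.0.15", f"198.51.100.{i + 1}", 25))
    # Ordinary workstation: two submissions through the corporate relay.
    flows.append((start + timedelta(minutes=3), "10.0.0.22", "10.0.0.5", 25))
    flows.append((start + timedelta(minutes=8), "10.0.0.22", "10.0.0.5", 25))
    # The relay itself delivering outbound mail (legitimate, so excluded below).
    for minute in range(10):
        flows.append((start + timedelta(minutes=minute), "10.0.0.5", "203.0.113.10", 25))
    return flows


def find_spam_senders(flows, allowed_relays, threshold_per_minute=None, window_minutes=5):
    """Return {src_ip: stats} for hosts whose direct outbound port-25 rate, averaged over
    any window of `window_minutes`, reaches the threshold (default: Gamut's daily rate)."""
    threshold = gamut_rate_per_minute() if threshold_per_minute is None else threshold_per_minute
    per_minute = defaultdict(Counter)
    destinations = defaultdict(set)
    for ts, src, dst, port in flows:
        # Only direct-to-internet SMTP counts; traffic from or to the relay is expected.
        if port != 25 or src in allowed_relays or dst in allowed_relays:
            continue
        per_minute[src][ts.replace(second=0, microsecond=0)] += 1
        destinations[src].add(dst)
    findings = {}
    window = timedelta(minutes=window_minutes)
    for src, buckets in per_minute.items():
        minutes = sorted(buckets)
        peak = 0.0
        for begin in minutes:
            total = sum(buckets[m] for m in minutes if begin <= m < begin + window)
            peak = max(peak, total / window_minutes)
        if peak >= threshold:
            findings[src] = {"peak_per_minute": peak,
                             "distinct_destinations": len(destinations[src])}
    return findings


if __name__ == "__main__":
    for src, stats in find_spam_senders(build_sample_flows(), {"10.0.0.5"}).items():
        print(src, stats)
```

In practice the cleaner control is to block port 25 egress for everything except the relay, which turns the bot's own Port25Close path into the outcome: the post notes the bot sleeps for 12 hours when its SMTP test fails. The rate check above is for environments where that block is not yet in place.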

Spam Campaign:

It appears that Gamut's current spam campaign is actively targeting job seekers. Here is a sample spam sent by Gamut:

[Image: sample spam message sent by Gamut]

Here are a few of the subject lines that the bot may use:

  • A great offer
  • A great offer of employment
  • A great offer of employment in our new store
  • A vacancy in our new store for you
  • Application for a vacancy
  • Application for a vacancy in our new store
  • Employee needed
  • More opportunities
  • More opportunities of employment
  • More opportunities of employment in our new store
  • New vacancies opened
  • New vacancies opened in our newly opened store
  • New vacancy
  • New vacancy in our shop
  • New vacancy in recently launched store!
  • Sales assistant vacancy
  • Vacancy of a sales assistant in our new shop
  • Vacancy online
  • We have a need in a sales assistant in our new store
  • We search for employees
  • We invite you to try yourself in our company
  • We invite you to try yourself as a professional in our company
  • We invite you to try yourself
  • We invite you to try
  • We invite you to join our united team
  • We invite you to join our united qualified team
  • We invite you
  • Our company offers you to join our close knit qualified team
  • Our company offers an interesting position
  • New vacancy in our team
  • New vacancy in our professional team
  • Join our united team
  • A great chance to join our professional team
  • A position in our company is available
  • A position in our united qualified team is waiting for you

The link in the message body points to a dodgy job website where the victim's name and email address are required for the hiring process. We tested signing up with fake names and email addresses, but we never received a reply. Most likely, the email addresses entered are harvested by the spammers.

[Image: job website linked from the spam message]

Trustwave Secure Email Gateway protects our customers from this spam campaign.

Conclusion:

The Gamut botnet was designed purely to send spam. It has a very simple command and control infrastructure and an equally simple spamming engine. We brought this bot into focus because simple botnets like Gamut sometimes fly under the radar. Currently, it accounts for less than 5% of total spam volume. This spam botnet, however, appears to be growing and has the capability to send massive amounts of spam.

 
