CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Tracking the Chameleon Spam Campaign

In this blog, we draw attention to a persistent high-volume spam campaign that has been very prominent in our spam traps recently. The various campaigns emanate from the same spam botnet system and often resemble phishing messages, although they are typically not. The messages have randomized headers, and the templates often change, hence the moniker ‘Chameleon.’

We observed high volumes of spam messages sent by this botnet from 14th August 2019 till the day of publishing this blog. These spam messages originated from all over the globe as shown in Figure 1 and 2. The initial spam messages seen were variations of fake job spam messages purportedly coming from an ex-colleague having a link to the “job posting” or the “job offer” as shown in Figure 3. However, the spam messages varied almost systematically with subsequent iterations of the botnet’s outbursts.



Figure 1: Volume of Spam messages sent out by this botnet on a daily and hourly basis. The line graph shows the trends observed from mid-August to early Sept 2019



Figure 2: Pill Spam botnet traffic Geo-location Pie chart


On closer inspection, we found that these spam messages had similar unique email header and body characteristics indicating that they were being sent from the same botnet. Some unique characteristics of these messages are listed here:

  1. Messages originated from geographically distributed sources but used similar unique SMTP transaction commands on connection.
  2. The spam message email header had a couple of unique features. The first being that valid email header fields like "From", "To", "Message-ID", "Content-Transfer-Encoding", "Content-Type" etc. appeared in random order in subsequent messages. Secondly, random headers containing gibberish text were inserted at random positions within the email header, as shown in Figure 4. These headers, however, have no value and have been placed to evade detection from rule-based systems by introducing randomization.
  3. The spam email subject is purposefully kept short and meaningful to lure the curious victim into opening a message from their ex-colleague, as shown in Figure 3 and 6.
  4. The spam email body is also kept brief yet meaningful enough to encourage the unwitting victim to click on the link, as shown in Figure 3.
  5. Many of the lure URLs embedded in messages from this spam botnet seem to be of compromised WordPress sites.
  6. The email body HTML has random HTML elements inserted at random positions within legit HTML tags, as shown in Figure 5. This is another specialized tactic used by this spam to evade detection.

Looking at the spam volume graph for this botnet (Fig 1), we see regular bursts, followed by long periods of no activity. The regular bursts are in the form of a triangle wave pattern suggesting an almost periodic, odd harmonic. We believe this reflects the internals of the spambot that was designed with the capability to periodically change its spam templates to continue spamming with yet another variation to evade detection, as shown in Fig 3, 7 and 8.



Figure 3: Variations of the Fake Job spam messages sent by the Spambot



Figure 4: Random headers inserted into the Email header by this Spambot to evade detection



Figure 5: Random HTML elements inserted with legit HTML tags by the scammers to evade detection


At this stage, we have not pinpointed the spamming malware behind these campaigns, here is a list of unique IP addresses we saw the spam is originating from If anyone has any insight, drop us a line.

Over the weeks, this botnet has sent out a wide range of spam variants. Some of them are listed here:

  1. Fake Google personal or private messages (see Figure 7)
  2. Fake email account security alerts (Fig 8)
  3. Fake broken or undelivered email messages from a mail server
  4. Fake LinkedIn message and profile view messages (Fig 8)
  5. Fake FedEx delivery notification (Fig 8)
  6. Fake airline booking invoice (Fig 8)

Variation in subjects of the spam messages generated by this spambot can be seen in Fig 6


Figure 6: Top Subject Lines


Here are some of the URLs embedded in the spam messages:

  • hxxp://hrprecise[.]com/wp-content/themes/twentyseventeen/culminatingk.html
  • hxxp://gebit[.]ovh/wp/wp-content/uploads/2019/blasezf.html
  • hxxp://plomeroelectricista[.]
  • hxxp://liv3performance[.]
  • hxxp://gurudevphoto[.]com/wp-content/uploads/excitezk.html
  • hxxp://themotheraccounting[.]com/wp-content/themes/mixupj.html
  • hxxp://radioconexionamoremio[.]com/wp/wp-content/uploads/schedulingy.html
  • hxxp://vimaxkapsulcanada[.]com/wp-content/uploads/2019/muy.html
  • hxxp://www.jiangyanyan[.]xyz/wp-content/persuasiverv.html
  • hxxp://ngandassociates[.]com/wp-content/uploads/rashnessyl.html
  • hxxp://website.carsteamspa[.]com/wp-content/illuminateq.html
  • hxxp://accesuniversel[.]
  • hxxp://www.dostbiri[.]com/wp-content/uploads/titlesz.html

It can be seen here that these are all WordPress URLs indicating that they are most likely compromised sites that the scammers used to host their infrastructure on. The URLs use random html page names, e.g.:’ unsatisfyingu.html’.



Figure 7: Fake personal or private message lure spam purportedly sent via Google service



Figure 8: Spam Variants from this botnet


Clicking and following the embedded links in the spam message we noticed that our test browser was bounced off a couple of redirector sites before it reached the final landing page. Looking closer, we observed that all the spam links pointed to initial redirector pages hosting the same JavaScript content, as shown in figure 9.

Analyzing the spam URLs, we concluded that the scammers used compromised WordPress sites as intermediary nodes to host part of their infrastructure on. The redirector JavaScript code is often hosted on such sites to route traffic onto the malicious infrastructure. This solution fits nicely with the short-lived nature of a spam or phishing campaign. It enables the scammer to hide in plain sight or rather in a “plain website” enjoying a good reputation on the internet.

Clicking on the link in the spam message downloads this JavaScript that is basically a redirector and redirects the browser using the “” method to hxxp://world-diets[.]world/?a=1nrN&c=cp&b=19082019

This destination site used an SSL certificate signed by the free service "Let's Encrypt" giving it a legit appearance. Recently newer campaigns have been seen using similar redirection code but redirecting to a slightly different site: hxxp://health4life[.]world/?a=1nrN&c=cp&s=280819&b=2

Both domains "" and "" were also recently created and had their whois info redacted.


Figure 9: Redirector JavaScript hosted at the spam links



Figure 10: Flowchart of the Spam campaign


At the time of inspection, when we click on links from all these spam messages, we were redirected to the final landing page “”. The complete flow is shown in the flowchart in Figure 10. This site was hosting a Canadian Pharmacy Pill spam site as can be seen in Fig 11, 12, and 13. The site had an active e-commerce cart system to purchase medicine and receive payment and shipping information from customers. This online store claims it doesn’t require a prescription and is happy to sell the usual set of medication, including Cialis, Viagra, Levitra, etc. This domain was recently created and registered to a free Gmail email address, as shown here:



Figure 12: Fake Pill site About Us page



Figure 13: Fake Canadian Pharmacy Pill Spam Site with E-commerce capability

Occasionally some of the spam links would lead to fake bitcoin purchase sites, as shown in Figure 14 and 15. This indicates that the spam campaign circled through these two types of spam sites using some rotation logic. This sophisticated and transient infrastructure powered by a powerful versatile and distributed spamming botnet enables the scammer to launch any campaign with minimum effort. As of now the nature of the spam is centered around pill spam and fake bitcoin spam, however, this could potentially shift to serve Phishing or even Malware.

The Trustwave Secure Email Gateway detects and blocks these spam campaigns.

We would like to acknowledge and thank Phil Hay for his valuable advice and support for this publication.



Figure 14: Fake Bitcoin spam page



Figure 15: Fake Bitcoin Spam

Latest SpiderLabs Blogs

EDR – The Multi-Tool of Security Defenses

This is Part 8 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here.

Read More

The Invisible Battleground: Essentials of EASM

Know your enemy – inside and out. External Attack Surface Management tools are an effective way to understand externally facing threats and help plan cyber defenses accordingly. Let’s discuss what...

Read More

Fake Dialog Boxes to Make Malware More Convincing

Let’s explore how SpiderLabs created and incorporated user prompts, specifically Windows dialog boxes into its malware loader to make it more convincing to phishing targets during a Red Team...

Read More