Tracking the Chameleon Spam Campaign

In this blog we draw attention to a persistent, high-volume spam campaign that has been very prominent in our spam traps recently. The various campaigns emanate from the same spam botnet and often resemble phishing messages, although they typically are not. The messages have randomized headers, and the templates change often, hence the moniker ‘Chameleon’.

We observed high volumes of spam sent by this botnet from 14 August 2019 until the day this blog was published. The messages originated from all over the globe, as shown in Figures 1 and 2. The first messages we saw were variations of a fake job spam, purportedly from an ex-colleague, containing a link to the “job posting” or “job offer”, as shown in Figure 3. The messages then varied almost systematically with each subsequent burst of activity from the botnet.

 

Figure 1: Volume of spam messages sent by this botnet per day and per hour. The line graph shows the trend observed from mid-August to early September 2019

 

Figure 2: Geolocation of the spam botnet's traffic (pie chart)

 

On closer inspection, we found that these spam messages shared distinctive email header and body characteristics, indicating that they were sent from the same botnet. Some of these characteristics are listed here:

  1. Messages originated from geographically distributed sources but used the same distinctive SMTP transaction commands on connection.
  2. The email header had two unusual features. First, valid header fields such as "From", "To", "Message-ID", "Content-Transfer-Encoding" and "Content-Type" appeared in a different, random order from one message to the next. Second, random headers containing gibberish text were inserted at random positions within the header block, as shown in Figure 4. These headers serve no purpose for mail delivery; they are there to evade rule-based detection by introducing randomization.
  3. The subject is purposefully kept short and meaningful to lure the curious victim into opening a message from an apparent ex-colleague, as shown in Figures 3 and 6.
  4. The body is also kept brief, yet meaningful enough to encourage the unwitting victim to click on the link, as shown in Figure 3.
  5. Many of the lure URLs embedded in messages from this botnet appear to be on compromised WordPress sites.
  6. The HTML body has random HTML elements inserted at random positions among legitimate HTML tags, as shown in Figure 5. This is another tactic this spam uses to evade detection.
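As an added example (not code from the original post or from Trustwave), the following Python heuristic flags the randomized filler headers described in item 2: header names that are not on an allow-list and whose name or value reads as vowel-free gibberish. The allow-list, the gibberish threshold and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from typing import List, Tuple

# Header names a legitimate MTA/MUA commonly emits. Assumed allow-list,
# not taken from the post; extend it for your own mail flow.
KNOWN_HEADERS = {
    "from", "to", "cc", "subject", "date", "message-id", "mime-version",
    "content-type", "content-transfer-encoding", "received", "return-path",
    "reply-to", "dkim-signature", "authentication-results", "list-unsubscribe",
    "x-mailer", "x-priority", "in-reply-to", "references",
}
VOWELS = set("aeiouy")

def looks_gibberish(token: str) -> bool:
    """Heuristic: a token with very few vowels or a long consonant run
    resembles the random filler the post describes. Thresholds are assumed."""
    letters = re.sub(r"[^a-z]", "", token.lower())
    if len(letters) < 4:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters)
    return vowel_ratio < 0.2 or re.search(r"[^aeiouy]{5,}", letters) is not None

def suspicious_headers(raw: str) -> List[str]:
    """Return header names not on the allow-list whose name or value looks
    like random filler. A non-empty result is worth a rule hit."""
    msg = message_from_string(raw)
    return [name for name, value in msg.items()
            if name.lower() not in KNOWN_HEADERS
            and (looks_gibberish(name) or looks_gibberish(str(value)))]

def header_order(raw: str) -> Tuple[str, ...]:
    """Order of the standard headers; for one sending system this is normally
    stable, so variation across a batch is itself a signal (see item 2)."""
    msg = message_from_string(raw)
    return tuple(n.lower() for n, _ in msg.items() if n.lower() in KNOWN_HEADERS)

# Constructed sample resembling the campaign: shuffled standard headers plus
# two gibberish filler headers. Addresses and hosts are placeholders.
CHAMELEON_SAMPLE = (
    "Message-ID: <a1b2@example.invalid>\nX-Qzvrk: mkqztrvb pwlxdn\n"
    "To: victim@example.invalid\nSubject: job offer\nPwlxdn-Tkr: zxkvbm\n"
    "From: Ex Colleague <colleague@example.invalid>\n"
    "Content-Type: text/html; charset=utf-8\n\n<html><body>job posting</body></html>\n"
)
# Constructed benign sample with one unknown but readable header.
LEGIT_SAMPLE = (
    "From: hr@example.invalid\nTo: staff@example.invalid\nSubject: Weekly update\n"
    "Date: Mon, 02 Sep 2019 09:00:00 +0000\nMessage-ID: <c3d4@example.invalid>\n"
    "MIME-Version: 1.0\nContent-Type: text/plain\nX-Spam-Status: No\n\nHello\n"
)
```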

Looking at the spam volume graph for this botnet (Figure 1), we see regular bursts followed by long periods of no activity. The bursts form a triangle-wave pattern, suggesting an almost periodic, odd-harmonic signal. We believe this reflects the internals of the spambot, which was designed to periodically change its spam templates and continue spamming with yet another variation to evade detection, as shown in Figures 3, 7 and 8.

 

Figure 3: Variations of the fake job spam messages sent by the spambot

 

Figure 4: Random headers inserted into the email header by this spambot to evade detection

 

Figure 5: Random HTML elements inserted among legitimate HTML tags by the scammers to evade detection

 

At this stage we have not pinpointed the spamming malware behind these campaigns. A list of the unique IP addresses we saw the spam originating from is available at https://pastebin.com/zAQ3X1JQ. If anyone has any insight, drop us a line.

Over the weeks, this botnet has sent out a wide range of spam variants. Some of them are listed here:

  1. Fake Google personal or private messages (Figure 7)
  2. Fake email account security alerts (Figure 8)
  3. Fake broken or undelivered email messages from a mail server
  4. Fake LinkedIn message and profile view notifications (Figure 8)
  5. Fake FedEx delivery notifications (Figure 8)
  6. Fake airline booking invoices (Figure 8)

The variation in the subject lines generated by this spambot can be seen in Figure 6.

Figure 6: Top subject lines

 

Here are some of the URLs embedded in the spam messages:


All of the embedded URLs point to WordPress paths (under wp-content), indicating that they are most likely compromised sites the scammers used to host part of their infrastructure. The URLs use random HTML page names, e.g. ‘unsatisfyingu.html’.

 

Figure 7: Fake personal or private message lure, purportedly sent via a Google service

 

Figure 8: Spam variants from this botnet

 

Clicking and following the embedded links in the spam message, we noticed that our test browser was bounced through a couple of redirector sites before it reached the final landing page. Looking closer, we observed that all the spam links pointed to initial redirector pages hosting the same JavaScript content, as shown in Figure 9.

Analyzing the spam URLs, we concluded that the scammers used compromised WordPress sites as intermediary nodes hosting part of their infrastructure. The redirector JavaScript is often hosted on such sites to route traffic onto the malicious infrastructure. This fits the short-lived nature of a spam or phishing campaign well: it lets the scammer hide in plain sight, or rather on a “plain website” that enjoys a good reputation on the internet.

Clicking on the link in the spam message downloads this JavaScript, which is essentially a redirector: it sends the browser on by assigning a new URL to “window.top.location.href”, in this case hxxp://world-diets[.]world/?a=1nrN&c=cp&b=19082019

This destination site used a TLS certificate issued by the free service "Let's Encrypt", giving it a legitimate appearance. More recent campaigns have been seen using similar redirection code but redirecting to a slightly different site: hxxp://health4life[.]world/?a=1nrN&c=cp&s=280819&b=2

Both domains, "world-diets.world" and "health4life.world", were also recently created and had their whois information redacted.
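As an added example (not code from the original post), the following Python snippet shows how an analyst can statically pull the destination and its campaign parameters out of a redirector page of this kind, without executing the script or visiting the destination. The redirector body and its host are constructed placeholders; only the query-parameter names and values mirror those quoted above.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Constructed redirector body modelled on the post's description; the host is
# a placeholder, not the campaign's real destination.
SAMPLE_REDIRECTOR = """
<html><head><script type="text/javascript">
var z = 1; window.top.location.href = "https://landing.example.invalid/?a=1nrN&c=cp&b=19082019";
</script></head><body></body></html>
"""

# Assignment of a quoted URL to (window.)(top.)location(.href).
_REDIRECT_RE = re.compile(
    r"""(?:window\.)?(?:top\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""")

def defang(url: str) -> str:
    """Render a URL so it is not clickable in a report (hxxp://, [.])."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

def extract_redirect(html: str) -> Optional[dict]:
    """Return the client-side redirect destination, its host, its query
    parameters and a defanged form, or None if no such assignment exists.
    The parameters (a, c, b, s) are what an analyst pivots on across waves."""
    m = _REDIRECT_RE.search(html)
    if not m:
        return None
    url = m.group(1)
    parts = urlsplit(url)
    return {
        "host": parts.hostname,
        "params": {k: v[0] for k, v in parse_qs(parts.query).items()},
        "defanged": defang(url),
    }
```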

Figure 9: Redirector JavaScript hosted at the spam links

 

Figure 10: Flowchart of the spam campaign

 

At the time of inspection, clicking the links in all of these spam messages redirected us to the final landing page “greatexpert.su”. The complete flow is shown in the flowchart in Figure 10. This site was hosting a Canadian Pharmacy pill spam site, as can be seen in Figures 11, 12 and 13. The site had an active e-commerce cart system to sell medicine and collect payment and shipping information from customers. The online store claims it does not require a prescription and is happy to sell the usual set of medication, including Cialis, Viagra, Levitra, etc. The domain was recently created and registered to a free Gmail address, as the whois record shows:

Whois record (image)

Figure 12: Fake pill site “About Us” page

 

Figure 13: Fake Canadian Pharmacy pill spam site with e-commerce capability


Occasionally some of the spam links led to fake bitcoin purchase sites, as shown in Figures 14 and 15. This indicates that the campaign cycled through these two types of spam sites using some rotation logic. This sophisticated and transient infrastructure, powered by a versatile, distributed spamming botnet, enables the scammer to launch any campaign with minimum effort. For now the spam is centered on pill spam and fake bitcoin spam; however, it could easily shift to serve phishing or even malware.

The Trustwave Secure Email Gateway detects and blocks these spam campaigns.

We would like to acknowledge and thank Phil Hay for his valuable advice and support for this publication.

 

Figure 14: Fake bitcoin spam page

 

Figure 15: Fake bitcoin spam
