Security researchers from M86Security, are contributing the increase in malicious malware campaigns using HTML attachments, to the resurrection of the Cutwail botnet, responsible for spamvertising these campaigns.
Using the company's sensor networks, the researchers observed three peaks of spamvertised malicious campaigns using HTML attachments for serving client-side exploits to unsuspecting the vulnerable users.
The campaigns in question:
- The FDIC "Suspended bank account" spam campaign
- The "End of August Statement" spam campaign
- and the "Xerox Scan" spam campaign
The landing page that contains the exploit code is a kit used by cybercriminals particularly for this spam campaign, the Phoenix Exploit kit. This exploit kit is readily available for cybercriminals to buy and use, all they need is their own webserver that can run PHP server scripts. The image shown below is the screenshot of the actual server’s “Phoenix Exploit’s Kit” admin page. The “—“ referrer in the statistics suggests that most visitors were NOT coming from another website but from the HTML files that the cybercriminals spammed out. It also shows over 4000 visitors, 15% of whom were successfully exploited.
Once the researchers obtained access to the command and control interface of the exploit kit, they noticed that the majority of referrers were coming from "blank" referrer, meaning that these are end and corporate users who are downloading and viewing the malicious attachments on their PCs.
End users are advise to avoid interacting with emails used in these spam campaigns, as well as to ensure that they're not running outdated versions of third-party software running on their PCs, as well as their browser plugins.