Microsoft Reveals Details of Major Spam Campaign and How It Stays Online

Microsoft recently detailed an extensive spam campaign it had been tracking for several months. The spam network was sending over one million emails per month at its peak, spreading seven different malware types and targeting victims worldwide.

Microsoft Details Massive Spam Campaign

Microsoft tracked the spam campaign from March to December 2020, gradually uncovering and documenting a “sprawling architecture” that, because of its size, had enough sending capacity to appear legitimate to mail providers.

According to the Microsoft Security blog, the spam campaign targeted many countries around the world, with high volumes found in the US, UK, and Australia. The spam emails focused on targets in the wholesale distribution, financial services, and healthcare industries, using a variety of phishing lures and spam tactics.


The first indicators of the spam campaign appeared in March 2020. Microsoft assigned the name “StrangeU” because the domain naming patterns used by the spam infrastructure frequently included the word “strange.” A second domain generation algorithm was discovered later and given the name “RandomU.”

Microsoft also notes that the spam campaign’s rise coincided with a global takedown of the Necurs botnet, which Microsoft also had a hand in. Before its disruption, Necurs was one of the most prolific spam botnets, allowing other criminals access to the network for a fee.

The StrangeU and RandomU infrastructure appears to fill the service gap that the Necurs disruption created, showing that attackers are highly motivated to adapt quickly to temporary interruptions of their operations.

One of the biggest takeaways from Microsoft’s report is that the world of spam is heavily interlinked. Spam networks and campaigns use pay-for-access infrastructure to further their goals, sometimes even if they have an existing botnet up and running.

Attempting to diversify spam output is a step towards protecting the overall operation, guarding against the automated analysis techniques often used to disrupt and destroy spam networks.


StrangeU and RandomU Hit Wide Range of Targets

The spam network infrastructure was used to deliver several malware campaigns over the course of nine months:

  • April & June: Korean spear-phishing campaigns that delivered Makop ransomware
  • April: Emergency alert notifications that distributed Mondfoxia malware
  • June: Black Lives Matter lure that delivered Trickbot malware
  • June & July: Dridex campaign delivered through StrangeU
  • August: Dofoil (SmokeLoader) campaign
  • September – November: Emotet and Dridex activities

Microsoft’s research details the modular approach attackers continue to take regarding malware, botnets, and spam distribution. The modular malware approach lets attackers stay versatile in how they distribute payloads, ensuring that any takedown or disruption operation must cover a large amount of infrastructure before it makes any real dent.

Source: makeuseof.com
