Trik Spam Botnet Leaks 43M Email Addresses Due to Misconfigured C&C Server
A threat intelligence analyst from Vertek Corporation told Bleeping Computer that he recently discovered a spam botnet command and control (C&C) server that had accidentally exposed at least 43 million email addresses.
The analyst said he came across the server while tracking a spam campaign that was distributing the latest version of the Trik trojan. Because the C&C server was misconfigured, anyone who browsed to its IP address could view and download everything stored on it.
He found 2201 text files on the server, named simply 1.txt through 2201.txt, each holding roughly 20,000 email addresses. The analysts believe these are the recipient lists the Trik operators use on behalf of the criminals who rent the botnet to push their own malware through spam campaigns.
The analyst also told Bleeping Computer that he and his team deduplicated the lists: of the 44,020,000 addresses, 43,555,741 are unique.
Judging by the domains, the addresses come from all over the world. There are 4.6 million unique email domains, from .com and .net to .gov, as well as a number of companies' private domains; they include Yahoo (yahoo.com), Tencent (qq.com) and NetEase (126.com, 163.com). The top 100 domains by number of addresses are listed below. Note that the tally is case-sensitive, which is why YAHOO.COM appears as a separate entry from yahoo.com:
8907436 yahoo.com
8397080 aol.com
788641 comcast.net
433419 yahoo.co.in
432129 sbcglobal.net
414912 msn.com
316128 rediffmail.com
294427 yahoo.co.uk
286835 yahoo.fr
282279 verizon.net
244341 bellsouth.net
234718 cox.net
227209 earthlink.net
221737 yahoo.com.br
191098 ymail.com
174848 att.net
156851 btinternet.com
139885 libero.it
120120 yahoo.es
117175 charter.net
112566 mac.com
111248 mail.ru
107810 juno.com
92141 optonline.net
86967 yahoo.ca
78964 me.com
73341 yahoo.com.ar
71545 yahoo.in
71200 rocketmail.com
69757 wanadoo.fr
68645 rogers.com
65629 yahoo.it
65017 shaw.ca
64091 ig.com.br
63045 163.com
62375 uol.com.br
57764 free.fr
57617 yahoo.com.mx
57066 web.de
56507 orange.fr
56309 sympatico.ca
54767 aim.com
51352 cs.com
50256 bigpond.com
48455 terra.com.br
43135 yahoo.co.id
41533 netscape.net
40932 alice.it
39737 sky.com
39116 yahoo.com.au
38573 bol.com.br
38558 YAHOO.COM
37882 excite.com
37788 mail.com
37572 tiscali.co.uk
37361 mindspring.com
37350 tiscali.it
36636 HOTMAIL.COM
36429 ntlworld.com
34771 netzero.net
33414 prodigy.net
33208 126.com
32821 yandex.ru
32526 planet.nl
32496 yahoo.com.cn
31167 qq.com
30831 embarqmail.com
30751 adelphia.net
30536 telus.net
30005 hp.com
29160 yahoo.de
28290 roadrunner.com
27558 skynet.be
26732 telenet.be
26299 wp.pl
26135 talktalk.net
26072 pacbell.net
26051 t-online.de
25929 netzero.com
25917 optusnet.com.au
25897 virgilio.it
25525 home.nl
25227 videotron.ca
24881 blueyonder.co.uk
24462 peoplepc.com
24435 windstream.net
24079 xtra.co.nz
23465 bluewin.ch
23375 us.army.mil
22433 hetnet.nl
22247 trainingelite.com
22021 yahoo.com.sg
21689 laposte.net
21336 ge.com
21130 frontiernet.net
21055 q.com
21034 mchsi.com
20882 webtv.net
20830 abv.bg
19425 insightbb.com
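As an added example that is not code from the article or from Vertek, the script below reproduces this kind of tally over a directory of numbered recipient lists: it counts records, deduplicates addresses, counts unique domains and lists the most common ones. It assumes one address per line in each N.txt (the page does not state the file format), and the three files it writes are constructed sample data standing in for the real 1.txt to 2201.txt. Running it with fold_case=False gives the case-sensitive tally seen in the table above, where YAHOO.COM is counted apart from yahoo.com; fold_case=True merges them, which is usually what you want before comparing the list against breach corpora.

```python
"""Added example (not the article's or Vertek's code): rebuild the analyst's
figures from a directory of numbered recipient lists.

Assumed, not stated on the page: one address per line in each N.txt.
SAMPLE_FILES is constructed data standing in for the real 1.txt .. 2201.txt."""
from collections import Counter
from pathlib import Path
import re
import tempfile

# Constructed sample data (not from the leak): 3 small files instead of 2201.
SAMPLE_FILES = {
    "1.txt": "alice@yahoo.com\nbob@aol.com\ncarol@yahoo.com\nalice@yahoo.com\n",
    "2.txt": "dave@YAHOO.COM\nerin@Yahoo.com\nbob@AOL.com\nnot-an-address\n",
    "3.txt": "  frank@qq.com  \ngrace@163.com\nheidi@hotmail.com\n\n",
}

# Loose shape check: exactly one '@', no whitespace, dotted domain. Enough to
# drop junk lines from a spam list; it is not full RFC 5322 validation.
ADDRESS_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_sample_dir() -> Path:
    """Write SAMPLE_FILES into a fresh temp directory and return its path."""
    directory = Path(tempfile.mkdtemp(prefix="trik-lists-"))
    for name, body in SAMPLE_FILES.items():
        (directory / name).write_text(body, encoding="utf-8")
    return directory


def read_records(directory: Path) -> list[str]:
    """Every line across the N.txt files that looks like an address, with
    surrounding whitespace stripped and original case kept. The length of
    the result is the 'records' figure (44,020,000 in the article)."""
    records = []
    for path in sorted(directory.glob("*.txt"), key=lambda p: int(p.stem)):
        text = path.read_text(encoding="utf-8", errors="replace")
        for line in text.splitlines():
            addr = line.strip()
            if ADDRESS_RE.match(addr):
                records.append(addr)
    return records


def unique_addresses(records, fold_case: bool = True) -> set[str]:
    """Deduplicate. Local parts are case-sensitive on paper, but no large
    provider treats them that way, so folding case is the sensible default."""
    return {r.lower() if fold_case else r for r in records}


def domain_counts(addresses, fold_case: bool = True) -> Counter:
    """Addresses per domain. With fold_case=False, 'YAHOO.COM' and 'yahoo.com'
    land in separate buckets, as they do in the article's table."""
    counts = Counter()
    for addr in addresses:
        domain = addr.rsplit("@", 1)[1]  # ADDRESS_RE guarantees exactly one '@'
        counts[domain.lower() if fold_case else domain] += 1
    return counts


def summarize(directory: Path, fold_case: bool = True, top_n: int = 100) -> dict:
    """The four numbers the article reports, plus the top-N domain table."""
    records = read_records(directory)
    uniq = unique_addresses(records, fold_case)
    domains = domain_counts(uniq, fold_case)
    return {
        "files": len(list(directory.glob("*.txt"))),
        "records": len(records),
        "unique_addresses": len(uniq),
        "unique_domains": len(domains),
        "top_domains": domains.most_common(top_n),
    }


if __name__ == "__main__":
    sample_dir = build_sample_dir()
    for fold in (False, True):
        s = summarize(sample_dir, fold_case=fold, top_n=5)
        print(f"fold_case={fold}: {s['files']} files, {s['records']} records, "
              f"{s['unique_addresses']} unique addresses, "
              f"{s['unique_domains']} unique domains")
        for domain, n in s["top_domains"]:
            print(f"{n:>10} {domain}")
```

Point it at the real directory by replacing build_sample_dir() with the path of the downloaded files; the regex filter is what keeps the record count honest, since drops like this routinely contain blank lines and non-address junk that would otherwise inflate the figure.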
The analysts point out that most of these addresses had already been exposed in earlier leaks, for example the Yahoo (10.6 million) and AOL (8.3 million) addresses. This suggests that the spam campaigns built on this list are highly likely to target specific, already-known users. The other possibility is that the list the analyst found is incomplete.
The Trik trojan itself also deserves attention. According to the available data, it is a typical malware downloader that has been active for at least ten years; once a computer is infected, it is enrolled into the botnet.
As mentioned above, access to the botnet is sold to other criminals. The Vertek analyst said the Trik botnet is currently being used by the GandCrab ransomware crew to distribute GandCrab version 3.
GandCrab ransomware first appeared in January of this year. It spreads mainly through spam email, social engineering, exploit kits and malvertising, and has gone through several versions in just a few months, making it one of the most active ransomware families of 2018.
Version 3 keeps all the features of the earlier versions and adds an autorun entry, so the ransomware is launched again whenever the infected computer is restarted, giving it persistence on the machine.
With the GandCrab crew now using the Trik botnet to distribute their malware, we expect this ransomware to cause considerably more trouble for internet users worldwide in the coming months.