Ddos A threat intelligence analyst from Vertek Corporation told Bleeping Computer that he recently discovered that a spam botnet command and control (C&C) server had accidentally exposed at least 43 million e-mail addresses.
The analyst claimed that the finding came from the fact that he was tracking the spread of malware through spam emails. The purpose of the campaign was to spread the latest version of the Trik Trojan. Due to the misconfiguration of the C&C server, anyone can view all its stored content by directly accessing its IP address.
The analyst said that he found a total of 2201 text files from this server, the name is straightforward – from 1.txt has been to 2201.txt, each record contains about 20,000 e-mail address. Analysts believe that the use of these email recipient lists by Trik botnet operators is to allow criminals who subscribe to their services to spread their malware through spam email campaigns.
The analyst also told Bleeping Computer that he and his team verified the uniqueness of all these e-mail addresses. The results show that of the 44,020,000 addresses, 43,555,741 are unique.
From the domain name, these email addresses come from all over the world. There are 4.6 million unique email domain names, from .com, .net to .gov, and several companies’ private domain names. This includes Yahoo (yahoo.com), Tencent (qq.com) and NetEase (126.com, 163.com), etc. The top 100 e-mail domain names are as follows:
8907436 yahoo.com 8397080 aol.com 788641 comcast.net 433419 yahoo.co.in 432129 sbcglobal.net 414912 msn.com 316128 rediffmail.com 294427 yahoo.co.uk 286835 yahoo.fr 282279 verizon.net 244341 bellsouth.net 234718 cox.net 227209 earthlink.net 221737 yahoo.com.br 191098 ymail.com 174848 att.net 156851 btinternet.com 139885 libero.it 120120 yahoo.es 117175 charter.net 112566 mac.com 111248 mail.ru 107810 juno.com 92141 optonline.net 86967 yahoo.ca 78964 me.com 73341 yahoo.com.ar 71545 yahoo.in 71200 rocketmail.com 69757 wanadoo.fr 68645 rogers.com 65629 yahoo.it 65017 shaw.ca 64091 ig.com.br 63045 163.com 62375 uol.com.br 57764 free.fr 57617 yahoo.com.mx 57066 web.de 56507 orange.fr 56309 sympatico.ca 54767 aim.com 51352 cs.com 50256 bigpond.com 48455 terra.com.br 43135 yahoo.co.id 41533 netscape.net 40932 alice.it 39737 sky.com 39116 yahoo.com.au 38573 bol.com.br 38558 YAHOO.COM 37882 excite.com 37788 mail.com 37572 tiscali.co.uk 37361 mindspring.com 37350 tiscali.it 36636 HOTMAIL.COM 36429 ntlworld.com 34771 netzero.net 33414 prodigy.net 33208 126.com 32821 yandex.ru 32526 planet.nl 32496 yahoo.com.cn 31167 qq.com 30831 embarqmail.com 30751 adelphia.net 30536 telus.net 30005 hp.com 29160 yahoo.de 28290 roadrunner.com 27558 skynet.be 26732 telenet.be 26299 wp.pl 26135 talktalk.net 26072 pacbell.net 26051 t-online.de 25929 netzero.com 25917 optusnet.com.au 25897 virgilio.it 25525 home.nl 25227 videotron.ca 24881 blueyonder.co.uk 24462 peoplepc.com 24435 windstream.net 24079 xtra.co.nz 23465 bluewin.ch 23375 us.army.mil 22433 hetnet.nl 22247 trainingelite.com 22021 yahoo.com.sg 21689 laposte.net 21336 ge.com 21130 frontiernet.net 21055 q.com 21034 mchsi.com 20882 webtv.net 20830 abv.bg 19425 insightbb.com
Analysts pointed out that most of these e-mail addresses were previously exposed. For example, Yahoo (10.6 million) and AOL (8.3 million). This means that campaigns designed to spread malware through spam emails are highly likely to target specific users. Another possibility is that the list of email addresses found is incomplete.
Of course, we should also pay attention to the Trik Trojan that appeared in the incident. According to related data, it is a typical malware downloader that has been active for at least ten years. After the computer is infected, the infected computer is used to form a botnet.
As mentioned earlier, botnets are sold to other criminals. The Vertek analyst said that the Trik botnet is being used by the ransomware GandCrab operations team to disseminate the GandCrab V3 version.
GandCrab ransomware originally appeared in January of this year, mainly through spam e-mail, social engineering, exploit kits, and malvertising, and released multiple versions in just a few months, considered the most in 2018. One of the top ransomware.
The latest version of V3 not only retains all the features of the previous version but also adds an auto-run feature that allows the infected computer to boot on its own even if the infected computer is restarted, thereby establishing persistence on the infected computer.
As GandCrab’s operating team began to use the Trik botnet to spread its malware, we believe that this ransomware will undoubtedly bring greater turmoil to Internet users around the world in the coming period.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
