Cybercriminals are constantly evolving their instruments, techniques, and strategies to evade spam detection programs. We lately noticed some spam campaigns that closely relied on URL obfuscation in e mail messages. Whereas such URL evasion strategies aren’t new, their latest emergence on the pretend pharma spam panorama is noteworthy. One such URL obfuscation method employed an encoded hexadecimal IP tackle format used within the URL hostname half to evade detection. One other method used a URL semantic assault, however that would be the topic of a future weblog. On this weblog, we spotlight some latest IP format strategies we noticed within the wild which can be getting used and circulated in spam.

IP stands for Web Protocol and is outlined in RFC 791. An IP tackle is a novel numerical tackle assigned to every gadget on the community. It may be an IPV4 dotted-decimal tackle similar to 127.0.0.1 or an IPv6 tackle like 2001:db8:a0b:12f0::1. We entry internet content material on internet servers with their distinctive IP addresses assigned to them on the Web, utilizing the usual URL format outlined in RFC1738. Since IP addresses are exhausting to recollect, we depend on domains as a substitute that use a DNS service to translate the area title to an IP tackle, thus remembering https://google.com is simpler than remembering https://216.58.199.78 .

Technically, an IP tackle might be represented in a number of codecs and thus can be utilized in a URL as follows:

Whereas internet browsers settle for domains or dotted-decimal IPs as a URL within the tackle bar, clicking on any of the above hyperlinks will direct you to Google.com as most browsers additionally settle for these completely different IP codecs as legitimate, which in fact they’re. The browser will mechanically convert the hexadecimal or different IP format to a dotted-decimal IP tackle and browse it to the ultimate web page at that IP tackle.

Any risk actor geared up with this data can craft an obscure wanting URL like those proven above and ship it through e mail with a convincing message to deceive the e-mail gateway and the sufferer and lure them to click on and open a web site managed by the attacker.

Tablet spam marketing campaign utilizing obscure URLs containing hexadecimal IPs

The primary spam marketing campaign we noticed was the results of a really lively pretend pharma spam botnet leveraging URL obfuscation strategies supported by an infrastructure of a number of middleman hops via affiliate hyperlink providers to evade detection whereas spewing excessive volumes of tablet spam messages. These spam messages lined a large spectrum of pharma merchandise, primarily capsules for ldl cholesterol, anti-fungal, anti-aging, anti-inflammatory, mind well being, metabolism, and many others.  This spam botnet lately began utilizing hexadecimal IP’s within the URL since mid-July 2020, as proven within the determine. That is the time when the spam quantity generated by this botnet considerably elevated, as might be seen in determine 1.

In Spam Evasive URLs Trustwave

Determine 1: Spam volumes of the pretend pharma botnet for the reason that starting of this 12 months. Discover the rise in quantity since mid-July

A stream chart of this spam marketing campaign is proven right here in Determine 2 adopted by an in depth dialogue about every element.

In Spam Evasive URLs Trustwave

Determine 2: Flowchart of this pretend pharma spam marketing campaign

Spam Evaluation

Spam messages had been fastidiously crafted for every spam broadcast, the place the e-mail topic highlights the e-mail physique content material and is usually convincing-looking pharma product associated messages. Listed here are some screenshots of such spam e mail messages.

In Spam Evasive URLs Trustwave

Determine 3: Spam samples containing embedded URLs with hexadecimal IP’s, circulated by this botnet with themes like COVID Masks, Fats loss, UV Micro organism killer, and Prostate medication.

In Spam Evasive URLs Trustwave

Determine 4: Spam circulated with themes like Mind boosting medication, Acid Reflux, Fats discount, and Imaginative and prescient correction

In Spam Evasive URLs Trustwave

Determine 5: Spam circulated utilizing themes like medication for Vertigo, Vitiligo, Gum and Mind. All containing URLs with hexadecimal IP’s

This seems like atypical spam, nonetheless what makes it distinctive is using hexadecimal IPs within the URL to entry the tablet spam internet web page. Some URLs that we collected from these tablet spam campaigns are defanged and listed right here:

  • hxxp://0[x]455e8c6f/0s19ef206s18s2f2s567s49a8s91f7s4s19fd61a
  • hxxp://0[x]455e8c65/0s1598270s14s2eds562s498as9151s4s15a65b2
  • hxxp://0[x]455e8c6c/0s4eb49s4s2e4s557s491fs904fs4s5ccfa
  • hxxp://0[x]455e8c7a/0s30360s4s2f7s56cs49d2s9293s4s3e830
  • http://0[x]455e8c67/0s1d93f34s18s304s579s4a35s9451s1s1da2650
  • http://0[x]455e8c75/0s1c11bf8s18s2e8s55ds492es90a4s0s1c1fe27
  • http://0[x]455e8c7c/0s179213bs14s2fcs571s49fds92ees4s17a06ab
  • http://0[x]455e8c77/0s194180es18s2fes573s4a07s9341s4s194fde3
  • http://0[x]455e8c6a/0s1dbd6d7s18s2fas56fs49e3s92c3s4s1dcbc02

These hexadecimal encoded IP addresses, collected at completely different occasions in the course of the month of August 2020, decode to a single CIDR block 69.94.128.0/19 which is a block of IPs from USA. We noticed that these hyperlinks seem barely completely different utilizing completely different mail shoppers. For instance, utilizing the Thunderbird mail shopper, hovering your mouse over the hyperlinks in these spam messages reveals them as a URL beginning with an IP tackle within the standing bar. Nevertheless, the hyperlinks seem of their hexadecimal IP kind within the URL utilizing Microsoft Outlook however copying and pasting these hyperlinks converts them to the usual IP format within the URL.

Community Evaluation

Clicking on any of those hyperlinks opens the sufferer’s browser. The browser converts the hexadecimal IP to a decimal IP and takes the sufferer to the webpage internet hosting the pretend pharma web site. This web site is provided with an e-commerce gateway to promote these pretend capsules. We didn’t proceed with any buy on the time of penning this weblog. You’ll be able to carry out the hex to decimal IP conversion your self utilizing any software of your selection. Right here is a straightforward conversion utilizing Cyber Chef

In Spam Evasive URLs Trustwave

Determine 6: Changing Hexadecimal IP to decimal IP utilizing CyberChef

Evaluation of the community stream, from the time the sufferer clicks on the hyperlink till the ultimate touchdown web page is loaded within the sufferer’s browser, reveals a sequence of intermediate HTTP 301 and HTTP 302 redirects as proven within the above in Determine 2. An attention-grabbing factor to notice right here is that cybercriminals have employed the infrastructure of Clickbank.com, which is a legit on-line retail and affiliate service. Cybercriminals are abusing the Clickbank affiliate hyperlink service to proxy via to the ultimate touchdown web page of the pharma product being offered.

Ultimate Touchdown Pages:

For every spam marketing campaign iteration from this botnet, the ultimate touchdown web page follows the identical theme from the preliminary spam message. The ultimate touchdown pages are designed as advertising and marketing and gross sales portals built-in with third social gathering fee gateways. Every web site contained convincing advertising and marketing movies and testimonials to lure victims into shopping for pretend capsules or pharmaceutical merchandise being offered. An attention-grabbing factor to notice right here is that almost all of those domains that hosted the ultimate touchdown pages had been registered with the NameCheap area registrar and had been lately registered. Screenshots of a few of these web sites are proven right here.

In Spam Evasive URLs Trustwave

Determine 9: Ultimate touchdown web page of Pretend Anti-Fungal drug circulated as spam

In Spam Evasive URLs Trustwave

Determine 10: Ultimate touchdown web page of Pretend pharma medication

In Spam Evasive URLs Trustwave

Determine 11: Ultimate touchdown web page of Pretend pharma drug circulated as spam

In Spam Evasive URLs Trustwave

Determine 12: Ultimate touchdown web page of Pretend pharma drug circulated as spam

In Spam Evasive URLs Trustwave

Determine 13: Ultimate touchdown web page of Pretend pharma drug circulated as spam

For e-commerce retail flows, these websites used JavaScript snippets pointing to Clickbank.com affiliate community and fee portal as proven within the determine.

In Spam Evasive URLs Trustwave

Clicking on “Purchase Now” for any product redirects the sufferer to a legit Clickbank fee gateway web page that accepts fee through each Credit score Card and PayPal as proven within the determine.

In Spam Evasive URLs Trustwave

Making an attempt to pay for an merchandise utilizing phony fee particulars was unsuccessful because the fee gateway required a legit and lively Credit score Card to be entered previous to continuing to the following web page. Making a take a look at buy to see whether or not any product will get shipped or not was past the scope of this analysis.

Conclusion

Spammers are ever-evolving their strategies to evade spam detection programs to ship spam to victims. One spamming group lately began utilizing URLs containing hexadecimal encoded IPs embedded in spam messages for his or her pretend pharma spam campaigns in an occasion to evade spam detection programs and URL blocklists. The URLs level to spammer-controlled infrastructure that redirects victims to semi-legit on-line retailers and advertising and marketing firm infrastructure that lastly redirects to the ultimate web site promoting pretend capsules, medication, and well being merchandise. These pretend pharma websites are hosted on domains which have been lately bought.

Trustwave Safe Electronic mail Gateway (SEG) detects these spam messages. We advise all customers to look carefully in any respect URLs earlier than clicking, and particularly these URLs that don’t conform to typical codecs.

IOCs

  • hxxp://0[x]455e8c6f/0s19ef206s18s2f2s567s49a8s91f7s4s19fd61a
  • hxxp://0[x]455e8c65/0s1598270s14s2eds562s498as9151s4s15a65b2
  • hxxp://0[x]455e8c6c/0s4eb49s4s2e4s557s491fs904fs4s5ccfa
  • hxxp://0[x]455e8c7a/0s30360s4s2f7s56cs49d2s9293s4s3e830
  • http://0[x]455e8c67/0s1d93f34s18s304s579s4a35s9451s1s1da2650
  • http://0[x]455e8c75/0s1c11bf8s18s2e8s55ds492es90a4s0s1c1fe27
  • http://0[x]455e8c7c/0s179213bs14s2fcs571s49fds92ees4s17a06ab
  • http://0[x]455e8c77/0s194180es18s2fes573s4a07s9341s4s194fde3
  • http://0[x]455e8c6a/0s1dbd6d7s18s2fas56fs49e3s92c3s4s1dcbc02

2019 midyear security roundup report,trend micro threat report 2019,trend micro vulnerability report,trend micro research lab,trend micro white papers,trend micro security predictions for 2020

Share:

administrator