Microsoft Details Massive Spam Campaign

Microsoft tracked the spam campaign from March to December 2020, gradually uncovering and detailing “sprawling architecture” that, due to its size, had enough power to appear legitimate to mail providers.

According to the Microsoft Security blog, the spam campaign targeted many countries around the world, with high volumes found in the US, UK, and Australia. The spam emails focused on targets in the wholesale distribution, financial services, and healthcare industries, using a variety of phishing lures and spam tactics.

The first indicators of the spam campaign appeared in March 2020. Microsoft assigned the name “StrangeU” because many of the spam domain names followed naming patterns built around the word “strange.” A second domain generation algorithm, named “RandomU,” was discovered later.
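A keyword-based naming pattern like the one Microsoft used to name StrangeU is something a mail administrator can hunt for in their own logs. The following is an added example, not code from the article or from Microsoft: it extracts sender domains from constructed mail-log lines, flags domains that match an assumed “strange” plus random-suffix pattern (the real StrangeU pattern is not given on the page, so the regex is a placeholder), and reports how much of the volume comes from that family versus everything else.

```python
import re
from collections import Counter

# Constructed sample mail-log lines (not taken from the Microsoft report).
# The only fact borrowed from the article is that the StrangeU domain
# names used the word "strange"; the specific suffixes are invented.
SAMPLE_LOG = """\
2020-06-12T08:01:02Z from=<billing@strangeu8k2z.com> to=<ap@example.org> subject="Invoice 4471"
2020-06-12T08:01:09Z from=<news@strangemail-77.net> to=<hr@example.org> subject="Notice"
2020-06-12T08:02:30Z from=<alerts@example.com> to=<ops@example.org> subject="Backup complete"
2020-06-12T08:03:11Z from=<info@strangeq1v.org> to=<cfo@example.org> subject="Payment"
2020-06-12T08:04:00Z from=<support@vendor-portal.com> to=<ap@example.org> subject="Ticket"
"""

# Pulls the domain part of the envelope sender out of a log line.
FROM_RE = re.compile(r"from=<[^@>]+@([^>]+)>")

# Assumed (hypothetical) naming pattern: the keyword "strange" followed by
# at least one alphanumeric or hyphen character, then a TLD. Adjust to the
# pattern actually observed in your own environment.
STRANGE_RE = re.compile(r"^strange[a-z0-9-]+\.[a-z]+$")


def sender_domains(log_text):
    """Return the lower-cased sender domain of every log line that has one."""
    return [
        m.group(1).lower()
        for line in log_text.splitlines()
        for m in FROM_RE.finditer(line)
    ]


def flag_keyword_domains(domains, pattern=STRANGE_RE):
    """Return the sorted, de-duplicated domains matching the suspect pattern."""
    return sorted({d for d in domains if pattern.match(d)})


def domain_family_counts(domains, keyword="strange"):
    """Count how many messages came from the keyword family versus others,
    so an analyst can see what share of volume the suspected DGA accounts for."""
    counts = Counter(
        "keyword-family" if keyword in d else "other" for d in domains
    )
    return dict(counts)


if __name__ == "__main__":
    seen = sender_domains(SAMPLE_LOG)
    print("flagged:", flag_keyword_domains(seen))
    print("volume by family:", domain_family_counts(seen))
```

The split into three small functions is deliberate: the extraction step is reusable for any sender-domain analysis, while the pattern and the keyword can be swapped for whatever family you are tracking (the RandomU family, for instance, would need a different rule, since its naming pattern is not described here).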

Microsoft also notes that the spam campaign’s rise coincided with a global takedown of the Necurs botnet, which Microsoft also had a hand in. Before its disruption, Necurs was one of the most prolific spam botnets, allowing other criminals access to the network for a fee.

One of the biggest takeaways from Microsoft’s report is that the world of spam is heavily interlinked. Spam networks and campaigns use pay-for-access infrastructure to further their goals, sometimes even if they have an existing botnet up and running.

Attempting to diversify spam output is a step towards protecting the overall operation, guarding against the automated analysis techniques often used to disrupt and destroy spam networks.

StrangeU and RandomU Hit Wide Range of Targets

The spam network infrastructure was used to deliver several malware campaigns over the course of nine months:

- April & June: Korean spear-phishing campaigns that delivered Makop ransomware
- April: Emergency alert notifications that distributed Mondfoxia malware
- June: Black Lives Matter lure that delivered Trickbot malware
- June & July: Dridex campaign delivered through StrangeU
- August: Dofoil (SmokeLoader) campaign
- September - November: Emotet and Dridex activities

Microsoft’s research details the modular approach attackers continue to take to malware, botnets, and spam distribution. The modular approach keeps attackers versatile in how they distribute malware, ensuring that any takedown or disruption operation must cover a large amount of infrastructure before making any real dent.