An expert from Vertek Corporation spotted the Trik C&C server while investigating a recent malware campaign distributing a version of the Trik trojan. The malicious code was used as first-stage malware to drop the GandCrab v3 ransomware.
Malware experts from Proofpoint have recently begun tracking the Phorpiex/Trik botnet, which has been used by sophisticated threat actors to distribute a range of malware.
“It is not especially sophisticated or complex but has been active for almost a decade, flying under the radar and attracting a solid customer base of threat actors,” reads the analysis published by Proofpoint.
“As we began tracking this botnet more closely, we discovered that a number of familiar actors were repeatedly leveraging Trik’s power and distribution capabilities for delivery of their malware.”
Both malware strains downloaded their payloads from a misconfigured server hosted at a Russian IP address.
The server's contents were accessible to anyone: the researcher found 2201 text files, labeled sequentially from 1.txt to 2201.txt, each containing roughly 20,000 email addresses.
“The Vertek researcher believes the operators of this server have been using these recipient lists to service other crooks who contracted their services to distribute various malware strains via malspam campaigns,” reported Bleeping Computer.
“We pulled all of them to validate that they are unique and legitimate,” the researcher told Bleeping Computer earlier today. “Out of 44,020,000 potential addresses, 43,555,741 are unique.”
The researcher shared the findings with the popular cyber security expert Troy Hunt, who runs the Have I Been Pwned service, to determine the origin of the data.
The huge trove of email addresses spans every kind of provider; the expert counted 4.6 million unique email domains (e.g. .gov, .com, and the domains of several private businesses).
The vast majority of the addresses belong to older email services, chiefly Yahoo (10.6 million) and AOL (8.3 million).
“Surprisingly, while there are many custom email domains included in the leak, there are very few Gmail addresses included, suggesting the email addresses database is either incomplete, or this malware campaign intentionally targeted users using older email services,” continues Bleeping Computer.
The Trik C&C server discovered by the expert goes offline intermittently.
Below are the top 10 email domains included in the leaked data:
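As an added illustration (not code from Vertek, Proofpoint or this article), the unique-address and per-domain counts the researcher reports can be reproduced over recipient lists of this shape; the script below uses a constructed two-file sample in place of the 2201 real files, and the regex and function names are its own assumptions.

```python
import re
from collections import Counter

# Constructed sample standing in for the 1.txt ... 2201.txt recipient lists
# described above (the real files held roughly 20,000 addresses each).
SAMPLE_FILES = {
    "1.txt": "alice@yahoo.com\nBob@AOL.com\nalice@yahoo.com\ncarol@example.gov\n",
    "2.txt": "bob@aol.com\ndave@example.com\nnot-an-address\nerin@Yahoo.com\n",
}

# Loose syntactic filter (assumption): one local part, one '@', a dotted domain.
ADDR_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")


def parse_lists(files):
    """Return (unique_addresses, rejected_count) for a mapping of
    filename -> file text.  Addresses are lower-cased so that case
    variants of the same mailbox are not counted twice."""
    unique = set()
    rejected = 0
    for text in files.values():
        for line in text.splitlines():
            addr = line.strip().lower()
            if not addr:
                continue
            if ADDR_RE.match(addr):
                unique.add(addr)
            else:
                rejected += 1
    return unique, rejected


def domain_stats(addresses, top_n=10):
    """Count addresses per domain; return (unique_domain_count, top-N list)."""
    counts = Counter(addr.rsplit("@", 1)[1] for addr in addresses)
    return len(counts), counts.most_common(top_n)


if __name__ == "__main__":
    uniq, bad = parse_lists(SAMPLE_FILES)
    n_domains, top = domain_stats(uniq)
    print(f"{len(uniq)} unique addresses, {bad} malformed lines dropped")
    print(f"{n_domains} unique domains; top domains: {top}")
```

On a real dump the files would be read from disk in numbered order; the regex only screens malformed lines and says nothing about whether an address is live.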
(Security Affairs – spam botnet, hacking)