While it comes as no surprise that countless new attacks emerge from the dark corners of the Internet every day, a spambot dubbed Onliner was recently discovered to be using 711 million email addresses to spread aggressive malware. With so many email accounts involved, the Onliner spambot campaign is the largest batch of data ever to be discovered by the breach notification site Have I Been Pwned.
Just before the discovery of Onliner by the security researcher who goes by the name Benkow, a single data set of compromised email accounts was found to contain as many as 393 million records. The malware actively spread by Onliner was found to be Ursnif, a destructive type of banking malware specifically designed to infect Windows PCs, steal data, and download additional malware. Ursnif's capabilities have evolved recently, building on a long history of data theft that dates back to 2007.
Probably one of the most concerning aspects of the Onliner spambot is that it can bypass spam filters, allowing it to spread on a massive scale. Not only does Onliner have 711 million email accounts at its disposal, but it can spread further by using the credentials of compromised accounts to send additional spam to addresses found in the victims' contact lists.
Benkow explained to several security blogs that "the more SMTP servers [the spammers] can find, the more [they] can distribute the campaign."
Of the 711 million accounts collected in the Onliner data set, Benkow suspects that about 80 million came with complete credentials and were used as senders; the remaining accounts were used as targets.
In the past, we have encountered many aggressive forms of banking malware, or banking Trojans. Ursnif has existed for about 10 years and has continually evolved in that time. Beyond stealing victims' usernames, passwords, and other personal data belonging to email or online banking accounts, the most recent version of Ursnif, the one used in the Onliner spambot campaign, can also download additional malware onto an infected Windows PC.
Onliner spambot emails armed with the latest version of Ursnif are sent through channels that commonly go unchallenged. Because the messages are relayed through legitimate email servers, sender-based checks offer little protection: the spam appears harmless to many users, who believe it comes from a trusted source. Each Onliner email carries a malicious attachment payload, and in many cases that attachment is disguised as a normal-looking file.
When the attachment in a malicious Onliner spambot email is opened, the malware is downloaded from a server and infects the system. As email filters become more sophisticated, it is important that they are updated with the latest detection methods to catch attacks from the Onliner spambot campaign; so far, Onliner has evaded a large number of spam detection methods. Troy Hunt, who runs the Have I Been Pwned breach notification site, has made the Onliner data searchable, which may soon help spam-detection and other computer security researchers better detect and thwart attacks from Onliner.
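Since the mail arrives through legitimate servers, the attachment itself is what a filter can still inspect. The following added example (not code from the article or from any researcher it cites) scans constructed sample messages for the disguises described above: a double extension, an executable extension, or Windows PE bytes behind a document-style name or declared PDF type. All addresses and file contents are hypothetical.

```python
import email
from email import policy
from email.message import EmailMessage

# Executable/script extensions, and the document-like names used to disguise them.
EXEC_EXTS = (".exe", ".scr", ".js", ".vbs", ".jse", ".wsf", ".hta", ".bat", ".cmd")
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png")

def scan_message(raw: bytes):
    """Return [(filename, [reasons])] for attachments that look disguised."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        low = name.lower()
        data = part.get_payload(decode=True) or b""
        reasons = []
        pieces = low.rsplit(".", 2)
        # 1. double extension such as invoice.pdf.exe
        if len(pieces) == 3 and "." + pieces[1] in DOC_EXTS and "." + pieces[2] in EXEC_EXTS:
            reasons.append("double extension")
        # 2. a bare executable or script extension
        elif low.endswith(EXEC_EXTS):
            reasons.append("executable extension")
        # 3. Windows PE magic ("MZ") behind a document-style name
        if data[:2] == b"MZ" and low.endswith(DOC_EXTS):
            reasons.append("PE header under document name")
        # 4. declared MIME type disagrees with the bytes (only PDF is checked here)
        if part.get_content_type() == "application/pdf" and not data.startswith(b"%PDF"):
            reasons.append("declared PDF without PDF magic")
        if reasons:
            findings.append((name, reasons))
    return findings

def build_sample(filename: str, subtype: str, payload: bytes) -> bytes:
    """Constructed test message with hypothetical addresses."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"   # legitimate-looking sender, as in the article
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please find the attached document.")
    msg.add_attachment(payload, maintype="application", subtype=subtype, filename=filename)
    return msg.as_bytes()

# Three constructed samples: one benign PDF and two disguised executables.
SAMPLES = {
    "benign": build_sample("statement.pdf", "pdf", b"%PDF-1.4\n%constructed sample\n"),
    "double_ext": build_sample("invoice.pdf.exe", "octet-stream", b"MZ\x90\x00\x03\x00"),
    "pe_as_pdf": build_sample("Statement.pdf", "pdf", b"MZ\x90\x00\x03\x00"),
}
```

Running `scan_message` over each entry of `SAMPLES` flags only the two disguised attachments; a real deployment would extend check 4 to other declared types and inspect archives that wrap an executable.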