Gamut Botnet Description
The Gamut Botnet is a project that was first spotted and studied by malware researchers back in 2013. The Gamut Botnet is a rather basic operation – this botnet uses hijacked systems to send spam emails to a pre-made list of email addresses. A targeted system will receive one of the aforementioned spam emails, and when the user opens the email, the Gamut Botnet will hijack the computer.
When the payload of the Gamut Botnet is injected into the targeted system, it will store its components in the %TEMP% folder. To acquire persistence on the infected host, the threat will modify the Windows Registry. To mask its presence, the harmful payload is likely to use generic-sounding names like 'WPUms,' which is used by a genuine Windows Service.
The Gamut Botnet's payload applies some basic security measures. Before running on a compromised system, the threat will check for the presence of software associated with malware debugging. If the Gamut Botnet's payload determines that it is running in a sandbox environment, it will halt its activity immediately.
The Gamut Botnet can only fulfill its purpose if the victim's network has the Simple Mail Transfer Protocol (SMTP) Port 25 open - to check this, the Gamut Botnet will try to send test messages to Hotmail.com or Mail.ru addresses. If the test is passed successfully, the implant will report to the Command and Control server. If port 25 is closed, the operation will fail, and the botnet will suspend its activity for 12 hours before repeating the test. In case port 25 is available, the threat will establish a connection with the C&C (Command & Control) server and fetch data:
- An email template for the spam messages.
- A list of the email addresses that are to be spammed.
The attackers will receive data regarding the number of successful and unsuccessful emails.
If you want to avoid having your system hijacked by the Gamut Botnet, you should consider investing in a trustworthy, reputable anti-malware application.