Submitted URL: https://www.trustwave.com/resources/spiderlabs-blog/gamut-spambot-analysis/
Effective URL: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/gamut-spambot-analysis/
SPIDERLABS BLOG

GAMUT SPAMBOT ANALYSIS

March 04, 2014
Rodel Mendrez
In this blog post, we'll be describing the functionality of a spamming botnet
which appears to have been active since at least the first quarter of 2013.
Currently, the bot's activity consists of sending job-related junk mail. We've
named this spambot "Gamut" based on a string found in the malware body. At this
time anti-virus detection is modest but mostly generic.

Gamut string in the malware body



Malware Installation:

Gamut was found to be downloaded by a Trojan Downloader that arrives as an
attachment to a spam email message. The bot installation is quite simple.
After the malware binary has been downloaded, it launches itself from its
current directory, usually the Windows %Temp% folder, and installs itself as a
Windows service. The following registry key is added as a result of running the
service:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WPUms
    Type = 0x00000010
    Start = 0x00000002
    ErrorControl = 0x00000000
    ImagePath = "path to malware executable"
    DisplayName = "WPUms"
    ObjectName = "LocalSystem"

The sample we analyzed uses the name "WPUms" as its service name as well as its
mutex name.
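The service key above is the artifact an incident responder would look for on a suspect host. The following added example (not code from the original post or from Trustwave) parses a .reg-style export of the Services hive and flags the persistence traits the analysis describes: an auto-start service running as LocalSystem whose ImagePath sits in a temporary directory. The export text is constructed for the example; the WPUms values mirror those listed above, but the executable path is a placeholder, not the real sample's path.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Union

# Constructed sample (not from the page): a .reg-style export of two service keys.
# The WPUms entry mirrors the values the analysis lists (Type 0x10, Start 0x2,
# ErrorControl 0, DisplayName WPUms, ObjectName LocalSystem). The ImagePath is a
# placeholder under %Temp%, not the real sample's path; Spooler is a benign control.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WPUms]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"="C:\\Users\\victim\\AppData\\Local\\Temp\\wpums.exe"
"DisplayName"="WPUms"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Spooler]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"="C:\\Windows\\System32\\spoolsv.exe"
"DisplayName"="Print Spooler"
"ObjectName"="LocalSystem"
"""

SERVICE_WIN32_OWN_PROCESS = 0x10   # value of "Type" for a standalone service process
SERVICE_AUTO_START = 0x2           # value of "Start" for a service started at boot
TEMP_PATH_MARKERS = ("\\temp\\", "\\tmp\\", "%temp%")

VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


@dataclass
class ServiceKey:
    path: str
    values: Dict[str, Union[int, str]] = field(default_factory=dict)

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_reg_export(text: str) -> List[ServiceKey]:
    """Parse [key] headers and "name"=dword:/"string" values into ServiceKey records."""
    keys: List[ServiceKey] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = ServiceKey(line[1:-1])
            keys.append(current)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, dword, string = m.groups()
            if dword is not None:
                current.values[name] = int(dword, 16)
            else:
                # .reg files escape backslashes in string values; undo that here
                current.values[name] = string.replace("\\\\", "\\")
    return keys


def suspicious_service_indicators(svc: ServiceKey) -> List[str]:
    """Return the reasons a service key resembles the persistence described for Gamut."""
    reasons = []
    image = str(svc.values.get("ImagePath", "")).lower()
    if any(marker in image for marker in TEMP_PATH_MARKERS):
        reasons.append("ImagePath points into a temporary directory")
    if (svc.values.get("Start") == SERVICE_AUTO_START
            and svc.values.get("ObjectName") == "LocalSystem"
            and "\\windows\\" not in image):
        reasons.append("auto-start as LocalSystem from outside the Windows directory")
    if (svc.values.get("Type") == SERVICE_WIN32_OWN_PROCESS
            and svc.values.get("DisplayName") == svc.name):
        reasons.append("own-process service whose DisplayName merely repeats the key name")
    return reasons


def triage_services(text: str) -> Dict[str, List[str]]:
    """Map each service name in the export to its list of suspicious indicators."""
    return {svc.name: suspicious_service_indicators(svc) for svc in parse_reg_export(text)}


if __name__ == "__main__":
    for name, reasons in triage_services(SAMPLE_REG_EXPORT).items():
        print(name, "->", "; ".join(reasons) or "no indicators")
```

On a live host the same export can be produced with `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` and fed to `triage_services`; the benign Spooler entry shows that the checks key on the combination of traits rather than on LocalSystem alone.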

The malware utilizes an anti-VM (virtual machine) trick and terminates itself if
it detects that it is running in a virtual machine environment. The bot also
uses the INT 03h trap sporadically in its code, an anti-debugging technique
which prevents its code from running normally under a debugger. It can further
determine whether it is being debugged by calling the Kernel32 API function
IsDebuggerPresent.

Command and Control server:

After installation, it phones home to the following domain names:

 * serenaso.in.ua
 * dufoper.in.ua
 * toporung.in.ua
 * retionolo.in.ua
 * arondo.in.ua

Each of the domain names listed above points to the same hosting service
provider, Avguro Technologies Ltd, based in Russia.

Domain Names: serenaso.in.ua, dufoper.in.ua, toporung.in.ua, retionolo.in.ua,
arondo.in.ua

Record: A
  Name: serenaso.in.ua
  IP Number: 81.177.135.113
  Routes: 81.177.128.0/18 RTCOMM-RU; AS8342 RTCOMM-AS OJSC RTComm.RU
  IP Location: Avguro Technologies Ltd. Hosting Service Provider, Russian Federation

Record: MX
  Name: mail.serenaso.in.ua, mail.dufoper.in.ua, mail.toporung.in.ua,
        mail.retionolo.in.ua, mail.arondo.in.ua

Record: NS
  Name: ns1.jino.ru
  IP Number: 217.107.34.200
  Reverse: ns1.jino.ru
  Routes: 217.106.0.0/15 RTCOMM-RU; AS8342 RTCOMM-AS OJSC RTComm.RU
  IP Location: Avguro Technologies Ltd. Hosting Service Provider, Russian Federation

Record: NS
  Name: ns2.jino.ru
  IP Number: 217.107.217.16

Record: SOA
  Name: hostmaster.jino.ru

Older Gamut samples connect to the following domain names:

 * nootmet.in (217.107.219.194)
 * dodomet.in (217.107.219.194)
 * bootmeet.in (217.107.219.194)

The bot initiates by connecting to its command and control server which is
hardcoded inside the bot's body:



The bot then retrieves the SenderClient.conf file from the command and control
server. The file contains the bot configuration, such as the thread count, SMTP
connection timeout, SMTP sending timeout/attempts, etc.



Gamut sends the following commands (actions) to communicate with its control
server:

 * GetIP: request the infected machine's IP address
 * GetSubscriptionEmailsBlock: get the list of email addresses which will be spammed
 * GetSubscriptionContent: get the spam template
 * EmailsSent: report back the list of email addresses to which spam was successfully sent
 * SubscriptionBlockNotSent: report back the list of email addresses to which spam was unsuccessfully sent
 * Port25Open: tell the control server that port 25 is open
 * Port25Close: tell the control server that port 25 is closed
 * GetPTR: get the PTR record

The command is sent as an HTTP POST request. The screenshot below shows the
command and control communication where the bot sends a GetIP command requesting
the infected machine's IP address:



If the control server fails to obtain the infected machine's IP address, then
the bot sleeps for 15 seconds.

Spam Engine:

After installation, Gamut probes the infected system's SMTP port 25 by sending a
test SMTP transaction to mail.ru and hotmail.com. After the SMTP test, it tells
the command and control server whether port 25 is open or closed.

The bot sends a POST request with the Port25Open action when the SMTP test is
successful

If the SMTP test is successful, then the bot will request the spam template and
email list from the command and control server. If the test is not successful,
the bot will sleep for 12 hours.

The Wireshark TCP stream screenshot below shows how the bot requests the spam
template using the GetSubscriptionContent command.



If the spam template is empty or broken, the bot sleeps for 1 minute and then
attempts another request to the command and control server.

Here is a basic flowchart of Gamut's SMTP engine.



A single Gamut spambot can send at least 60,000 spam messages per day depending
on the number of target email addresses received from the control server.
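The command set and the SMTP-engine sequence described in the two sections above (configuration fetch, GetIP, the port 25 probe reported as Port25Open or Port25Close, then GetSubscriptionContent) give a network defender something concrete to look for in web proxy logs. The following added example (not code from the original post or from Trustwave) scans constructed proxy log lines for the C2 hosts and IPs named on this page, for downloads of SenderClient.conf, and for POST requests carrying one of the Gamut action names, then reconstructs the order of actions each client sent. The log line format and the `action=<name>` body encoding are assumptions of this example; the page's screenshot of the real POST is not reproduced here, so adapt the regexes to the proxy in use.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Hosts and IPs the analysis associates with Gamut C2 (current and older samples).
GAMUT_C2_HOSTS = {
    "serenaso.in.ua", "dufoper.in.ua", "toporung.in.ua", "retionolo.in.ua", "arondo.in.ua",
    "nootmet.in", "dodomet.in", "bootmeet.in",
    "81.177.135.113", "217.107.219.194",
}
# Action names from the command table in the analysis.
GAMUT_ACTIONS = {
    "GetIP", "GetSubscriptionEmailsBlock", "GetSubscriptionContent", "EmailsSent",
    "SubscriptionBlockNotSent", "Port25Open", "Port25Close", "GetPTR",
}
CONFIG_FILE = "SenderClient.conf"

# Constructed proxy log (not from the page). Assumed format of this example:
# <timestamp> <client-ip> <method> <host> <path> "<request body or ->"
SAMPLE_LOG = """\
2014-03-04T10:15:01Z 10.0.0.25 GET serenaso.in.ua /SenderClient.conf "-"
2014-03-04T10:15:03Z 10.0.0.25 POST serenaso.in.ua / "action=GetIP"
2014-03-04T10:15:20Z 10.0.0.25 POST serenaso.in.ua / "action=Port25Open"
2014-03-04T10:15:21Z 10.0.0.25 POST serenaso.in.ua / "action=GetSubscriptionContent"
2014-03-04T10:16:00Z 10.0.0.40 GET www.example.com /index.html "-"
2014-03-04T10:16:05Z 10.0.0.40 POST www.example.com /login "user=alice"
2014-03-04T10:17:30Z 10.0.0.77 POST 217.107.219.194 / "action=GetPTR"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "(.*)"$')
# Longest names first so GetSubscriptionEmailsBlock is not shadowed by a shorter name.
ACTION_RE = re.compile(
    r"\b(" + "|".join(sorted(GAMUT_ACTIONS, key=len, reverse=True)) + r")\b"
)


def classify(line: str) -> Optional[dict]:
    """Parse one log line and list the Gamut indicators it matches (empty if none)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, method, host, path, body = m.groups()
    reasons: List[str] = []
    action = None
    if host.lower() in GAMUT_C2_HOSTS:
        reasons.append("known Gamut C2 host")
    if path.endswith("/" + CONFIG_FILE):
        reasons.append("download of " + CONFIG_FILE)
    if method == "POST":
        hit = ACTION_RE.search(body) or ACTION_RE.search(path)
        if hit:
            action = hit.group(1)
            reasons.append("Gamut action " + action)
    return {"ts": ts, "client": client, "host": host, "action": action, "reasons": reasons}


def find_infected_clients(log_text: str) -> Dict[str, List[dict]]:
    """Group matching log records by client IP, preserving log order."""
    hits: Dict[str, List[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = classify(line)
        if rec and rec["reasons"]:
            hits[rec["client"]].append(rec)
    return dict(hits)


def action_sequence(hits: Dict[str, List[dict]], client: str) -> List[str]:
    """Order of Gamut actions one client sent; mirrors the bot lifecycle in the analysis."""
    return [rec["action"] for rec in hits.get(client, []) if rec["action"]]


if __name__ == "__main__":
    found = find_infected_clients(SAMPLE_LOG)
    for client, records in found.items():
        print(client, "->", action_sequence(found, client))
        for rec in records:
            print("   ", rec["ts"], rec["host"], "; ".join(rec["reasons"]))
```

A client whose sequence runs GetIP, then Port25Open, then GetSubscriptionContent matches the successful path of the flowchart; a client that reports Port25Close and then goes quiet for roughly twelve hours matches the failure path, which is worth keeping in mind before closing an alert as a one-off.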

Spam Campaign:

It appears that Gamut's current spam campaign is actively targeting job seekers.
Here is a sample spam sent by Gamut:



Here are a few of the subject lines that the bot may use:

 * A great offer
 * A great offer of employment
 * A great offer of employment in our new store
 * A vacancy in our new store for you
 * Application for a vacancy
 * Application for a vacancy in our new store
 * Employee needed
 * More opportunities
 * More opportunities of employment
 * More opportunities of employment in our new store
 * New vacancies opened
 * New vacancies opened in our newly opened store
 * New vacancy
 * New vacancy in our shop
 * New vacancy in recently launched store!
 * Sales assistant vacancy
 * Vacancy of a sales assistant in our new shop
 * Vacancy online
 * We have a need in a sales assistant in our new store
 * We search for employees
 * We invite you to try yourself in our company
 * We invite you to try yourself as a professional in our company
 * We invite you to try yourself
 * We invite you to try
 * We invite you to join our united team
 * We invite you to join our united qualified team
 * We invite you
 * Our company offers you to join our close knit qualified team
 * Our company offers an interesting position
 * New vacancy in our team
 * New vacancy in our professional team
 * Join our united team
 * A great chance to join our professional team
 * A position in our company is available
 * A position in our united qualified team is waiting for you

The link in the message body points to a dodgy job website where the victim's
name and email address are required for the hiring process. We tested signing up
using fake names and emails, but we never received a reply. Most likely, the
email addresses entered are collected by spammers.



Trustwave Secure Email Gateway protects our customers from this spam campaign.

Conclusion:

The Gamut botnet was designed purely to send spam. It has a very simple command
and control infrastructure as well as a simple spamming engine. We brought this
bot into focus because simple botnets like Gamut sometimes fall under the radar.
Currently, it accounts for less than 5% of total spam volume. This spam botnet
however appears to be growing and has the capability to send massive amounts of
spam.
