A new botnet called StealRat relies on two hijacked websites and one compromised machine to send out spam.
The infected machine acts as the go-between, connecting the spam server to the website that is responsible for sending the spam, said researchers at Trend Micro.
The malware victim gathers spam data, such as the backup mail server, sender name, recipient address and email template, from the spam server. This information is forwarded to the compromised site, which constructs the email and sends it out to users.
The emails sent out by the first compromised site contain links to the second compromised site that serves the payload (an adult website or a rogue pharmacy).
This way, since there is no direct connection between the spam server and the spam, it will appear as if the email came from the infected machine.
“The spam mail itself does not spread the malware, so there is no visible link between the two as well. In essence, they have separated the core functions and minimized interactions among them to cut off any threads that could link them to each other,” said Trend Micro threat response engineer Jessa De La Torre.
During the course of its investigation, Trend Micro identified 85,000 unique IP addresses and domains used to send out the spam emails over a one-month period. Each of these domains contains an average of two spamming scripts.
At least 8,640 spam data records go out each day from the infected machine. The spammers are currently rotating around 7 million email addresses.