Security researchers have identified a new, growing botnet dubbed Brain Food that is powered by thousands of compromised web servers. Proofpoint researchers say the botnet is named after the fake diet and intelligence boosting pills it helps sell that are used to disguise call to action URLs in spam emails.
Researchers said they have identified the Brain Food PHP script on over 5,000 compromised websites over the past four months, nearly 40% of which were hosted on five popular platforms such as GoDaddy, Unified Layer CyrusOne, OVH and Dreamhost.
The malicious URL is primarily spread via simple, but malicious emails with no subject and a basic personalized greeting. The email contains a Google-shortened URL that leads to a landing page that advertises the fake diet and intelligence boosting pills.
These ads often featured stolen branding and claimed the product has been featured on popular TV shows such as Shark Tank to feign legitimacy and dupe victims. The image shows one example of a popular TV show’s branding stolen and used as final landing page advertisement in this campaign:
Image credit: Proofpoint
Further analysis revealed the script contains multiple layers of base64 encoding to avoid detection by security researchers and search engine crawlers. A recent version of the botnet malware uploaded to a malware repository was not detected by any antivirus engine, researchers said.
The botnet’s operators can continuously monitor the malware’s statistics and actions via a remote C&C server, allowing them to easily switch the botnet to new landing pages or blacklist new URL’s simultaneously and flexibly. Researchers said the two script samples examined led to one of two C&C servers.
“There is also a backdoor in the code that allows remote execution of shell code on web servers which are configured to allow the PHP 'system' command,” researchers noted. “The Brain Food botnet demonstrates a high degree of flexibility and sophistication, as operators can quickly shift landing pages and URL shorteners while flying under the radar of defenders and search engines. As always, good email hygiene and gateway or ISP-level protections are critical layers of defense against this type of fraud.”