New malspam campaign exploits DNS records to target victims

• The spam campaign, which specifically targeted UK users, relied on DNS TXT records and redirected users to a fraudulent trading site.
• IP addresses associated with the campaign are likely linked with Necurs botnet.

A new malspam campaign targeting UK users has been spotted in the wild. MyOnlineSecurity.com which came across a number of spam emails related to this campaign found that the scammers attempted on compromising DNS in their methods. The spam emails contain HTML attachments which upon clicking redirects users to a fraudulent trading site.

Key highlights

• The campaign specifically targets users in the UK. As stated by MyOnlineSecurity.com, the fraudulent site https://appteslerapp[.]com was reported to work for users only in the UK. Users outside the UK had a blank page or a ‘loading’ page.
• The spam emails used in the campaign were from IP addresses which were earlier used by Necurs botnet.
• The malicious HTML attachments contained a base64 encoded URL to call a Google DNS service in order to look for a domain. Analyzing further, it was a DNS TXT record that tells the HTML attachment to redirect users to the fraud site.
• Domains used in the campaign resolve to a single domain hosted by a Ukrainian company called AS48031.

Worth noting

MyOnlineSecurity also observed that the attackers extensively used domains ending with .icu.

“All the icu domains were recently registered over the last month or so using namecheap who have their usual less than $2 special offer sale, so making it extremely easy for the criminals to buy hundreds of the domains,” MyOnlineSecurity reported.