Security researchers have reportedly discovered a misconfigured server belonging to a spam botnet that has been leaking over 43 million email addresses. The hackers operating the botnet's command and control server reportedly misconfigured it, allowing anyone who reached its IP address to view the contents.
The leak was discovered by a Vertek Corporation security researcher who uncovered the spam botnet's server while investigating a malware campaign. The campaign involved hackers infecting users with the Trik trojan and the GandCrab ransomware, Bleeping Computer reported.
According to security researchers at Proofpoint, the Trik botnet has been active for over a decade, yet has flown under the radar. Although the botnet is not considered to be overly sophisticated or complex, it has been leveraged by various threat actors to launch numerous campaigns.
“Malware families associated with recent Trik activity include GandCrab, Pushdo (which in turn downloads Cutwail), Pony, Trik updates, and various coin miners,” Proofpoint researchers wrote in a blog. “Some of these, like coin miners, are not distributed by Trik in spam but are, instead, sent to the hosts infected with Trik and executed, likely for improved monetization of the botnet for the operator.”
“Taking a single day as an example, on May 9 we observed instructions to download and distribute GandCrab, Pony, Pushdo, and multiple coin miners being sent to the botnet.”
According to the Vertek researcher, the server that served up GandCrab and Trik was hosted on a Russian IP address. However, it is unclear whether the botnet's operators are Russian or based elsewhere. Over 20,000 email addresses and around 2,201 text files were found.
The researcher also believes that the server’s operators are using these lists to provide malware services to other cybercriminals.
"We pulled all of them to validate that they are unique and legitimate," the researcher told Bleeping Computer. "Out of 44,020,000 potential addresses, 43,555,741 are unique. The email addresses are from everywhere. There were 4.6 million unique email domains. Everything from .gov to .com, and domains of several private businesses."
Researchers believe that although Trik is decades old, it remains a powerful botnet that cybercriminals are currently using to deploy various kinds of malware.
“Many different malware families have been being distributed by Trik and this activity appears to be ramping up with multiple daily campaigns,” Proofpoint researchers noted.