Verint’s research team has recently discovered a new, previously unknown version of the Torte botnet malware. Christened SpamTorte 2.0, it is a powerful, multi-layered Spambot (Spam Botnet) that is capable of running large-scale, efficient spam campaigns while cleverly masking itself to avoid detection. It’s worth noting that the initial detection was made exclusively by the Verint TPS C&C Detection engine.

In this blog post, we’ll review some key highlights of the advanced SpamTorte botnet, including multiple C&C servers compromised through vulnerable Joomla / WordPress extensions, the use of thousands of spam mailers, and updates to both the size and the cookie structure of the malware itself.

Background

Why Should You Care About Botnets?

A ‘botnet’ is a network of compromised computers (bots) that have been infected by malware and are under the control of an attacker. The attacker abuses the botnet to perform various malicious activities, such as executing Distributed Denial of Service (DDoS) attacks, managing spam campaigns and distributing malware.

Botnets are managed by the bot master (or bot herder) through a Command & Control (C&C) server, which enables sending remote instructions to the bots (for example, which emails should be sent, when and to whom), keeping track of their activities and receiving reports from them (mainly statistics on bot activities).

The Original SpamTorte – One of the largest ongoing Spambot Attacks

SpamTorte is a Spambot that has been around since 2014 and has been growing and evolving ever since. It is a multi-layered, decentralized, and widely distributed botnet that attackers have used to launch coordinated brute-force spamming campaigns. It was originally named “Torte” due to its structure resembling a multi-layered cake.

How SpamTorte Has Evolved, What It’s Doing and the Danger It’s Causing

In our detailed report we cover our findings on the SpamTorte spambot and the way it has evolved.

  • Based on our findings, the SpamTorte 2.0 spambot appears to be the third evolutionary stage of the original Torte botnet discovered in 2014. This latest version has grown in both size and complexity.
  • The threat actors appear to have made multiple changes to enable more efficient malware campaigns – the attacks can be better orchestrated and more bots can be managed simultaneously.
  • The group behind this operation has thousands of compromised Mailer bot servers (compromised websites) which distribute spam messages. Each distributes a different piece of the spam message (the email address, the email content and the Mailer URL).

This post shows the scale of this ongoing spam operation, which is well worth taking notice of and understanding.

The fact that such a widespread operation is employing more advanced techniques, both to hide itself and to cause damage, is just another example of the ongoing evolution of the cyber threat landscape.

Download the full report