Cutwail drives spike in malicious HTML attachment spam

Revision as of 21:57, 5 August 2015 by Eric.freyssinet (talk | contribs) (Text replacement - "" to "")


Publication details

Botnet: Cutwail
Malware: Cridex
Botnet/malware group: (not given)
Exploit kits: Phoenix
Distribution vector: (not given)
Operation/Working group: (not given)
Date: February 16th, 2012
Editor/Conference: M86 Security Labs
Link: (Archive copy)
Author: Rodel Mendrez


Over the past month, we have observed several large spam campaigns with malicious HTML attachments. We believe the botnet behind these campaigns is Cutwail. Here is data we collected, starting from the first day of 2012, illustrating spikes of spam with malicious HTML attachments:

Attaching an HTML file to an email is a tactic we have seen used in phishing. But recently, attackers have spammed out large volumes of HTML attachments that include malicious JavaScript. Here is an example we received a few days ago:

In the image above, we opened the message with the attached .HTM file using the Mozilla Thunderbird email client. Although Thunderbird rendered the HTML attachment, fortunately its default settings prevented the malicious JavaScript in the HTML source code from running. The Thunderbird user needs to click the attachment or open the HTML file in a browser for the JavaScript to run.
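The campaign described above relies on a simple delivery pattern: an .htm/.html attachment whose body carries script that only executes once the user opens the file in a browser. A mail gateway or incident responder can catch that pattern before delivery by extracting HTML attachments and looking for script-bearing content. The following is an added illustration written for this page, not code from M86 Security Labs or the author. It builds a constructed sample message (not a captured Cutwail spam) with an HTML attachment containing a harmless `unescape`/`document.write` snippet, parses it with Python's standard `email` library, and reports which indicators fired. The indicator names and the block/allow verdict rule are assumptions chosen for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage

HTML_EXTENSIONS = (".htm", ".html")

# Indicators of script execution or redirection inside an HTML attachment.
# Names are this example's own; tune the set to the gateway's policy.
SUSPICIOUS = {
    "script_tag": re.compile(r"<script\b", re.I),
    "unescape_call": re.compile(r"\bunescape\s*\(", re.I),
    "eval_call": re.compile(r"\beval\s*\(", re.I),
    "document_write": re.compile(r"document\.write\s*\(", re.I),
    "hidden_iframe": re.compile(r"<iframe\b[^>]*(width|height)\s*=\s*[\"']?0", re.I),
    "meta_refresh": re.compile(r"<meta\b[^>]*http-equiv\s*=\s*[\"']?refresh", re.I),
}

# Any of these alone is enough to quarantine: static HTML never needs them.
BLOCKING = {"script_tag", "hidden_iframe", "meta_refresh"}


def is_html_attachment(part):
    """True if the MIME part is an HTML file by name or declared type."""
    name = (part.get_filename() or "").lower()
    return name.endswith(HTML_EXTENSIONS) or part.get_content_type() == "text/html"


def scan_message(raw):
    """Parse a raw RFC 5322 message and scan each HTML attachment.

    Returns one dict per HTML attachment: filename, sorted indicator
    names that matched, and a block/allow verdict.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        if not is_html_attachment(part):
            continue
        data = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "latin-1"
        body = data.decode(charset, errors="replace")
        hits = sorted(name for name, rx in SUSPICIOUS.items() if rx.search(body))
        verdict = "block" if BLOCKING.intersection(hits) else "allow"
        findings.append({"filename": part.get_filename() or "",
                         "indicators": hits, "verdict": verdict})
    return findings


def _base_message(subject):
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # constructed addresses
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please see the attached document.")
    return msg


def build_malicious_sample():
    """Constructed message mimicking the pattern in the article: an .htm
    attachment whose script decodes and writes content at load time.
    The payload here only decodes the string 'Hi'."""
    msg = _base_message("Your invoice")
    html = ('<html><body><script>var s=unescape("%48%69");'
            'document.write(s);</script></body></html>')
    msg.add_attachment(html, subtype="html", filename="invoice.htm")
    return msg.as_bytes()


def build_benign_sample():
    """Constructed message with a static HTML attachment and no script."""
    msg = _base_message("Newsletter")
    html = "<html><body><p>Monthly update.</p></body></html>"
    msg.add_attachment(html, subtype="html", filename="news.html")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("malicious", build_malicious_sample()),
                       ("benign", build_benign_sample())):
        print(label, scan_message(raw))
```

The scan deliberately works on the decoded attachment body rather than the file extension alone, since a part labelled `application/octet-stream` but named `.htm` is still rendered as HTML by a browser. Matching on `document.write`/`unescape` alone is noisy, which is why only the tags that have no place in a static document drive the verdict here; the remaining indicators are reported for the analyst.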


 @misc{2012BFR901,
   editor = {M86 Security Labs},
   author = {Rodel Mendrez},
   title = {Cutwail drives spike in malicious HTML attachment spam},
   day = {16},
   month = Feb,
   year = {2012},
   howpublished = {\url{}},
 }