Overview
Proofpoint researchers have been tracking a botnet operating on thousands of compromised web servers this year. The botnet, dubbed Brain Food after the bogus diet and intelligence-boosting pills it helps sell, is used to disguise call-to-action URLs in email spam.
Brain Food is a PHP script that we have found on over 5,000 compromised websites over the past four months. Over 2,400 of those have shown activity in the past 7 days. Nearly 40% of the compromised sites are hosted on five platforms (Figure 1). We have reached out to GoDaddy about this and discussed ways of addressing the problem with them.
Figure 1: Top hosts of websites compromised with Brain Food
An individual website may contain multiple copies of the PHP script. We have observed this script installed on websites using different content management systems including WordPress and Joomla.
Brain Food is usually the second step in a chain of redirections, with the first being a URL shortener link in spam. In the past week, we have detected over 7,300 distinct URL shortener links used by this spammer, of which 55% were goo.gl links and 45% used bit.ly. As shown in Figure 2, this pattern has been consistent over time, except for a period of roughly two weeks in late April 2018. On April 13, Google stopped anonymous users from creating new goo.gl links, at which point the spammer switched most of their activity to bit.ly to maintain total spam volume. However, by the end of April, the spammer appears to have found a means of circumventing the Google restrictions and reverted to their previous split between the two URL shortener services (Figure 2).
Figure 2: URL shorteners used by the Brain Food spammer
The emails distributing these links are very simple, with no subject line and a basic personalized greeting (Figure 3):
Figure 3: Sample email distributing links to Brain Food redirects
The final landing pages currently advertise diet pills, although this same script was previously used to redirect to landing pages for a diet supplement claiming to increase intelligence. The landing pages typically feature stolen branding and claim the product has been featured on popular TV shows such as Shark Tank. Figure 4 shows one such landing page mimicking Entertainment Today:
Figure 4: Sample landing page with stolen branding
Analysis
The script has several layers of defense to avoid detection by researchers and search engine crawlers. The code is polymorphic and obfuscated with multiple layers of base64 encoding; a version recently uploaded to a malware repository was not flagged by any antivirus engine. When crawled, the script does one of four things: redirects to the correct page; waits five seconds and then redirects to the root of the compromised domain; waits and returns nothing; or redirects to the Unicef website. Operators monitor statistics and actions via a remote command and control (C&C) server, allowing the whole botnet to switch to new landing pages or blacklist new URLs simultaneously. The script also features local cloaking code. For example, the script attempts to be invisible to Google by answering any request whose User-Agent contains "Google" with a 404:
========================
// Cloaking: serve a 404 to anything identifying itself as Google, so the
// redirect page is never indexed or inspected by the crawler
if(strpos($_SERVER['HTTP_USER_AGENT'],'Google') !== false) {
header('HTTP/1.0 404 Not Found');
exit;
}
========================
Each of the samples we examined used one of two C&C servers: prostodomen1[.]com and thptlienson[.]com on 91.236.116[.]14 and 145.239.1[.]13, respectively. Since we examined these samples, the spammers have begun using hostcommets[.]com and sentacomra[.]com on the same IP addresses. The first of these IPs is in an ASN that is apparently registered to a shell company in the Isle of Man, but the second is hosted at a major worldwide hosting company.
There is also a backdoor in the code that allows remote execution of shell commands on web servers that are configured to allow the PHP 'system' function.
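As an added example, not Proofpoint's code and not taken from any Brain Food sample, the following Python triage script scores PHP files from a web root for the traits described above: the Google user-agent cloak that answers 404, eval over layered base64 decoding, and a shell call fed directly from request input. The regexes, the two-indicator threshold and the sample files are constructed assumptions for illustration.

```python
import re

# Heuristics for the behaviours described above; the regexes and the
# two-indicator threshold are this example's assumptions, not Proofpoint's signatures.
PATTERNS = {
    # user-agent cloaking: branch on 'Google' in HTTP_USER_AGENT, then answer 404
    "ua_cloak_404": re.compile(
        r"HTTP_USER_AGENT.{0,120}?Google.{0,200}?header\s*\(\s*['\"]HTTP/1\.[01] 404", re.S),
    # eval over a decoder chain (base64 / gzinflate / rot13)
    "eval_decoder": re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    # shell execution fed straight from request input (the backdoor described above)
    "request_to_shell": re.compile(
        r"\b(?:system|shell_exec|passthru|exec)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
}

def base64_layers(src):
    """Length of the longest chain of directly nested base64_decode( calls."""
    chains = re.findall(r"(?:base64_decode\s*\(\s*)+", src)
    return max((c.count("base64_decode") for c in chains), default=0)

def score_php(src):
    """Return the indicators found in one PHP source plus an overall verdict."""
    hits = {name: bool(rx.search(src)) for name, rx in PATTERNS.items()}
    hits["base64_layers"] = base64_layers(src)
    points = sum(hits[k] for k in PATTERNS) + (hits["base64_layers"] >= 2)
    hits["suspicious"] = points >= 2
    return hits

def scan(files):
    """Scan a {path: source} mapping and return the paths judged suspicious."""
    return [path for path, src in files.items() if score_php(src)["suspicious"]]

# Constructed samples (not real Brain Food code): one mimicking the behaviours
# described above, one ordinary theme file using base64 and a UA check legitimately.
SAMPLES = {
    "wp-content/uploads/cache.php": (
        "<?php\nif(strpos($_SERVER['HTTP_USER_AGENT'],'Google') !== false) {\n"
        "header('HTTP/1.0 404 Not Found');\nexit;\n}\n"
        "eval(base64_decode(base64_decode(base64_decode('cGxhY2Vob2xkZXI='))));\n"
        "if(isset($_GET['x'])) { system($_GET['x']); }\n"),
    "wp-content/themes/site/functions.php": (
        "<?php\n$mobile = strpos($_SERVER['HTTP_USER_AGENT'], 'Mobile') !== false;\n"
        "$logo = base64_decode('iVBORw0KGgo=');\necho $mobile ? 'm' : 'd';\n"),
}

if __name__ == "__main__":
    for path in scan(SAMPLES):
        print("suspicious:", path, score_php(SAMPLES[path]))
```

A single indicator (one base64_decode, or a mobile user-agent check) does not flag a file, which keeps ordinary theme and plugin code out of the results; flagged files should still be reviewed by hand before removal.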
Conclusion
According to the US Federal Trade Commission, fake weight loss scams are the most common type of consumer fraud, accounting for hundreds of millions in direct losses each year. The Brain Food botnet demonstrates a high degree of flexibility and sophistication, as operators can quickly shift landing pages and URL shorteners while flying under the radar of defenders and search engines. As always, good email hygiene and gateway or ISP-level protections are critical layers of defense against this type of fraud.
Indicators of Compromise (IOCs)
IOC | IOC Type | Description
thptlienson[.]com | URL | C&C
hostcommets[.]com | URL | C&C
sentacomra[.]com | URL | C&C
91.236.116[.]14 | IP | C&C
145.239.1[.]13 | IP | C&C