KELIHOS Spambot Infection Causes Salad Spam Surge

 Analysis by: Fjordan Allego

We spotted an increase in salad spam. The spam run has an email body consisting of two to three sentences of excerpts from various articles online. The subject also contains a sentence copied from a source to pass it as a normal email and bypass spam filters. While the mail doesn’t have any malicious attachments or links embedded on it, recipients may find it annoying getting multiple mails of the same format.

This recent spam outbreak used an older technique where spammers leverage salad words to completely bypass spam filters. In order to make it easier for them to spread it (spam), they also employed sender IPs that are infected with KELIHOS spambot. KELIHOS is known for spamming and bitcoin theft routines. In the past, we also reported a spike in salad spam that made use of Wikipedia articles to lure users into thinking that it is legitimate.

Unlike other salad spam variants where mails are encoded in HTML format, this new wave of salad spam is written in plain text. It’s also notable that both usernames of the From (sender) and To (recipient) fields carry the same name and only differ on the domain part. Trend Micro continuously monitors this attack. Users are advised to install a security solution that can detect spam and prevent the download of any possible malicious files that may come with it.

 SPAM BLOCKING DATE / TIME: August 27, 2014 GMT-8
 TMASE INFO
  • ENGINE:7.5
  • PATTERN:0910

Related Blog Entries