WordyThief: A Malicious Spammer

Renée Burton, V. Tymchenko, Nicholas Sundvall, Minh Hoang, J. Mozley, M. Josten
DOI: 10.1109/eCrime51433.2020.9493261 (https://doi.org/10.1109/eCrime51433.2020.9493261)
Published in: 2020 APWG Symposium on Electronic Crime Research (eCrime), 2020-11-16
Citations: 0

Abstract

We detail the tradecraft used to discover and exploit a prolific Russian-affiliated malicious spam actor. To the best of our knowledge, this paper is the first description of the actor, whom we call WordyThief, and the first publication demonstrating the application of graph techniques to the identification of malicious spam campaigns. This work contributes to the threat intelligence community both as a technique that can be utilized in daily practice, and as a thorough account of WordyThief, who continues to spread malware in October 2020. We initially discovered isolated malware campaigns using large-scale bipartite graphs created from email metadata. These graphs and related campaign specifics revealed the use of domain names within the spammer's infrastructure devised through dictionary domain generation algorithms (DDGAs). Using a second graph-based technique and time series analysis, we recovered the underlying dictionaries and temporal behavior of the actor. A retrospective review of spam collection and correlation with other Domain Name System (DNS) information led us to conclude that the campaigns were all the work of a single actor. We tracked their activity and substantiated our methods retrospectively, through December 2019. We also leveraged open source intelligence (OSINT) to verify our findings. We found that WordyThief operates a large spam infrastructure and distributes malware that steals personal and financial information from victims. This paper includes not only the scientific methods used to detect the actor, but also detailed descriptions and analyses of several elements of their tactics, techniques, and procedures (TTP). We include an analysis of the actor's tendency to use aged domains, a text analysis of their emails, use of embedded IP tracking in their campaigns, harvesting of open source images, and an exposition of their evolving exploitation techniques.