Cutwail

Malware Profile Updated 3 months ago
Cutwail is a long-running spam botnet whose bots are installed by the Pushdo downloader. In the source corpus it is associated with several other botnets, including Necurs, Andromeda, and Dridex, at different stages of their lifecycles, and it has distributed payloads such as IcedID, Gozi, and Pushdo, typically protected with crypters tracked as Hexa, Forest, Snow, Lore, and Dave. Reporting in the corpus noted a year-over-year increase in crypted Gozi payloads, most often delivered through the LDR4 and Cutwail botnets, and tied Cutwail to ITG23-related campaigns involving Bumblebee, IcedID, Cobalt Strike, Qakbot, and Pikabot.

In 2023 the Dave and Forest crypters were correlated with the Pushdo downloader, which installs the Cutwail bot; that overlap suggests a close working relationship between the crypter operators and the Cutwail operators. Analysis of distribution emails also pointed to Cutwail as the likely distributor of a Hexa-crypted IcedID loader, and Cutwail spam runs have been linked to the old Dyre crew.

Cutwail's history is long: Brian Krebs's 2014 book "Spam Nation" listed it among the spam botnets run by criminals operating out of the Spamdot forum, alongside Rustock, Mega-D, Festi, Waledac, and Grum. A recent push to rebuild the botnet, presumably ahead of new spam runs, shows that it remains an active threat.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some overlapping names and profiles you may also want to look at.
ID / Votes / Profile Description
Pushdo (2 votes): Pushdo is a downloader that has been associated with various cyber attacks and malicious activities. Observed since 2007, it was identified in 2013 as the most widespread "bad bot", infecting over 4.2 million IPs, including those of private companies, government agencies, and military networks.
Trickloader (1 vote): TrickLoader is a malicious software (malware) that exploits and damages computer systems, often infiltrating through suspicious downloads, emails, or websites. It is designed to steal personal information, disrupt operations, or hold data hostage for ransom. Upon initial inspection of TrickLoader, i
Miscellaneous Associations
Other elements of context that could help in assessing relevance:
Malware
Spam
Botnet
Bot
Crypter
Loader
Associated Malware
ID / Type / Votes / Profile Description
QakBot (type: unspecified, 1 vote): Qakbot is a potent malware, a malicious software designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal information, disrupt operations, or e
Pikabot (type: unspecified, 1 vote): PikaBot is a harmful malware that emerged in 2023, designed to exploit and damage computer systems. It infiltrates systems through dubious downloads, emails, or websites, often undetected by the user. Once inside a system, PikaBot can pilfer personal information, disrupt operations, or even ransom d
Gozi (type: unspecified, 1 vote): Gozi is a notorious malware that has been linked to numerous cyber attacks. It is typically delivered through sophisticated malvertising techniques, often used in conjunction with other initial access malware such as the Pikabot botnet agent and the IcedID information stealer. When an individual accesses a c
IcedID (type: unspecified, 1 vote): IcedID is a malicious software (malware) designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom
Dridex (type: unspecified, 1 vote): Dridex is a well-known malware, specifically a banking Trojan, that has been utilized by cybercriminals to exploit and damage computer systems. The malware infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user, and can steal personal information, disrupt o
Dyre (type: unspecified, 1 vote): Dyre, also known as Dyreza or Dyzap, is a banking Trojan that was initially designed to monitor online banking transactions with the aim of stealing passwords, money, or both. It first emerged in 2014, targeting victim bank accounts held at various U.S.-based financial institutions. These i
Forest (type: unspecified, 1 vote): Forest is a potent malware that leverages the Golden Ticket, an authentication ticket (TGT), to gain domain-wide access. It exploits the TGT to acquire service tickets (TGS) used for accessing resources across the entire domain and the Active Directory (AD) forest by leveraging SID History. The malw
Note: this linked profile describes Active Directory forest and Golden Ticket tradecraft, whereas the "Forest" named in the Cutwail summary above is a crypter; treat the association as a probable name collision rather than a confirmed overlap.
ANDROMEDA (type: unspecified, 1 vote): Andromeda is a type of malware, or malicious software, designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or hold data ho
Bumblebee (type: unspecified, 1 vote): Bumblebee is a type of malware that has been linked to ITG23, a cybercriminal group known for crypting malware families such as Emotet, IcedID, Qakbot, Bumblebee, and Gozi. Distributed via phishing campaigns or compromised websites, Bumblebee enables the delivery and execution of further payloads. The sam
Cobaltstrike (type: unspecified, 1 vote): Cobalt Strike is a commercial adversary-emulation framework whose cracked copies are widely abused by criminals; it has been observed alongside other malicious software including IcedID, Qakbot, BazarLoader, Conti, Gozi, Trickbot, Quantum, Emotet, and Royal Ransomware. In these campaigns it is typically delivered through suspicious downloads, emails, or websites, ofte
Associated Threat Actors
ID / Type / Votes / Profile Description
No associations to display
Associated Vulnerabilities
ID / Type / Votes / Profile Description
No associations to display
Source Document References
Information about the Cutwail malware was read from the documents in the corpus below.
Source / Created / Title
CERT-EU (7 months ago): Meet Ika & Sal: The Bulletproof Hosting Duo from Hell
CERT-EU (7 months ago): The Bulletproof Hosting Duo from Hell – Krebs on Security | #cybercrime | #infosec | National Cyber Security Consulting
CERT-EU (7 months ago): Meet Ika & Sal: The Bulletproof Hosting Duo from Hell – GIXtools
Krebs on Security (7 months ago): Meet Ika & Sal: The Bulletproof Hosting Duo from Hell
MITRE (a year ago): TrickBot: We Missed you, Dyre
MITRE (a year ago): Stopping Serial Killer: Catching the Next Strike - Check Point Research
SecurityIntelligence.com (a year ago): The Trickbot/Conti Crypters: Where Are They Now?