Cutwail

Malware updated 2 months ago (2024-11-29T13:38:39.592Z)

Download STIX

Preview STIX

Cutwail is a notorious malware that has been associated with various botnets, including Necurs, Andromeda, and Dridex, at different stages of their lifecycle. It has been implicated in the distribution of malicious payloads such as IcedID, Gozi, and Pushdo, often using crypters like Hexa, Forest, Snow, Lore, and Dave to obfuscate its activities. Over the past year, we have observed an increase in crypted Gozi payloads, most often distributed via the LDR4 and Cutwail botnets. Furthermore, the malware has been linked to ITG23-related attacks involving Bumblebee, IcedID, CobaltStrike, Qakbot, and Pikabot. In 2023, a correlation was noted between the Dave and Forest crypters and the Pushdo downloader, which is tied to the Cutwail botnet. This association suggests a close relationship between the actors behind these threats. The Cutwail botnet was also likely responsible for distributing a Hexa-crypted IcedID loader, according to our analysis of the distribution emails. Additionally, Cutwail's involvement in spam campaigns, particularly those related to the old Dyre crew, indicates its continued use for malevolent purposes. The Cutwail malware was highlighted in the 2014 book "Spam Nation" as one of the global malware contagions controlled by cybercriminals operating from Spamdot. Other notable botnets mentioned include Rustock, Mega-D, Festi, Waledac, and Grum. Recently, there has been a push to rebuild the Cutwail botnet, presumably in preparation for future spam runs. This evidence underscores Cutwail's persistent threat in the cybersecurity landscape.

Description last updated: 2024-05-05T02:13:12.905Z

What's your take? (Question 1 of 3)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Pushdo is a possible alias for Cutwail. Pushdo is a type of malware that has been associated with various cyber attacks and malicious activities. First recognized in 2013, Pushdo was identified as the most widespread "bad bot," infecting over 4.2 million IPs including those of private companies, government agencies, and military networks.	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Spam

Botnet

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Source Document References

Information about the Cutwail Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	a year ago	Meet Ika & Sal: The Bulletproof Hosting Duo from Hell
CERT-EU	a year ago	The Bulletproof Hosting Duo from Hell – Krebs on Security \| #cybercrime \| #infosec \| National Cyber Security Consulting
CERT-EU	a year ago	Meet Ika & Sal: The Bulletproof Hosting Duo from Hell – GIXtools
Krebs on Security	a year ago	Meet Ika & Sal: The Bulletproof Hosting Duo from Hell
MITRE	2 years ago	TrickBot: We Missed you, Dyre
MITRE	2 years ago	Stopping Serial Killer: Catching the Next Strike - Check Point Research
SecurityIntelligence.com	2 years ago	The Trickbot/Conti Crypters: Where Are They Now?