Cutwail

Malware Profile Updated 24 days ago
Download STIX
Preview STIX
Cutwail is a notorious malware that has been associated with various botnets, including Necurs, Andromeda, and Dridex, at different stages of their lifecycle. It has been implicated in the distribution of malicious payloads such as IcedID, Gozi, and Pushdo, often using crypters like Hexa, Forest, Snow, Lore, and Dave to obfuscate its activities. Over the past year, we have observed an increase in crypted Gozi payloads, most often distributed via the LDR4 and Cutwail botnets. Furthermore, the malware has been linked to ITG23-related attacks involving Bumblebee, IcedID, CobaltStrike, Qakbot, and Pikabot. In 2023, a correlation was noted between the Dave and Forest crypters and the Pushdo downloader, which is tied to the Cutwail botnet. This association suggests a close relationship between the actors behind these threats. The Cutwail botnet was also likely responsible for distributing a Hexa-crypted IcedID loader, according to our analysis of the distribution emails. Additionally, Cutwail's involvement in spam campaigns, particularly those related to the old Dyre crew, indicates its continued use for malevolent purposes. The Cutwail malware was highlighted in the 2014 book "Spam Nation" as one of the global malware contagions controlled by cybercriminals operating from Spamdot. Other notable botnets mentioned include Rustock, Mega-D, Festi, Waledac, and Grum. Recently, there has been a push to rebuild the Cutwail botnet, presumably in preparation for future spam runs. This evidence underscores Cutwail's persistent threat in the cybersecurity landscape.
What's your take? (Question 1 of 3)
8c02801d-9648-45df-a61a-0379db0aff7c Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Pushdo
2
Pushdo is a type of malware that has been associated with various cyber attacks and malicious activities. First recognized in 2013, Pushdo was identified as the most widespread "bad bot," infecting over 4.2 million IPs including those of private companies, government agencies, and military networks.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Spam
Botnet
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the Cutwail Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
SecurityIntelligence.com
a year ago
The Trickbot/Conti Crypters: Where Are They Now?
MITRE
a year ago
TrickBot: We Missed you, Dyre
Krebs on Security
5 months ago
Meet Ika & Sal: The Bulletproof Hosting Duo from Hell
CERT-EU
5 months ago
Meet Ika & Sal: The Bulletproof Hosting Duo from Hell
CERT-EU
5 months ago
The Bulletproof Hosting Duo from Hell – Krebs on Security | #cybercrime | #infosec | National Cyber Security Consulting
MITRE
a year ago
Stopping Serial Killer: Catching the Next Strike - Check Point Research
CERT-EU
5 months ago
Meet Ika & Sal: The Bulletproof Hosting Duo from Hell – GIXtools