Spam Campaign Abuses PHP Functions for Persistence, Uses Compromised Devices for Evasion and Intrusion
released on 2019-09-05 @ 07:29:16 PM
One of our honeypots detected a spam campaign that uses compromised devices to attack vulnerable web servers. After brute-forcing devices with weak access credentials, the attackers use them as proxies to forward a base64-encoded PHP script to web servers. The script sends an email with an embedded link to a scam site to specific email addresses.