When Hackers Leak Data: Trik Spam Botnet, 2018

📅 May 20, 2021

⏱️2 min read

In June 2018, a threat intelligence analyst at Vertek Corporation found a list of roughly 43 million email addresses sitting on a server used by the Trik spam botnet.

A botnet is a network of malware-infected computers ("zombies") that an attacker controls remotely. In this instance the machines were infected with the Trik trojan, which has been linked to bank account takeovers and to numerous malware campaigns. What matters here is its role as a downloader: once Trik is on a machine, the operators can push any additional malware they like onto it.

Vertek was researching a campaign in which computers already infected with Trik were then loaded with the GandCrab 3 ransomware.

Victims saw a ransom note saying their files had been encrypted and demanding $2,200 in cryptocurrency for the decryption key. If they did not pay within a few days, the price doubled.

The infected machines were fetching their payloads from a server at a Russian IP address, and that server was left open: its contents could be browsed by anyone who visited the address, not just by the bots. That open listing is how the Vertek researcher found the email list sitting alongside the malware.

The analyst's assessment was that the Trik operators were working for hire: other cybercriminals contracted them to push malware, and the 43 million addresses were the target list for those campaigns.

Curiously, most of the addresses belong to older providers such as AOL, MSN and Yahoo, and Gmail addresses are conspicuously rare. Either the operators were deliberately targeting users of older email services, or the list is only one slice of a larger dataset; the data alone does not settle which.

Where did the data come from? To find out, Vertek passed the list to Troy Hunt of HaveIBeenPwned, who compared it against previously catalogued breaches. About 90% of the addresses were already known from earlier leaks; roughly 10% (about 4 million) had never been recorded before.

If you know someone who still uses an old email account, do them the favour of running the address through HaveIBeenPwned to see whether it appears in the Trik Spam Botnet list. Bear in mind what a hit means: the list contains addresses only, so being on it means the address was a target for the spam campaigns, not that the person's computer was infected. Think of older relatives and friends. Let's help protect each other.
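One way to run that check programmatically, as an added example rather than code from the original post: it calls the Have I Been Pwned v3 breachedaccount endpoint (which requires an API key in the `hibp-api-key` header and a `user-agent` header), treats a 404 as "not in any breach", refuses to mistake a rate-limit response for a clean result, and tallies the addresses by provider, which is the kind of check that revealed the AOL/MSN/Yahoo skew described above. The API key placeholder, the sample breach record, the "hit" addresses and the offline opener that answers in place of the real service are all constructed for this example.

```python
"""Check email addresses against the Have I Been Pwned v3 API.

Added example; not code from the original post. Assumes the documented v3
endpoint GET /api/v3/breachedaccount/{account}, which needs an API key in the
`hibp-api-key` header and a `user-agent` header. The sample response and the
offline opener below are constructed for demonstration.
"""
import io
import json
import urllib.error
import urllib.parse
import urllib.request
from collections import Counter

HIBP_ENDPOINT = "https://haveibeenpwned.com/api/v3/breachedaccount/"


def normalize_email(address: str) -> str:
    """Trim and lower-case an address so lookups and logs are consistent."""
    addr = address.strip().lower()
    local, sep, domain = addr.partition("@")
    if not (local and sep and domain):
        raise ValueError(f"not an email address: {address!r}")
    return addr


def build_request(address: str, api_key: str,
                  user_agent: str = "breach-check-example/1.0") -> urllib.request.Request:
    """Build the HIBP v3 request; the account is percent-encoded into the path."""
    account = urllib.parse.quote(normalize_email(address), safe="")
    url = f"{HIBP_ENDPOINT}{account}?truncateResponse=false"
    return urllib.request.Request(url, headers={"hibp-api-key": api_key,
                                                "user-agent": user_agent})


def breaches_for(address: str, api_key: str, opener=urllib.request.urlopen) -> list:
    """Return the breach records HIBP holds for an address.

    404 means "not found in any breach" and is mapped to [].  429 means the
    key's rate limit was hit; surface it rather than report the address clean.
    """
    request = build_request(address, api_key)
    try:
        with opener(request) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return []
        if err.code == 429:
            wait = err.headers.get("retry-after", "?")
            raise RuntimeError(f"HIBP rate limit hit; retry after {wait}s") from err
        raise


def summarize(breaches: list) -> list:
    """Reduce full breach records to (name, breach date, is_spam_list) tuples."""
    return [(b["Name"], b["BreachDate"], bool(b.get("IsSpamList", False)))
            for b in breaches]


def domain_breakdown(addresses) -> Counter:
    """Tally addresses per mail provider (the check behind the AOL/Yahoo skew)."""
    return Counter(normalize_email(a).rsplit("@", 1)[1] for a in addresses)


# --- Constructed sample data so the example runs without network access ------

# Field names follow the v3 breach model; the values are illustrative only.
SAMPLE_RESPONSE = [
    {"Name": "TrikSpamBotnet", "Title": "Trik Spam Botnet", "Domain": "",
     "BreachDate": "2018-06-07", "PwnCount": 43430000,
     "DataClasses": ["Email addresses"], "IsVerified": True, "IsSpamList": True},
]

IN_LIST = {"old-relative@aol.com", "cousin@yahoo.com"}  # constructed "hits"


def offline_opener(request: urllib.request.Request):
    """Stand-in for urllib.request.urlopen that answers from SAMPLE_RESPONSE."""
    path = urllib.parse.urlsplit(request.full_url).path
    account = urllib.parse.unquote(path.rsplit("/", 1)[1])
    if account in IN_LIST:
        return io.BytesIO(json.dumps(SAMPLE_RESPONSE).encode("utf-8"))
    raise urllib.error.HTTPError(request.full_url, 404, "Not Found", {}, None)


if __name__ == "__main__":
    to_check = ["Old-Relative@AOL.com", "friend@gmail.com", "cousin@yahoo.com"]
    print("provider breakdown:", dict(domain_breakdown(to_check)))
    for addr in to_check:
        # "<your-key>" is a placeholder; the offline opener never sends it anywhere.
        hits = summarize(breaches_for(addr, api_key="<your-key>", opener=offline_opener))
        print(f"{addr:24s} -> {hits or 'not in any known breach'}")
```

To query the live service, drop the `opener=offline_opener` argument so the default `urllib.request.urlopen` is used, and supply a real key. The 429 handling matters in practice: a batch script that swallows rate-limit errors will quietly report every address after the limit as clean.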