Narwhal Spider
Description
(CrowdStrike) CrowdStrike Falcon Intelligence has observed a new Cutwail spam campaign from NARWHAL SPIDER on 24 October 2018. NARWHAL SPIDER is the adversary name designated by Falcon Intelligence for the criminal operator of Cutwail version 2. NARWHAL SPIDER primarily provides spam services with a large customer base that has included malware operators such as Wizard Spider, Gold Blackburn (developer of TrickBot), affiliates of BAMBOO SPIDER (developer of Panda Zeus), and many others including URLZone, Nymaim and Gozi ISFB. The targets and payloads delivered through Cutwail spam campaigns are determined by the customers of NARWHAL SPIDER.
Cutwail has been observed distributing Dyre (Wizard Spider, Gold Blackburn), Zeus Panda (Bamboo Spider, TA544) and much of the malware from TA505 (Graceful Spider, Gold Evergreen).
Names
| Name | Name-Giver |
|---|---|
| Narwhal Spider | CrowdStrike |
| Gold Essex | SecureWorks |
| Storm-0302 | Microsoft |
Country
Motivation
- Financial gain
First Seen
2007
Observed Countries
Tools
Operations
- 2011-08: Cutwail botnet resurfaces in major Facebook scam-paign https://www.infosecurity-magazine.com/news/cutwail-botnet-resurfaces-in-major-facebook-scam/
- 2013-10: Without the Blackhole exploit kit around to inject malware such as the Zeus Trojan, keepers of the Cutwail spam bot have been forced to resort to some old-school methods of sending malware such as direct email attachments. https://threatpost.com/cutwail-botnet-feeling-effects-of-blackhole-takedown/103228/ https://www.secureworks.com/blog/cutwail-spam-swapping-blackhole-for-magnitude-exploit-kit
- 2018-10: The Japanese-language spam campaign uses a mixture of malicious PowerShell (PS) and steganography — a method of sending data in a concealed format — to distribute the eCrime malware family URLZone (a.k.a. Bebloh). https://www.crowdstrike.com/blog/cutwail-spam-campaign-uses-steganography-to-distribute-urlzone/
Counter Operations
- 2010-08: Security researchers have dealt a mighty blow to a spam botnet known as Pushdo, a massive grouping of hacked PCs that until recently was responsible for sending more than 10 percent of all junk e-mail worldwide. https://krebsonsecurity.com/2010/08/researchers-kneecap-pushdo-spam-botnet/
Information
- https://blog.malwaremustdie.org/2013/05/a-story-of-spambot-trojan-via-fake.html
- https://blog.avast.com/2013/06/25/15507/
- https://en.wikipedia.org/wiki/Cutwail_botnet
Other Information
Uuid
2b42c978-bc85-4aff-910d-b72e077b330f
Last Card Change
2025-06-28