Over 43 million email addresses have leaked from the command and control server of a spam botnet, a security researcher has told Bleeping Computer today.
The leaky server came to light while a threat intelligence analyst from Vertek Corporation, was looking into a recent malware campaign distributing a version of the Trik trojan, which was later infecting users with a second-stage payload —the GandCrab 3 ransomware.
The Vertek researcher discovered that Trik and GandCrab would download the malicious files that infected users' systems from an online server located on a Russian IP address.
The researcher told Bleeping Computer that the group behind this operation misconfigured its server and left its content accessible to anyone accessing the IP directly.
On this server, he discovered 2201 text files, labeled sequentially from 1.txt to 2201.txt containing chunks of roughly 20,000 email addresses, each.
The Vertek researcher believes the operators of this server have been using these recipient lists to service other crooks who contracted their services to distribute various malware strains via malspam campaigns.
"We pulled all of them to validate that they are unique and legitimate," the researcher told Bleeping Computer earlier today. "Out of 44,020,000 potential addresses, 43,555,741 are unique."
The researcher is now working with Australian security expert Troy Hunt, the owner of the Have I Been Pwned service, to determine how many of these emails are new and how many have been previously leaked in other data dumps.
"The email addresses are from everywhere," the researcher told us. " There were 4.6 million unique email domains. Everything from .gov to .com, and domain of several private businesses."
The Vertek researcher has analyzed the files and broke down the email addresses per domain. In a list the researcher shared with us earlier today (embedded at the bottom of this article), he points out that the vast majority of email addresses are old, from antiquated email services such as Yahoo (10.6 million) and AOL (8.3 million).
Surprisingly, while there are many custom email domains included in the leak, there are very few Gmail addresses included, suggesting the email addresses database is either incomplete, or this malware campaign intentionally targeted users using older email services.
The Trik trojan is a classic malware downloader. It infects computers and assembles them into a giant botnet. The botnet's operators use these computers to send out new spam campaigns, or they sell "install space" to other crooks, allowing them to deliver more pontent threats to Trik victims, similarly to how they rented install space to the GandCrab crew for the campaign Vertek stumbled on.
The Trik trojan has been an active threat for at least a decade but has recently seen a resurgence, according to this Proofpoint report.
In its earlier days, the malware operated primarily as a worm that self-spread via removable USB storage devices, Skype, or Windows Live Messenger chats. These worm-based variants had previously been tracked under the name of Phorpiex.
The malware evolved into a fully-fledged trojan years later, when it forked the codebase of the SDBot trojan and started using email spam as its main delivery & infection mechanism, while also switching to an IRC-controlled botnet architecture.
Trik is not the first spam botnet to leak its email addresses database. In August 2017, a spam operation known as Onliner leaked 711 million email addresses that it was using to spam users.
At the time of writing, the Trik C&C server that's leaking email addresses keeps going offline at intermittent intervals.
Top 100 email domains included in the leaked data: