Proofpoint specialists have discovered that the Brain Food spam botnet is using over 5,000 compromised websites to redirect users to pages promoting diets and intelligence-enhancing pills.
The botnet, or rather the malicious campaigns associated with it, was first noticed back in March 2017, but only now have Proofpoint specialists revealed the full picture of what is happening.
Researchers say that Brain Food operators compromise sites running various CMSes, including WordPress and Joomla. At the same time, the experts do not believe that the attackers exploit any specific vulnerabilities in the content management systems.
On the hacked sites, the attackers leave behind a polymorphic, obfuscated PHP script wrapped in several layers of base64 encoding. In addition, it is protected from Google indexing. On request from the botnet operators, this script can execute any command, in essence making it a full-fledged backdoor. However, its main purpose is to redirect users to specific pages as part of spam campaigns.
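One defensive way to triage PHP files of this kind, as an added example that is not from Proofpoint's report: a Python scanner that peels nested base64_decode() layers and flags the behaviours described above (eval, redirects, search-engine hiding, parameter-driven logic). The sample it runs on is constructed here, and the indicator names and the `suspicious` rule are heuristics of my own, not Proofpoint's.

```python
import base64
import re

# A base64_decode("...") call wrapping a quoted base64 literal: one obfuscation layer.
B64_CALL = re.compile(r"""base64_decode\(\s*['"]([A-Za-z0-9+/=\s]+)['"]\s*\)""")

# Behaviours worth flagging once the PHP is unwrapped (heuristic indicator set).
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "redirect": re.compile(r"""header\s*\(\s*['"]Location:""", re.I),
    "noindex": re.compile(r"noindex|X-Robots-Tag", re.I),
    "request_param": re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b"),
}

def peel_base64_layers(php_source, max_layers=10):
    """Replace each base64_decode("...") literal with its decoded content so the
    next layer becomes visible. Returns (unwrapped_source, layers_removed)."""
    current, layers = php_source, 0
    while layers < max_layers:
        match = B64_CALL.search(current)
        if not match:
            break
        blob = re.sub(r"\s+", "", match.group(1))
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            break  # not a genuine base64 layer; stop rather than guess
        current = current[:match.start()] + decoded + current[match.end():]
        layers += 1
    return current, layers

def scan_php(php_source):
    """Unwrap a PHP file and report decoding depth plus matched indicators."""
    decoded, layers = peel_base64_layers(php_source)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(decoded))
    return {"layers": layers, "indicators": hits,
            "suspicious": layers >= 2 and "eval" in hits}

# Constructed sample only: a harmless redirect stub standing in for the real script.
SAMPLE_PAYLOAD = ('header("X-Robots-Tag: noindex"); '
                  'header("Location: http://example.invalid/?c=" . $_GET["c"]);')

def build_constructed_sample(payload, depth):
    """Wrap `payload` in `depth` eval(base64_decode(...)) layers for testing."""
    src = payload
    for _ in range(depth):
        encoded = base64.b64encode(src.encode("utf-8")).decode("ascii")
        src = f'eval(base64_decode("{encoded}"));'
    return "<?php " + src
```

Running `scan_php(build_constructed_sample(SAMPLE_PAYLOAD, 3))` reports three layers removed and all four indicators, while a single legitimate base64_decode() call with no eval is not flagged.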
Brain Food operators send spam emails containing shortened links that point to the PHP scripts on the hacked sites. If the victim clicks on such a link, the script redirects them to another compromised site where the attackers have posted web pages promoting intelligence pills (usually under fake branding) or various diets.
Proofpoint experts write that the scripts can receive new redirect addresses from the Brain Food operators, depending on which spam campaign is currently active. In addition, the scripts collect click statistics for each of the attackers' campaigns.
Researchers have found the infection on more than 5,000 sites, mostly hosted in the GoDaddy network. Over 2,400 of these resources are reported to have been active in the past week.