Cutwail
Cutwail is a prolific spam botnet, also known as Pushdo and Pandex. Open-source reporting describes it as one of the world's most active spam botnets and states that after the Rustock takedown it became the top spam botnet, with M86 Security estimating that versions of Cutwail were responsible for about 22 percent of daily global spam volume.

Its alleged principal developer and renter is identified by the handle "Google." The botnet was used extensively for bulk spam operations and was rented to other spammers, including members of the SpamIt rogue pharmacy affiliate ecosystem. According to the reporting, Google rented Cutwail to SpamIt members and earned substantial revenue both from SpamIt commissions and from renting the botnet. Cutwail's spam engine was known on spam forums as 0bulk Psyche Evolution, and clients were given a web interface, in Russian or English, to create and manage spam campaigns.

The reporting states that Cutwail evolved from pharmacy spam, stock spam, and OEM software spam into a major malware delivery platform. It was used to distribute malicious attachments carrying ZeuS and SpyEye variants, and by 2009 the JabberZeuS crew had hired Cutwail to distribute the malicious emails used in its cyber heists. More recent campaigns described in the reporting used lures involving airline ticket orders, ACH payments, Facebook notifications, scanned documents, and geographically tailored ransomware emails spoofing national law enforcement agencies. The reporting also states that Waledac malware was recently sent from the Cutwail botnet.

The reporting links Cutwail operationally and financially to SpamIt and attributes operation of the botnet to the actor using the alias "Google." It also mentions an associate using the handle "Eagle," described as the technical director in Google's operation.
Targeting
Who is targeted, where, and (when attributed) which state is behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they're from
Attributed origin per open-source reporting.
- RU
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Spam botnet referenced historically in connection with the domain used to distribute malware.
Botnet operator competing to provide spam infrastructure to SpamIt affiliates and rivaled by SPM/Srizbi in the spam software market.
A major spam botnet operation rented to affiliates for large-scale spam campaigns, initially promoting rogue pharmacies and pirated software, and later distributing malware and ransomware-themed malicious spam.
A botnet used to distribute Waledac malware in spam campaigns.