
Threat Group Cards: A Threat Actor Encyclopedia

Other threat group: Narwhal Spider

Names: Narwhal Spider (CrowdStrike)
Country: [Unknown]
Motivation: Financial gain
First seen: 2007
Description: (CrowdStrike) CrowdStrike Falcon Intelligence has observed a new Cutwail spam campaign from NARWHAL SPIDER on 24 October 2018. NARWHAL SPIDER is the adversary name designated by Falcon Intelligence for the criminal operator of Cutwail version 2. NARWHAL SPIDER primarily provides spam services with a large customer base that has included malware operators such as Wizard Spider, Gold Blackburn (developer of TrickBot), affiliates of BAMBOO SPIDER (developer of Panda Zeus), and many others including URLZone, Nymaim and Gozi ISFB. The targets and payloads delivered through Cutwail spam campaigns are determined by the customers of NARWHAL SPIDER.

Cutwail has also been observed distributing Dyre (Wizard Spider, a.k.a. Gold Blackburn), Zeus Panda (Bamboo Spider, TA544) and much of the malware from TA505 (a.k.a. Graceful Spider, Gold Evergreen).
Observed: Countries: Worldwide.
Tools used: Cutwail.
Operations performed:
Aug 2011: Cutwail botnet resurfaces in major Facebook scam-paign
<https://www.infosecurity-magazine.com/news/cutwail-botnet-resurfaces-in-major-facebook-scam/>
Oct 2013: Without the Blackhole exploit kit around to inject malware such as the Zeus Trojan, keepers of the Cutwail spam bot have been forced to resort to some old-school methods of sending malware such as direct email attachments.
<https://threatpost.com/cutwail-botnet-feeling-effects-of-blackhole-takedown/103228/>
<https://www.secureworks.com/blog/cutwail-spam-swapping-blackhole-for-magnitude-exploit-kit>
Oct 2018: The Japanese-language spam campaign uses a mixture of malicious PowerShell (PS) and steganography (a method of sending data in a concealed format) to distribute the eCrime malware family URLZone (a.k.a. Bebloh).
<https://www.crowdstrike.com/blog/cutwail-spam-campaign-uses-steganography-to-distribute-urlzone/>
Counter operations:
Aug 2010: Security researchers have dealt a mighty blow to a spam botnet known as Pushdo, a massive grouping of hacked PCs that until recently was responsible for sending more than 10 percent of all junk e-mail worldwide.
<https://krebsonsecurity.com/2010/08/researchers-kneecap-pushdo-spam-botnet/>
Information:
<https://blog.malwaremustdie.org/2013/05/a-story-of-spambot-trojan-via-fake.html>
<https://blog.avast.com/2013/06/25/15507/>
<https://en.wikipedia.org/wiki/Cutwail_botnet>

Last change to this card: 15 May 2020


Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
