A spam campaign called Brain Food has been feeding email recipients a steady diet of junk messages containing links to pages promoting bogus intelligence-boosting supplements and diet pills. And for the last four months, the PHP-based botnet malware behind the operation has been observed by researchers on more than 5,000 compromised websites using various content management systems and hosting companies.
According to a Proofpoint blog post published late last week, Brain Food is "usually the second step in a chain of redirections" that begins with a goo.gl or bit.ly URL shortener link. Victims are ultimately sent to a landing page that often contains stolen branding and falsely claims the product appeared on Shark Tank.
Proofpoint reports that the PHP script hides from antivirus products, researchers and search engine crawlers using cloaking code, polymorphic code, and obfuscation. "When crawled, the script redirects to the correct page, delays five seconds and redirects to the root of the compromised domain, delays and returns nothing, or redirects to the Unicef website," the blog post states, noting that the botnet's operators actively monitor the script's activity and can switch to new landing pages and blacklist new URLs as needed in order to stay under the radar.
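The cloaking behaviour described above gives a site owner something concrete to test for: the same URL should not behave differently for a search-engine crawler than for a browser. The following Python script is an added example (not Proofpoint's code or the campaign's) that fetches a URL with a browser User-Agent and with a crawler User-Agent, reduces each fetch to one of the behaviours quoted in the post (content, redirect to the site root, empty body, redirect off-site, with the roughly five-second stall noted), and flags the URL when the two differ. The `fetch` callable is injectable, so the demo runs offline on constructed responses for the hostnames `compromised.example`, `landing.example` and `blog.example`, which are placeholders; `http_fetch` is a plain urllib fetcher for live use against your own site.

```python
"""Cloaking check: compare how one URL behaves for a browser vs. a crawler.
Added example; hostnames and responses below are constructed for the demo."""

import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable
from urllib.parse import urlparse

BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0 Safari/537.36")
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


@dataclass
class Observation:
    final_url: str   # URL after all redirects were followed
    status: int
    body: str
    elapsed: float   # seconds from request to complete response


def classify(requested_url: str, obs: Observation) -> str:
    """Map a single fetch onto one of the behaviours the post describes."""
    req, fin = urlparse(requested_url), urlparse(obs.final_url)
    delayed = obs.elapsed >= 4.0   # the script reportedly stalls about five seconds
    if not obs.body.strip():
        return "delayed-empty" if delayed else "empty"
    if fin.netloc.lower() != req.netloc.lower():
        return "offsite-redirect"
    if fin.path.rstrip("/") == "" and req.path.rstrip("/") != "":
        return "delayed-root-redirect" if delayed else "root-redirect"
    return "content"


def detect_cloaking(url: str, fetch: Callable[[str, str], Observation]) -> dict:
    """Fetch as browser and as crawler; cloaked when behaviour or final URL differs."""
    browser = fetch(url, BROWSER_UA)
    crawler = fetch(url, CRAWLER_UA)
    b, c = classify(url, browser), classify(url, crawler)
    return {
        "browser": b, "crawler": c,
        "browser_final": browser.final_url, "crawler_final": crawler.final_url,
        "cloaked": b != c or browser.final_url != crawler.final_url,
    }


def http_fetch(url: str, user_agent: str, timeout: float = 20.0) -> Observation:
    """Live fetcher (urllib follows redirects; HTTP errors are kept as observations)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    start = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return Observation(resp.geturl(), resp.status, body, time.monotonic() - start)
    except urllib.error.HTTPError as err:
        return Observation(err.geturl(), err.code, "", time.monotonic() - start)


def make_fake_fetch(by_ua: dict) -> Callable[[str, str], Observation]:
    """Build an offline fetch() from a {ua_substring: Observation} table (constructed data)."""
    def fetch(url: str, ua: str) -> Observation:
        for key, obs in by_ua.items():
            if key in ua:
                return obs
        raise KeyError(f"no canned response for User-Agent {ua!r}")
    return fetch


# Constructed scenario: a planted script that sends crawlers to the site root
# after a delay, but sends real browsers to the off-site spam landing page.
COMPROMISED_URL = "https://compromised.example/wp-content/uploads/x.php"
CLOAKED_SITE = make_fake_fetch({
    "Googlebot": Observation("https://compromised.example/", 200, "<html>home</html>", 5.2),
    "Chrome": Observation("https://landing.example/shark-tank", 200, "<html>buy pills</html>", 0.3),
})

# Constructed scenario: a healthy page that behaves the same for everyone.
CLEAN_URL = "https://blog.example/post"
CLEAN_SITE = make_fake_fetch({
    "Googlebot": Observation(CLEAN_URL, 200, "<html>post</html>", 0.2),
    "Chrome": Observation(CLEAN_URL, 200, "<html>post</html>", 0.2),
})


if __name__ == "__main__":
    print("planted script:", detect_cloaking(COMPROMISED_URL, CLOAKED_SITE))
    print("clean page:    ", detect_cloaking(CLEAN_URL, CLEAN_SITE))
```

Swap `CLOAKED_SITE` for `http_fetch` to check a real URL you own. A negative result is not conclusive: cloaking scripts commonly key on the requester's IP range as well as the User-Agent, so running the check from a hosting or cloud address may already put you in the "crawler" bucket; a positive result on a page you did not publish is the signal worth acting on.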
Additionally, says Proofpoint, there is a backdoor in the code that enables "remote execution of shell code on web servers which are configured to allow the PHP 'system' command."
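Two defensive checks follow directly from that last point: whether any PHP file in the webroot hands request-controlled or decoded data to a shell-execution function, and whether `system` is actually disabled in php.ini. The following Python script is an added example, not Proofpoint's tooling or the campaign's code; the indicator categories and risk levels are this script's own, and the PHP snippets and php.ini fragments it scans are constructed for the demo.

```python
"""Webroot scan for PHP shell-execution backdoors plus a php.ini hardening check.
Added example; the PHP samples and ini fragments are constructed, not real files."""

import os
import re
import tempfile

# Indicator categories (names are this script's own, not a standard taxonomy).
INDICATORS = {
    "shell_exec": re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I),
    "dynamic_eval": re.compile(r"\b(eval|assert|create_function)\s*\(", re.I),
    "decoder": re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "request_input": re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\s*\["),
}

RISK_ORDER = {"high": 0, "medium": 1, "low": 2}


def scan_source(source: str) -> dict:
    """Return {category: hit_count} for every indicator that matched the source."""
    return {name: len(rx.findall(source)) for name, rx in INDICATORS.items() if rx.search(source)}


def risk_level(hits: dict) -> str:
    """Shell execution or eval fed by request input, or hidden behind a runtime
    decoder, is 'high'; a bare shell/eval call is 'medium'; everything else 'low'."""
    fed_externally = "request_input" in hits or "decoder" in hits
    if ("shell_exec" in hits or "dynamic_eval" in hits) and fed_externally:
        return "high"
    if "shell_exec" in hits or "dynamic_eval" in hits:
        return "medium"
    return "low"


def scan_tree(root: str) -> list:
    """Scan every .php/.phtml file under root; return (path, level, hits), highest risk first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_source(fh.read())
            findings.append((path, risk_level(hits), hits))
    return sorted(findings, key=lambda f: (RISK_ORDER[f[1]], f[0]))


def system_disabled(ini_text: str) -> bool:
    """True if the php.ini text lists 'system' in disable_functions ('; ' starts a comment)."""
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()
        if line.lower().startswith("disable_functions"):
            _key, _sep, value = line.partition("=")
            names = {n.strip().lower() for n in value.split(",") if n.strip()}
            return "system" in names
    return False


# Constructed samples: a planted file that runs a decoded request parameter through
# system(), a file that only calls system() with a fixed argument, and a clean page.
SAMPLE_BACKDOOR = '<?php if (isset($_REQUEST["k"])) { @system(base64_decode($_REQUEST["k"])); } ?>'
SAMPLE_SHELL_ONLY = '<?php system("date"); ?>'
SAMPLE_CLEAN = '<?php echo htmlspecialchars($_GET["q"] ?? ""); ?>'

# Constructed php.ini fragments: the weak default beside a hardened setting.
DEFAULT_INI = "; disable_functions =\ndisable_functions =\n"
HARDENED_INI = "disable_functions = system,exec,shell_exec,passthru,popen,proc_open\n"


def demo() -> list:
    """Write the samples into a temp webroot, scan it, return findings with relative paths."""
    layout = {"uploads/x.php": SAMPLE_BACKDOOR, "cron.php": SAMPLE_SHELL_ONLY, "index.php": SAMPLE_CLEAN}
    with tempfile.TemporaryDirectory() as root:
        for rel, src in layout.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(src)
        return [(os.path.relpath(p, root), level, hits) for p, level, hits in scan_tree(root)]


if __name__ == "__main__":
    for path, level, hits in demo():
        print(f"{level:6s} {path}  {hits}")
    print("default ini disables system:", system_disabled(DEFAULT_INI))
    print("hardened ini disables system:", system_disabled(HARDENED_INI))
```

Point `scan_tree` at a real webroot to triage it; treat "high" hits as files to diff against the CMS's shipped copy rather than as proof on their own, since the patterns also match some legitimate plugins. The `disable_functions` check addresses the condition Proofpoint quotes (servers "configured to allow the PHP 'system' command"): with `system` and its siblings disabled, the backdoor's shell-execution path has nothing to call, although the planted file still needs removing.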