PCPJack Hijacks Cloud Servers for Secret SMTP Relay Network, Threatens Email Integrity

PCPJack Exploits Cloud Servers to Build Covert SMTP Relay Network

In a sophisticated cyber intrusion, the threat actor known as PCPJack has commandeered cloud servers from major providers—including Amazon Web Services (AWS), Google Cloud, and Microsoft Azure—to establish a clandestine SMTP email relay network. This operation has transformed compromised servers across the United States, Europe, and Asia into unauthorized email proxies, facilitating potentially malicious activities.

Hunt.io, a threat intelligence firm, uncovered this extensive network after identifying two unsecured directories on a command-and-control (C2) server (IP address: 213.136.80[.]73). These directories contained a wealth of information, including source code, compiled binaries, deployment logs, internet scanning tools, exploitation scripts, and an active configuration for Sliver—a known adversary simulation framework.

The discovery of these open directories provided a rare glimpse into the operational mechanics of PCPJack. The threat actor’s toolkit was found to include the Sliver-integrated SMTP proxy deployment framework, along with Chisel tunneling and proxy binaries compatible with various Linux architectures such as AMD64, ARM64, and x86. On compromised systems, these binaries were discreetly installed as hidden files (e.g., /var/tmp/.xs) to evade detection.

Deployment scripts within the directories were designed to load the Sliver C2 client configuration and filter for Linux beacons—malicious implants that periodically communicate with the C2 server. Each beacon was assigned a SOCKS5 proxy port, determined by an MD5 hash of its unique Sliver identifier, ensuring consistent port assignments across sessions. This method streamlined the management of multiple proxies without the need for a centralized port registry.

An initial quality control measure was implemented to verify each compromised host’s ability to relay emails by testing outbound connections to smtp.gmail[.]com:587. Hosts failing this test were excluded from the proxy network. However, subsequent versions of the deployment scripts removed this verification step and the batching logic, indicating an evolution in the threat actor’s tactics.

Further analysis revealed a diagnostic script that selected active beacons to execute commands checking for:

– Presence of Chisel binaries at known locations
– Active Chisel processes
– Available disk space
– Connectivity to port 9000 on the C2 server
– Existence of persistence mechanisms, such as cron jobs or systemd services

Additionally, the C2 server operated a Python script named chisel_verifier.py, running continuously to monitor active Chisel tunnel ports. Every 60 seconds, it enumerated these ports, tested each for SMTP functionality, and removed any non-functional or dropped tunnels from the active pool. Verified proxies were enriched with data such as exit IP address, country, and Autonomous System Number (ASN) using services like api.ipify[.]org and ip-api[.]com. The updated proxy lists were synchronized every five minutes via Secure Copy Protocol (SCP) to a downstream server at 38.242.204[.].
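The relay test against smtp.gmail[.]com:587, the port-9000 check against the C2 server and the Chisel tunnel pool described above give a defender two network-side signals to hunt for. As an added example (not code from Hunt.io, the report or the PCPJack toolkit), the following Python flags hosts in VPC-style flow logs that fan outbound connections across SMTP/submission ports or reach the tunnel port on a watch-listed address. The flow-log records, the 10.0.1.0/24 source hosts and the 203.0.113.0/24 destinations are constructed; 213.136.80.73 is the C2 address named in the report.

```python
"""Flag hosts in VPC-style flow logs that behave like covert SMTP relays."""
from collections import defaultdict
from typing import Dict, Iterable, Optional

MAIL_PORTS = {25, 465, 587}  # SMTP, SMTPS, submission (the report's smtp.gmail.com:587 test)
TUNNEL_PORT = 9000           # port the diagnostic script checked on the C2 server

# Constructed AWS VPC flow-log records (version 2, default 14-field layout).
# Sources are private test hosts, destinations use the 203.0.113.0/24 documentation
# range, and 213.136.80.73 is the C2 address named in the report.
SAMPLE_FLOW_LOG = """\
2 111122223333 eni-0a1b2c3d 10.0.1.12 203.0.113.10 44312 587 6 12 2048 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.12 203.0.113.11 44313 587 6 9 1720 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.12 203.0.113.12 44314 25 6 7 1400 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.12 213.136.80.73 50110 9000 6 30 6000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0e5f6a7b 10.0.1.20 203.0.113.50 51000 443 6 40 9000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0c9d8e7f 10.0.1.30 203.0.113.13 52000 587 6 3 600 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0c9d8e7f 10.0.1.30 203.0.113.14 52001 587 6 3 600 1700000000 1700000060 REJECT OK
"""

def parse_flow_line(line: str) -> Optional[dict]:
    """Parse one version-2 record; return None for header or malformed lines."""
    f = line.split()
    if len(f) < 14 or f[0] != "2":
        return None
    return {"src": f[3], "dst": f[4], "dstport": int(f[6]), "action": f[12]}

def find_relay_candidates(lines: Iterable[str], c2_ips: Iterable[str],
                          known_mail_hosts: Iterable[str] = (),
                          min_mail_destinations: int = 3) -> Dict[str, dict]:
    """Return {src_ip: {"mail_destinations": [...], "c2_contact": ip_or_None}}."""
    c2_ips, known = set(c2_ips), set(known_mail_hosts)
    mail_dests: Dict[str, set] = defaultdict(set)
    c2_contact: Dict[str, str] = {}
    for line in lines:
        rec = parse_flow_line(line)
        # Only accepted flows count, and sanctioned MTAs are allow-listed by source IP.
        if rec is None or rec["action"] != "ACCEPT" or rec["src"] in known:
            continue
        if rec["dstport"] in MAIL_PORTS:
            mail_dests[rec["src"]].add(rec["dst"])
        elif rec["dstport"] == TUNNEL_PORT and rec["dst"] in c2_ips:
            c2_contact[rec["src"]] = rec["dst"]
    findings: Dict[str, dict] = {}
    for host in set(mail_dests) | set(c2_contact):
        dests = sorted(mail_dests.get(host, ()))
        if len(dests) >= min_mail_destinations or host in c2_contact:
            findings[host] = {"mail_destinations": dests,
                              "c2_contact": c2_contact.get(host)}
    return findings
```

In a real deployment `known_mail_hosts` holds the organisation's sanctioned outbound MTAs and `min_mail_destinations` is set from a baseline of normal traffic, since a legitimate mail server will otherwise trip the fan-out rule.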

The implications of this covert SMTP relay network are significant. By routing mail through compromised cloud servers, PCPJack can send spam, phishing emails, or other malicious communications while concealing the true origin of the messages. This not only undermines the integrity of the affected cloud services but also poses substantial risks to recipients, who may be more inclined to trust mail that appears to come from the address space of reputable cloud providers.

This incident underscores the critical importance of robust security practices in cloud environments. Organizations must implement stringent access controls, regularly audit their systems for vulnerabilities, and ensure that all directories and services are properly secured to prevent unauthorized access. Additionally, monitoring for unusual network activity can help detect and mitigate such intrusions before they escalate.

As cyber threats continue to evolve, staying vigilant and proactive in securing cloud infrastructure is paramount. The PCPJack operation serves as a stark reminder of the sophisticated methods employed by threat actors to exploit misconfigurations and vulnerabilities in cloud environments for malicious purposes.