2014-01-19 - RECENT COURT-RELATED ASPROX BOTNET PHISHING EMAILS

ASSOCIATED FILES:

 

NOTES:

What can be said about the Asprox botnet that hasn't already been discussed?

For this blog entry, I'm covering the Asprox court-related emails with ZIP attachments that started on 23 Dec 2013.

Properly implemented spam filtering should catch any Asprox-related attachments; however, you should also monitor what's being blocked.  Criminal operations like this tend to evolve over time.
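As an added illustration of what "properly implemented" filtering has to do (this is not the author's tooling and not code from the original post): a mail gateway cannot stop at the attachment's MIME type or its .zip name. It has to open the archive and look at what is inside, both the member's extension and its actual bytes, because the lure here ships a plain .exe inside a .zip. The message, archive and PE stub below are constructed in code so the script runs offline; the file names are the ones quoted in this post, the sender domain is a placeholder, and the payload is a 128-byte MZ/PE header stub rather than the real sample.

```python
"""Triage ZIP e-mail attachments for executable content (added example)."""
import io
import struct
import zipfile
from email.message import EmailMessage

# Extensions that Windows will execute on double-click; the lures here use .exe.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def scan_zip_attachment(zip_bytes: bytes) -> list:
    """Return one finding string per suspicious member; an empty list means nothing flagged."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["not a valid ZIP (corrupt, or not really an archive)"]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1]).lower() if "." in name else ""
            if info.flag_bits & 0x1:
                # Password-protected member: content cannot be inspected, which is itself a signal.
                findings.append(f"{name}: encrypted member (content not inspectable)")
                continue
            with zf.open(info) as member:
                head = member.read(0x400)  # MZ header plus e_lfanew target fit here for real PEs
            if ext in EXEC_EXTENSIONS:
                findings.append(f"{name}: executable extension {ext}")
            if looks_like_pe(head) and ext not in EXEC_EXTENSIONS:
                findings.append(f"{name}: PE header behind non-executable extension {ext or '(none)'}")
            elif looks_like_pe(head):
                findings.append(f"{name}: PE header confirmed")
    return findings


def triage_message(msg: EmailMessage) -> dict:
    """Map each ZIP attachment's filename to its findings (empty list = clean)."""
    results = {}
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if part.get_content_type() == "application/zip" or fname.lower().endswith(".zip"):
            results[fname] = scan_zip_attachment(part.get_content())
    return results


def fake_pe_stub() -> bytes:
    """Constructed stand-in for a PE file: MZ header, e_lfanew = 0x40, 'PE\\0\\0' at 0x40."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + b"\0" * 60


def build_sample_zip(members: dict = None) -> bytes:
    """Constructed archive; default member mirrors the Wednesday lure's extracted file name."""
    if members is None:
        members = {"Court_Notice_New_York_15_01_2014_copy.exe": fake_pe_stub()}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_message() -> EmailMessage:
    """Constructed phishing-style message; sender domain is a placeholder, not the spoofed firm."""
    msg = EmailMessage()
    msg["From"] = "Notice to Appear <service.489@example.com>"
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Notice to appear in court N#1019-846"
    msg.set_content("The copy of the court notice is attached to this letter.")
    msg.add_attachment(build_sample_zip(), maintype="application", subtype="zip",
                       filename="Court_Notice_NY_15_01_2014_Copy_514.zip")
    return msg


if __name__ == "__main__":
    for attachment, findings in triage_message(build_sample_message()).items():
        print(attachment, "->", findings or "clean")
```

The two checks are deliberately independent: the extension test catches the common case cheaply, and the header test catches an executable renamed to .pdf or .doc inside the archive. An encrypted member is reported rather than skipped silently, since a gateway that cannot see inside an attachment should not treat it as clean.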

Let's review two samples from this past week...

 

WEDNESDAY  2014-01-15

Date:  2014-01-15
Spoofed email sender ends with:  @gtlaw.com
Subject lines start with:

EMAIL EXAMPLE:

From: Notice to Appear <service.489@gtlaw.com>
Date: Wednesday, January 15, 2014 1:54 PM CST
Subject: Notice to appear in court N#1019-846

Notice to Appear,

Hereby you are notified that you have been scheduled to appear for your hearing that
will take place in the court of New York in January 21, 2014 at 10:00 am.

Please bring all documents and witnesses relating to this case with you to Court on your hearing date.
The copy of the court notice is attached to this letter.
Please, read it thoroughly.

Note: If you do not attend the hearing the judge may hear the case in your absence.

Yours truly,
Donna Mason
Clerk to the Court.

Attachment: Court_Notice_NY_15_01_2014_Copy_514.zip (200.2 KB)

 

MALWARE:

Extracted executable file name:  Court_Notice_New_York_15_01_2014_copy.exe
File size:  236.5 KB ( 242176 bytes )
MD5 hash:  9f4cebaf343cd94b1e45cbb902a16d1f
Detection ratio:  34 / 48
First submission:  2014-01-15 16:25:16 GMT
VirusTotal link: https://www.virustotal.com/en/file/b947f0ec017c0565aaf3203ba0fcea66957ea908bb10feecc66050275e9db97b/analysis/
Malwr analysis:  https://malwr.com/analysis/ZmIzYjQ0YzE0ZmZiNGNlZmI3NThjNzVjMmNjNDg1NDM/

 

FRIDAY  2014-01-17

Date:  2014-01-17
Spoofed email sender ends with:  @cgsh.com
Subject lines start with:

EMAIL EXAMPLE:

From: Court hearing notice <support.4@cgsh.com>
Date: Friday, January 17, 2014 4:18 PM CST
Subject: Pretrial notice No8516

Court hearing notice.

As a defendant you have been scheduled
to attend the hearing in the Court of New York.
Hearing date: 28 January 2014
Hearing time: 9:00 a.m.

Hearing subject: illegal use of software.
Prior to the court thoroughly study the plaint note in the attachment to this mail.


Sincerely,
Court agent,
Lily Smith

Attachment: Plaint_Note_US_Copy_N0213.zip (201.4 KB)

 

MALWARE:

Extracted file name:  Plaint_Note_17_01_2014US_Copy_Document.exe
File size:  236.5 KB ( 242176 bytes )
MD5 hash:  960a0b9ef72c33a0df913564c99f07ec
Detection ratio:  29 / 48
First submission:  2014-01-17 20:47:57 GMT
VirusTotal link: https://www.virustotal.com/en/file/42f7ae44c8017ba46536593a659aa8262ccd95a4424ea1e798e63530b697bb7f/analysis/
Malwr analysis:  https://malwr.com/analysis/NzEyOTk4NjkyNzE2NGVkMWJlYTI3YzBmNDAwM2EwM2M/

 

TRAFFIC FROM AN INFECTED HOST

I took the malware from Friday the 17th and executed it on a physical host.  The physical host was running an unpatched version of Windows 7 SP 1.  After a few minutes, I saw 3 suspicious artifacts from the traffic:

 

With Security Onion monitoring the infected physical host, the following alerts triggered in Sguil:

The first event is just a notification for a new asset on the network.  It shows Firefox 25; however, the physical host infected with this malware does not have Firefox installed.  That's the Asprox malware speaking.

The second event is an EmergingThreats signature covering callback traffic from this Asprox malware.

The last three events were caused by a fake Java update downloaded by the infected host.

 

MALWARE-RELATED TRAFFIC SEEN ON THE PHYSICAL HOST:

I also noted this in the traffic, which might be related:

ASSOCIATED DOMAINS:

 

First suspicious HTTP request--possibly a malware binary:

 

Second suspicious HTTP request--returned malware binary that showed up as a fake Java update:

 

Third suspicious HTTP request--probably a malware binary:

 

DROPPED FILES

The PCAP shows an executable being sent as exe.exe (see the image above for the second suspicious HTTP request), and on the physical host, it showed up as a fake Java update and asked if you wanted to execute the program.  Here's the summary for that piece of malware:

File names:  Java_Update_139b0409.exe
File size:  154.8 KB ( 158521 bytes )
MD5 hash:  19985476c30f7d00d47abf2569bd6229
Detection ratio:  1 / 48
First submission:  2014-01-19 15:11:10 GMT
VirusTotal link: https://www.virustotal.com/en/file/83b4095113e74ddd40c129d87415a240157b0d0f888e8df156d955c0f1713d80/analysis/
Malwr analysis:  https://malwr.com/analysis/M2IyYmMzMTdiNWQ3NGUxZjkwMGVjZDY0ZGY5OWZlOTc/
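The network side of that download is worth pinning down in code, since the host renamed the payload to a Java update but the wire carried a plain PE. The following is an added example, not the author's tooling and not a replay of the captured traffic: it parses a raw HTTP response (Content-Length or chunked), pulls the declared Content-Type and Content-Disposition filename, and checks whether the body actually starts with an MZ/PE header. The response bytes, the exe.exe filename header, the server banner and the 128-byte PE stub are all constructed here for the demo.

```python
"""Flag HTTP responses that deliver a Windows executable, whatever the server calls it (added example)."""
import struct

# Content types under which an EXE download is at least honestly labelled.
EXEC_CONTENT_TYPES = {"application/x-msdownload", "application/x-msdos-program",
                      "application/octet-stream", "application/exe"}


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def parse_http_response(raw: bytes):
    """Split a raw response into (status_code, headers, body); header names are lowercased."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = b""
        while True:
            size_line, _, rest = rest.partition(b"\r\n")
            size = int(size_line.split(b";")[0], 16)  # ignore chunk extensions
            if size == 0:
                break
            body += rest[:size]
            rest = rest[size + 2:]  # step over chunk data and its trailing CRLF
    else:
        length = int(headers.get("content-length", len(rest)))
        body = rest[:length]
    return status, headers, body


def classify_download(raw: bytes, request_line: str) -> dict:
    """Summarise a suspected binary download the way an analyst would log it."""
    status, headers, body = parse_http_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    filename = ""
    for piece in headers.get("content-disposition", "").split(";"):
        piece = piece.strip()
        if piece.lower().startswith("filename="):
            filename = piece.split("=", 1)[1].strip('"')
    is_pe = looks_like_pe(body)
    return {
        "request": request_line,
        "status": status,
        "content_type": ctype,
        "filename": filename,
        "body_is_pe": is_pe,
        # A PE served as text/html or image/* is a stronger signal than the filename.
        "mismatch": is_pe and ctype not in EXEC_CONTENT_TYPES,
        "body_len": len(body),
    }


def fake_pe_stub() -> bytes:
    """Constructed stand-in for a PE file: MZ header, e_lfanew = 0x40, 'PE\\0\\0' at 0x40."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + b"\0" * 60


def sample_response(content_type: bytes = b"application/octet-stream") -> bytes:
    """Constructed chunked response carrying the PE stub under the name exe.exe."""
    body = fake_pe_stub()
    head = b"\r\n".join([
        b"HTTP/1.1 200 OK",
        b"Server: nginx",
        b"Content-Type: " + content_type,
        b'Content-Disposition: attachment; filename="exe.exe"',
        b"Transfer-Encoding: chunked",
        b"", b"",
    ])
    return head + b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)


if __name__ == "__main__":
    print(classify_download(sample_response(), "GET /exe.exe HTTP/1.1"))
    print(classify_download(sample_response(b"image/jpeg"), "GET /img.jpg HTTP/1.1"))
```

Keying the verdict on the body bytes rather than the URL or filename is the point: the same check fires whether the server calls the file exe.exe, a .jpg, or nothing at all, and the Content-Type mismatch field gives a cheap second signal when it does.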

 

I also noticed two dropped EXE files on the infected host:

File name:  eetbgffs.exe
File size:  79.8 KB ( 81721 bytes )
MD5 hash:  7940e3f197d448cf86ff7ccd6ac7c509
Detection ratio:  8 / 48
First submission:  2014-01-19 18:16:37 GMT
VirusTotal link: https://www.virustotal.com/en/file/2625676a0b33b5e6798763d7cab0317b180f168b25faf522f3bc01e87476df4e/analysis/
Malwr analysis:  https://malwr.com/analysis/OTdlNTQ5YWFjYzEzNDFkYTliMmFlYzJhNzYxZjliNTU/

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
