2014-12-11 - ASPROX BOTNET PHISHING CAMPAIGN - SUBJECT: FACEBOOK PASSWORD CHANGE

ASSOCIATED FILES:

 

NOTES:

 

EXAMPLE OF THE EMAILS

SCREENSHOT:

 

MESSAGE TEXT:

Subject: Facebook password change
Date: Thu, 11 Dec 2014 12:43:19 UTC
From: Facebook <notification@gruasorion.com>
Reply-To: Facebook <notification@gruasorion.com>
To:

Facebook

Hi,

Your Facebook password was been reset on Thursday, December 11, 2014 at 12:42PM (UTC) due to suspicious activity of your account.

Operating system:  Windows
Browser:  Google Chrome
IP address:  [omitted]
Estimated location:  Proctor, OK, US

To restore the password complete this form please, your request will be considered within 24 hours.
Thanks,
The Facebook Security Team

Facebook, Inc., Attention: Department 425, PO Box 10005, Palo Alto, CA 94303

NOTE:  From what I can tell, Asprox uses random values for the OS, browser, IP, and estimated location.  I omitted the IP address above, because some people scrape these blog entries for malicious IP addresses.

 

VM INFECTION TRAFFIC

DOWNLOADING THE ASPROX ZIP FILE:

 

EXECUTING THE EXTRACTED MALWARE IN A VM:

 

CLICK FRAUD TRAFFIC FROM THE INFECTED VM BEGINS:

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion using Suricata (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not including preprocessor rules):

 

PRELIMINARY MALWARE ANALYSIS

DOWNLOADED ZIP FILE:

File name:  FB_Password_Reset_Form.zip
File size:  89.4 KB ( 91532 bytes )
MD5 hash:  14e7aed0139942e33e9f072ed67ad455
Detection ratio:  7 / 49
First submission:  2014-12-11 18:15:38 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ea678b163e037bc7c6fcd8611908102ece6ee3d76709559d9330473edf1da220/analysis/

 

EXTRACTED MALWARE:

File name:  FB_Password_Reset_Form.exe
File size:  137.0 KB ( 140288 bytes )
MD5 hash:  d513bc67e078cd1bf8964e0abca63935
Detection ratio:  8 / 56
First submission:  2014-12-11 18:16:07 UTC
VirusTotal link:  https://www.virustotal.com/en/file/6cc8cd11080b3784377f3340b2eb8243bb7ee3a2650dbf2d46367365c4352f9c/analysis/
Malwr link:  https://malwr.com/analysis/ZWVmNDc1YmIwNjEyNDAxOWFhZDZiMzBiM2M4N2I4NDM/

 

DROPPED MALWARE FROM INFECTED VM - RERDOM:

File name:  UpdateFlashPlayer_d93020a4.exe
File size:  203.4 KB ( 208264 bytes )
MD5 hash:  818c1fa464e63fb2e588c0e447cb2baf
Detection ratio:  6 / 56
First submission:  2014-12-11 17:38:15 UTC
VirusTotal link:  https://www.virustotal.com/en/file/8b39a15f8a43ea17c77e3b535224ccb29632ec152bfc18e92c19984fd60107f8/analysis/
Malwr link:  https://malwr.com/analysis/ZDgwMzk2ZGFkNTVmNDlkY2EyMzNkZWM0YTU0ZGUyOWQ/
ZIP of pcap from Malwr's analysis:  2014-12-11-Asprox-dropped-malware-01.pcap.zip


Copy from the infected VM user's AppData\Local\Temp folder before it
deleted itself.

 

DROPPED MALWARE FROM INFECTED VM - SIMDA:

File name:  1563.tmp
File size:  640.0 KB ( 655360 bytes )
MD5 hash:  7a3d8b487b21ff7f63632964682dc9cb
Detection ratio:  7 / 56
First submission:  2014-12-11 18:19:06 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9c254302c8a1237af047633962fda6d55104cbd8e43fcd02221c7e2c42a0299a/analysis/
Malwr link:  https://malwr.com/analysis/OGZkZDNjMWJiODg0NDQ0ZGJkZjRjOWVjMGNlZTdjZTI/
ZIP of pcap from Malwr's analysis:  2014-12-11-Asprox-dropped-malware-02.pcap.zip

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.