2014-07-02 - RECENT ASPROX BOTNET PHISHING EMAILS
ASSOCIATED FILES:
- ZIP of PCAPs: 2014-07-02-fake-USPS-notification-sandbox-analysis-pcaps.zip
- ZIP of the malware: 2014-07-02-Asprox-phishing-malware.zip
NOTES:
This blog entry compares 2 recent USPS-themed phishing emails from the Asprox botnet. Note the differences between the two emails: the file name of the downloaded ZIP, the compromised domain hosting it and the URL path (GetReceipt vs. get_label) all change between runs, which complicates efforts to block these phishing emails on message content or URL alone. For more information on these recent Asprox emails, see the following links:
- http://threatpost.com/usps-spam-campaign-drops-botnet-malware
- http://research.zscaler.com/2014/05/usps-spam-delivering-kryptik-variant.html
- http://stopmalvertising.com/malware-reports/a-journey-inside-the-asprox-modules.html
SCREENSHOTS OF THE EMAILS
FROM FRIDAY, 2014-06-27:
FROM WEDNESDAY, 2014-07-02:
HTTP GET REQUESTS FOR THE MALWARE:
- 2014-06-27 email: mylawyersaid.com - GET /wp-content/api/Yh/ILO3Ne0n4J7iVu3VncK6UUVjtOuDSLPOEDVGsKmw=/GetReceipt
- 2014-07-02 email: www.per-aspera.ru - GET /components/api/OVpz9RquPFsc0GQuEHIhiseFR47FAN73aWXBerZ9vDA=/get_label
PRELIMINARY MALWARE ANALYSIS
2014-06-27 MALWARE (ZIP FILE)
File name: USPS_Receipt_US_city_name_2014-06-27.zip
File size: 98.8 KB ( 101141 bytes )
MD5 hash: a5eaedb7ad1a651379855477f4164651
Detection ratio: 21 / 54
First submission: 2014-07-02 20:21:09 UTC
VirusTotal link: https://www.virustotal.com/en/file/38e17f76e97ac21b728ebe6d5c5d074df6b7c62ea71c0bc7b723273da5515cf7/analysis/
2014-06-27 MALWARE (EXTRACTED EXE)
File name: USPS_Receipt_US_city_name_2014-06-27.exe
File size: 149.5 KB ( 153088 bytes )
MD5 hash: b1ffe5b1dcf6125bdfd2e713a7c2bdb4
Detection ratio: 20 / 53
First submission: 2014-07-02 20:21:30 UTC
VirusTotal link: https://www.virustotal.com/en/file/4ec0dc7e0fc1806bfd777caa2762d7f6f89d7e9db794c07dad2caea63d3a14ba/analysis/
Malwr link: https://malwr.com/analysis/MTdiNDE2ZGFlYmY2NGE3MjgzZmNiZjdhOTU1YzQzYjQ/
2014-07-02 MALWARE (ZIP FILE)
File name: Label_US_city_name_2014-07-02.zip
File size: 89.2 KB ( 91355 bytes )
MD5 hash: c62571abb2579a08815a7fe9f444e726
Detection ratio: 4 / 53
First submission: 2014-07-02 20:18:38 UTC
VirusTotal link: https://www.virustotal.com/en/file/9a39c1ed1e3309fd9f530bc72f4ac84e022a926c9ba6df4266b73cc489d2e065/analysis/
2014-07-02 MALWARE (EXTRACTED EXE)
File name: Label_US_city_name_2014-07-02.exe
File size: 128.5 KB ( 131584 bytes )
MD5 hash: 1e0c7da431950be356ee52985d7a4d8b
Detection ratio: 5 / 54
First submission: 2014-07-02 16:22:57 UTC
VirusTotal link: https://www.virustotal.com/en/file/b7ee27546d19721bdf927c11e217b556264c39584749f79dbfb774290793ff35/analysis/
Malwr link: https://malwr.com/analysis/MzA3ZTY5MTE2Y2MxNGFiZWJlN2UxYjA0ZmRmMWQ3OGI/
SANDBOX TRAFFIC AND SNORT EVENTS
Traffic noted from the Malwr.com sandbox analysis of the 2014-06-27 malware (format: date/time - source IP:port - destination IP:port - HTTP Host header - request):
- 2014-07-02 20:23:16 UTC - 192.168.56.102:1039 - 62.193.192.101:8080 - 62.193.192.101:8080 - POST /460326245047F2B6E405E92260B09AA0E35D7CA2B1
Snort events triggered when reading the PCAP:
- 2014-07-02 20:23:16 UTC - 192.168.56.102:1039 - 62.193.192.101:8080 - [1:31244:1] MALWARE-CNC Win.Trojan.Kuluoz outbound connection attempt
- 2014-07-02 20:23:16 UTC - 192.168.56.102:1039 - 62.193.192.101:8080 - [1:2807771:1] ETPRO TROJAN Win32/Kuluoz.D Checkin
- 2014-07-02 20:23:16 UTC - 192.168.56.102:1039 - 62.193.192.101:8080 - [1:2017895:5] ET CURRENT_EVENTS Kuluoz/Asprox Activity Dec 23 2013
- 2014-07-02 20:23:16 UTC - 192.168.56.102:1039 - 62.193.192.101:8080 - [1:2018359:1] ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2
Traffic noted from the Malwr.com sandbox analysis of the 2014-07-02 malware:
- 2014-07-02 20:21:00 UTC - 192.168.56.102:1039 - 142.4.60.242:443 - 142.4.60.242:443 - POST /460326245047F2B6E405E92260B09AA0E35D7CA2B1
Snort events triggered when reading the PCAP:
- 2014-07-02 20:21:00 UTC - 192.168.56.102:1039 - 142.4.60.242:443 - [1:31244:1] MALWARE-CNC Win.Trojan.Kuluoz outbound connection attempt
- 2014-07-02 20:21:00 UTC - 192.168.56.102:1039 - 142.4.60.242:443 - [1:2807771:1] ETPRO TROJAN Win32/Kuluoz.D Checkin
- 2014-07-02 20:21:00 UTC - 192.168.56.102:1039 - 142.4.60.242:443 - [1:2013926:2] ET POLICY HTTP traffic on port 443 (POST)
- 2014-07-02 20:21:00 UTC - 192.168.56.102:1039 - 142.4.60.242:443 - [1:2006409:8] ET POLICY HTTP POST on unusual Port Possibly Hostile
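The two traffic patterns above are easy to pick out of proxy or sandbox logs without full Snort rules: the download URLs both carry a base64-looking token under an /api/ path ending in GetReceipt or get_label, and the check-in is a POST of a bare hex blob to a dotted-quad Host header on a non-standard port (8080, and plaintext HTTP on 443). The script below is an added example written for this entry, not code from the original post or from any of the linked reports. It parses records in the "timestamp - src:port - dst:port - host - request" layout used in the listing above and tags each one; the sample log lines, the timestamps on the GET lines and the 203.0.113.x / 10.0.0.5 addresses are constructed for the example, while the URL paths and check-in IPs are the ones documented on this page.

```python
"""Tag Asprox/Kuluoz traffic patterns in HTTP request records.

Record layout (as in the sandbox traffic listing on this page):
    "timestamp - src:port - dst:port - host - METHOD /path"
All SAMPLE_LOG lines are constructed for this example.
"""
import re
from ipaddress import ip_address
from typing import Optional

RECORD_RE = re.compile(
    r"^(?P<ts>\S+ \S+ UTC) - (?P<src>[\d.]+):(?P<sport>\d+) - "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) - (?P<host>\S+) - (?P<method>GET|POST) (?P<path>\S+)$"
)

# Download URL: "/api/" followed by base64-looking segments (the samples on
# this page include one ending in "=") and one of the two script names seen.
DOWNLOAD_RE = re.compile(r"/api/(?:[A-Za-z0-9+]+=*/)+(?:GetReceipt|get_label)$")

# Kuluoz check-in: the request path is a single bare upper-case hex blob.
CHECKIN_PATH_RE = re.compile(r"^/[0-9A-F]{32,}$")


def is_dotted_quad(host: str) -> bool:
    """True when the Host header is a literal IPv4 address (":port" optional)."""
    try:
        ip_address(host.rsplit(":", 1)[0])
        return True
    except ValueError:
        return False


def parse_record(line: str) -> Optional[dict]:
    """Split one log line into fields; return None for lines in another format."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec: dict) -> list:
    """Return the tags a record earns (empty list when nothing matched)."""
    tags = []
    if rec["method"] == "GET" and DOWNLOAD_RE.search(rec["path"]):
        tags.append("asprox-download-url")
    if rec["method"] == "POST" and is_dotted_quad(rec["host"]):
        # Same condition as the generic "POST to dotted quad" signature above;
        # it fires on benign traffic too, so the check-in tag is kept separate.
        tags.append("post-to-dotted-quad")
        if CHECKIN_PATH_RE.match(rec["path"]):
            tags.append("kuluoz-checkin")
    if rec["dport"] == 443:
        # A parseable HTTP request line on 443 means plaintext HTTP, not TLS,
        # as with the 2014-07-02 sample's check-in.
        tags.append("http-on-443")
    return tags


def scan(lines: list) -> list:
    """Return (dst, path, tags) for every parseable record that earned a tag."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            hits.append((rec["dst"], rec["path"], tags))
    return hits


# Constructed sample log; paths and check-in IPs come from this page,
# the GET timestamps and 203.0.113.x / 10.0.0.5 addresses are made up.
SAMPLE_LOG = [
    "2014-06-27 12:00:00 UTC - 192.168.56.102:1037 - 203.0.113.10:80 - mylawyersaid.com - "
    "GET /wp-content/api/Yh/ILO3Ne0n4J7iVu3VncK6UUVjtOuDSLPOEDVGsKmw=/GetReceipt",
    "2014-07-02 12:00:00 UTC - 192.168.56.102:1038 - 203.0.113.20:80 - www.per-aspera.ru - "
    "GET /components/api/OVpz9RquPFsc0GQuEHIhiseFR47FAN73aWXBerZ9vDA=/get_label",
    "2014-07-02 20:23:16 UTC - 192.168.56.102:1039 - 62.193.192.101:8080 - 62.193.192.101:8080 - "
    "POST /460326245047F2B6E405E92260B09AA0E35D7CA2B1",
    "2014-07-02 20:21:00 UTC - 192.168.56.102:1039 - 142.4.60.242:443 - 142.4.60.242:443 - "
    "POST /460326245047F2B6E405E92260B09AA0E35D7CA2B1",
    # Benign POST to an internal IP: generic tag only, no check-in tag.
    "2014-07-02 20:25:00 UTC - 192.168.56.102:1040 - 10.0.0.5:8080 - 10.0.0.5:8080 - POST /api/login",
    # Benign /api/ path without the token/script-name shape: no tag.
    "2014-07-02 20:26:00 UTC - 192.168.56.102:1041 - 203.0.113.30:80 - www.example.com - "
    "GET /wp-content/api/v1/status",
    "this line is not in the expected format and is skipped",
]

if __name__ == "__main__":
    for dst, path, tags in scan(SAMPLE_LOG):
        print(f"{dst:16} {','.join(tags):45} {path}")
```

The hex-blob check-in path is the strongest of the three signals; the dotted-quad POST and HTTP-on-443 tags match plenty of legitimate traffic on their own and are only worth alerting on in combination, which is how the Emerging Threats policy and info rules above are meant to be read.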
FINAL NOTES
Once again, here are the associated files:
- ZIP of PCAPs: 2014-07-02-fake-USPS-notification-sandbox-analysis-pcaps.zip
- ZIP of the malware: 2014-07-02-Asprox-phishing-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.