2014-09-09 - ASPROX BOTNET PHISHING EMAILS - DELTA AIRLINES
ASSOCIATED FILES:
- ZIP of the malware samples: 2014-09-09-phishing-malware-examples.zip
- ZIP of the spreadsheet for the email tracking: 2014-09-09-phishing-campaign-email-tracking.csv.zip
- ZIP of the pcaps: 2014-09-09-phishing-malware-traffic.zip
NOTES:
- Yet another wave of phishing emails seen from the Asprox botnet--this one spoofing Delta Airlines.
EXAMPLES OF THE PHISHING EMAILS
SCREENSHOT - EXAMPLE 1:
SCREENSHOT - EXAMPLE 2:
SCREENSHOT - EXAMPLE 3:
MESSAGE TEXT - EXAMPLE 1:
From: Delta Air <help@startcomputerrepair.com>
Sent: Monday, September 08, 2014 15:59 UTC
To:
Subject: The order #00354911 is ready
Dear Customer,
ELECTRONIC TICKET NUMBER / ET-02442799
SEAT / 72F/ZONE 3
DATE / TIME 7 OCTOBER, 2014, 12:15 PM
ARRIVING / Stockton
FORM OF PAYMENT / XXXXXX
TOTAL PRICE / 272.19 USD
REF / EK.0183 ST / OK
BAG / 7PC
Please find your ticket attached.
You can print your ticket.
Thank you for your attention.
Delta Air Lines.
Attachment: ET-68435506.zip (108.6 KB)
MESSAGE TEXT - EXAMPLE 2:
From: Delta Air Lines <support@cavestclair.com>
Date: Tuesday, September 9, 2014 at 18:26 UTC
To:
Subject: Your order # ID16-00637196 has been completed
Dear Client,
TICKET / ET-10864422
SEAT / 63F/ZONE 1
DATE / TIME 7 OCTOBER, 2014, 12:25 AM
ARRIVING / Philadelphia
FORM OF PAYMENT / XXXXXX
TOTAL PRICE / 281.38 USD
REF / EK.0807 ST / OK
BAG / 2PC
Your ticket is attached.
To use your ticket you should print it.
Thank you for your attention.
Delta Air Lines.
Attachment: ET-11336156.zip (101.5 KB)
MESSAGE TEXT - EXAMPLE 3:
From: Delta Air Lines <custservice@sydneystair.com>
Date: Tuesday, September 9, 2014 at 19:57 UTC
To:
Subject: Your order # NR17-00043949 has been completed
Dear Customer,
ELECTRONIC TICKET / ET-22307486
SEAT / 64A/ZONE 1
DATE / TIME 1 OCTOBER, 2014, 12:55 AM
ARRIVING / Newport News
FORM OF PAYMENT / XXXXXX
TOTAL PRICE / 278.39 USD
REF / LE.9116 ST / OK
BAG / 1PC
Your electronic ticket is attached to the letter as a scan document.
You can print your ticket.
Thank you for your attention.
Delta Air Lines.
Attachment: ET-81809167.zip (111.8 KB)
MALWARE EXAMPLES
- Attachment: ET-11336156.zip - MD5 hash: be6efead7e792b81da98b2b85e5a9ec8
- VirusTotal link: https://www.virustotal.com/en/file/0023857e59a93cee87c8ae546350b9e2add29ace1861e19b52263932a67bc9c9/analysis/
- Extracted file: DeltaTicket.exe - MD5 hash: 6b20036e7b3ae7a24231ff351a9251e1
- VirusTotal link: https://www.virustotal.com/en/file/51908171d119f4567453762a05f39208ddf58f8c50c3f5ee2fcac97690a3c19b/analysis/
- Attachment: ET-45048581.zip - MD5 hash: 3cf5bf0dc201ecdb9ac7e4eaa8af1205
- VirusTotal link: https://www.virustotal.com/en/file/1327a3b479c13235bf67797b66aa2057ee81b0763399b267bd8b6d17493968f4/analysis/
- Extracted file: DeltaTicket.exe - MD5 hash: f8825c98266e7549515f7479acc4cb04
- VirusTotal link: https://www.virustotal.com/en/file/deeb5035d805c316851fafedf03c5348bc3103c876324309cf550153aa57bb87/analysis/
- Attachment: ET-68435506.zip - MD5 hash: afaf0d8a55e65f258e11c06d5dc74855
- VirusTotal link: https://www.virustotal.com/en/file/851dcd10ea30554e286ea6c92937e1f660594c46d7853b681441d11a0f77197d/analysis/
- Extracted file: DeltaTicket.exe - MD5 hash: dafee9aa102b64a21c15af6208537dc0
- VirusTotal link: https://www.virustotal.com/en/file/b14c2bfed6fb6360b551dadcf2ff4b0fae0a5e9e79fad62a3b2f53f17e4f7964/analysis/
- Attachment: ET-81809167.zip - MD5 hash: dae07211557843bdeb9b11a458ffa54b
- VirusTotal link: https://www.virustotal.com/en/file/3474e2c468b86296ba097d16e18c8ec2814f4ed9ddf25aece715983dded94423/analysis/
- Extracted file: DeltaTicket.exe - MD5 hash: 4845a080eae462ccb2f3a3eb014d073f
- VirusTotal link: https://www.virustotal.com/en/file/f518944045efe237613808760dd6e4e34de69b82927854c33fba405a300269fe/analysis/
TRAFFIC AND SNORT EVENTS
LIVE TRAFFIC - 4845A080EAE462CCB2F3A3EB014D073F:
- 172.16.165.133:49193 - 178.33.160.87:80 - POST /index.php
- 172.16.165.133:49194 - 178.33.160.87:80 - POST /index.php
- 172.16.165.133:49195 - 202.185.27.50:8080 - POST /index.php
- 172.16.165.133:49196 - 178.33.160.87:80 - POST /index.php
- 172.16.165.133:49197 - 222.124.166.12:443 - POST /index.php
- 172.16.165.133:various - 172.16.165.2:53 - several DNS queries for: openisp.su
- 172.16.165.133:various - 172.16.165.2:53 - several DNS queries for: cellgone.su
SNORT EVENTS:
- 172.16.165.133:49193 - 178.33.160.87:80 - ET TROJAN Kuluoz/Asprox Activity (sid:2017895)
- 172.16.165.133:49193 - 178.33.160.87:80 - ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2 (sid:2018359)
- 172.16.165.133:49197 - 222.124.166.12:443 - ET POLICY HTTP traffic on port 443 (POST) (sid:2013926)
- 172.16.165.133:49197 - 222.124.166.12:443 - ET POLICY HTTP POST on unusual Port Possibly Hostile (sid:2006409)
- 172.16.165.133:52193 - 172.16.165.2:53 - ET POLICY DNS Query for .su TLD (Soviet Union) Often Malware Related (sid:2014169)
- 172.16.165.133:various - 172.16.165.2:53 - [1:27721:3] INDICATOR-COMPROMISE Suspicious .su dns query (x15)
LIVE TRAFFIC - 6B20036E7B3AE7A24231FF351A9251E1:
- 172.16.165.133:49191 - 202.185.27.50:8080 - POST /index.php
- 172.16.165.133:49192 - 222.124.166.12:443 - POST /index.php
- 172.16.165.133:49193 - 222.124.166.12:443 - POST /index.php
- 172.16.165.133:various - 172.16.165.2:53 - several DNS queries for: openisp.su
- 172.16.165.133:various - 172.16.165.2:53 - several DNS queries for: cellgone.su
SNORT EVENTS:
- 172.16.165.133:49191 - 202.185.27.50:8080 - ET TROJAN Kuluoz/Asprox Activity (sid:2017895)
- 172.16.165.133:49191 - 202.185.27.50:8080 - ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2 (sid:2018359)
- 172.16.165.133:49192 - 222.124.166.12:443 - ET POLICY HTTP traffic on port 443 (POST) (sid:2013926)
- 172.16.165.133:49192 - 222.124.166.12:443 - ET POLICY HTTP POST on unusual Port Possibly Hostile (sid:2006409)
- 172.16.165.133:52193 - 172.16.165.2:53 - ET POLICY DNS Query for .su TLD (Soviet Union) Often Malware Related (sid:2014169)
- 172.16.165.133:various - 172.16.165.2:53 - [1:27721:3] INDICATOR-COMPROMISE Suspicious .su dns query (x28)
SANDBOX TRAFFIC - DAFEE9AA102B64A21C15AF6208537DC0:
- 172.16.165.133:49183 - 82.116.211.16:443 - POST /index.php
- 172.16.165.133:49184 - 202.75.53.48:8080 - POST /index.php
- 172.16.165.133:49185 - 209.170.120.163:8080 - POST /index.php
- 172.16.165.133:49186 - 82.116.211.16:443 - POST /index.php
- 172.16.165.133:49187 - 202.185.27.50:8080 - POST /index.php
- 172.16.165.133:49189 - 222.124.166.12:443 - POST /index.php
- 172.16.165.133:49190 - 209.170.120.163:8080 - POST /index.php
SNORT EVENTS:
- 172.16.165.133:49183 - 82.116.211.16:443 - ET TROJAN Kuluoz/Asprox Activity (sid:2017895)
- 172.16.165.133:49183 - 82.116.211.16:443 - ET POLICY HTTP traffic on port 443 (POST) (sid:2013926)
- 172.16.165.133:49183 - 82.116.211.16:443 - ET POLICY HTTP POST on unusual Port Possibly Hostile (sid:2006409)
LIVE TRAFFIC - F8825C98266E7549515F7479ACC4CB04:
- 172.16.165.133:49191 - 217.106.238.145:443 - POST /index.php
- 172.16.165.133:49192 - 217.106.238.145:443 - POST /index.php
- 172.16.165.133:49193 - 217.106.238.145:443 - POST /index.php
- 172.16.165.133:49194 - 217.106.238.145:443 - POST /index.php
- 172.16.165.133:49198 - 93.158.134.89:25 - SMTP attempt, but RST by server
- 172.16.165.133:49199 - 80.83.123.131:8080 - POST /cb/board.pl
- 172.16.165.133:49200 - 172.16.165.134:25 - example of the many emails sent (IP address and other info changed or masked in this pcap)
- 172.16.165.133:various - 172.16.165.2:53 - several DNS queries for: openisp.su
- 172.16.165.133:various - 172.16.165.2:53 - several DNS queries for: cellgone.su
SNORT EVENTS:
- 172.16.165.133:49191 - 217.106.238.145:443 - ET TROJAN Kuluoz/Asprox Activity (sid:2017895)
- 172.16.165.133:49191 - 217.106.238.145:443 - ET POLICY HTTP traffic on port 443 (POST) (sid:2013926)
- 172.16.165.133:49191 - 222.124.166.12:443 - ET POLICY HTTP POST on unusual Port Possibly Hostile (sid:2006409)
- 172.16.165.133:53275 - 172.16.165.2:53 - ET POLICY DNS Query for .su TLD (Soviet Union) Often Malware Related (sid:2014169)
- 172.16.165.133:49200 - 172.16.165.134:25 - ETPRO SMTP Exim string_format Remote Code Execution (sid:2800979)
- 172.16.165.133:49200 - 172.16.165.134:25 - ET INFO SUSPICIOUS SMTP EXE - ZIP file with .exe filename inside (Inbound) (sid:2017884)
- 172.16.165.133:various - 172.16.165.2:53 - [1:27721:3] INDICATOR-COMPROMISE Suspicious .su dns query (x43)
- 172.16.165.133:49200 - 172.16.165.134:25 - [129:12:1] Consecutive TCP small segments exceeding threshold (x9)
- 172.16.165.133 - 172.16.165.134 - [139:1:1] (spp_sdf) SDF Combination Alert
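As an added example (not part of the original post or its pcaps), the script below applies the logic of the policy-style Snort signatures listed above (POST to a bare IP, cleartext HTTP POST on port 443 or another unusual port, DNS query for a .su name) to traffic summary lines written in the format used on this page. It assumes the summaries record only destination IPs and never hostnames, so every POST is treated as a dotted-quad POST; the rule labels are my own names, not ET signature names.

```python
import re
from collections import Counter

# Constructed sample: a subset of the summary lines from the runs above.
SAMPLE_LINES = """
- 172.16.165.133:49193 - 178.33.160.87:80 - POST /index.php
- 172.16.165.133:49195 - 202.185.27.50:8080 - POST /index.php
- 172.16.165.133:49197 - 222.124.166.12:443 - POST /index.php
- 172.16.165.133:various - 172.16.165.2:53 - several DNS queries for: openisp.su
- 172.16.165.133:various - 172.16.165.2:53 - several DNS queries for: cellgone.su
- 172.16.165.133:49198 - 93.158.134.89:25 - SMTP attempt, but RST by server
- 172.16.165.133:49199 - 80.83.123.131:8080 - POST /cb/board.pl
"""

# "<src>:<sport> - <dst>:<dport> - <description>", optional leading "- "
LINE_RE = re.compile(
    r"^(?:-\s*)?(?P<src>[\d.]+):(?P<sport>\w+) - "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) - (?P<desc>.+)$"
)
PLAUSIBLE_HTTP_PORTS = {80, 8080}  # where cleartext HTTP is at least expected


def classify(line):
    """Return the labels a single summary line trips (empty if none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    dport = int(m.group("dport"))
    desc = m.group("desc")
    hits = []
    if desc.startswith("POST "):
        # Assumption: no hostname is recorded, so the destination is a bare IP.
        hits.append("post_to_dotted_quad")
        if dport == 443:
            # Cleartext HTTP on the TLS port trips both policy checks.
            hits.append("cleartext_http_on_443")
            hits.append("http_post_unusual_port")
        elif dport not in PLAUSIBLE_HTTP_PORTS:
            hits.append("http_post_unusual_port")
    if dport == 53:
        fqdn = desc.rsplit(":", 1)[-1].strip().lower()
        if fqdn.endswith(".su"):
            hits.append("dns_query_su_tld")
    return hits


def summarize(text):
    """Count how often each label fires across a block of summary lines."""
    counts = Counter()
    for line in text.strip().splitlines():
        counts.update(classify(line))
    return counts
```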
FINAL NOTES
Once again, here are the associated files:
- ZIP of the malware samples: 2014-09-09-phishing-malware-examples.zip
- ZIP of the spreadsheet for the email tracking: 2014-09-09-phishing-campaign-email-tracking.csv.zip
- ZIP of the pcaps: 2014-09-09-phishing-malware-traffic.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.