2014-11-12 - ASPROX BOTNET FAKE STARBUCKS PHISHING EMAILS - DELIVERED SIRIUS WIN 7 ANTIVIRUS 2014
ASSOCIATED FILES:
- ZIP file - associated malware: 2014-11-12-Asprox-malware-and-artifacts.zip
- ZIP file - Asprox Starbucks-themed email examples: 2014-11-12-Asprox-starbucks-phishing-email-examples.zip
NOTES:
- Saw a fresh wave of fake Starbucks emails from the Asprox botnet today. The links point to a zip file that infected my VM with malware called: Sirius Win 7 Antivirus 2014
- My infected VM also did a bit of spamming, sending out fake Delta Airlines phishing emails before I took it off-line.
EXAMPLE OF THE EMAILS
SCREENSHOTS:
All six emails were fake Starbucks messages received on 2014-11-12, but this one has a few mistakes and
looks like it was originally sent on 2014-11-10.
LINK TO MALWARE FROM THESE EMAILS:
From: "Starbucks" <support@handycup.cz>
Subject: Enjoy your Starbucks Card eGift
Link: mundwerkfreital[.]de/error.php?stb=5aJGjk0nRdCwCLB5BSGJ9OVeZSjT9scAVkGNcSLdXzg
From: "Starbucks" <support@freighttraindigital.com>
Subject: Enjoy your Starbucks Card eGift
Link: ritphipsi[.]org/diff.php?stb=skw1QZozuKje0qjjrhzL8CaR1KIHwp6lcrmQ4iBrjpM
From: "Starbucks" <support@ulg.mediagiantdesign.com>
Subject: Starbucks Card eGift
Link: stormgeeks[.]com/dump.php?stb=KlHUP9Acz83sJOW8xdPVxSTPjF+I+6G6JrxViBND/C8
From: USPS <shawn@mclarensolutions.com.au>
Subject: Postal Notification Service
Link: vandammedhe[.]eu/search.php?stb=FHrTiIxaP+2THgoy4qzOjvPEEAAWh+dRZQU87G55HgI
From: "Starbucks" <support@alvarogl.com>
Subject: Starbucks Card eGift
Link: owireduyeboahandassociates[.]com/login.php?stb=UIUE39nFGpVxycMpyCfnSIc92jjwrISVcGz21oaNhTs
From: "Starbucks" <support@geldersespringkussenverhuur.nl>
Subject: Enjoy your Starbucks Card eGift
Link: postprodsons[.]com/defines.php?stb=9VyzWC5VJcDySbbeoYEaUqxjDeIjSUgpUpFpqT3M6Zo
PRELIMINARY MALWARE ANALYSIS
DOWNLOADED ZIP FILE:
File name: Starbucks_eGift.zip
File size: 70.3 KB ( 71950 bytes )
MD5 hash: 3cb651464905715a0a571f6bd434a7a9
Detection ratio: 13 / 55
First submission: 2014-11-12 19:25:08 UTC
VirusTotal link: https://www.virustotal.com/en/file/e6dc1655d31aec69533d9c8bec205615a164b66eed48176cd63140707a3a5cde/analysis/
EXTRACTED MALWARE:
File name: Starbucks_eGift.exe
File size: 107.0 KB ( 109568 bytes )
MD5 hash: 37f9766153ea52766d11839868f10648
Detection ratio: 13 / 55
First submission: 2014-11-12 19:25:45 UTC
VirusTotal link: https://www.virustotal.com/en/file/c21d40e8cd713a1dbdf6491abd9ce3dc11ba3f3312c7081fcb3be353b8b8e89f/analysis/
Malwr link: https://malwr.com/analysis/OGVlZWY0NGQ4ZGNjNGY5ZDlhNjNlMzNhYzFlYjM4NDM/
SOME DROPPED ARTIFACTS ON THE INFECTED VM:
DROPPED EXE (1 OF 2):
File name: pvmqjsqv.exe
File size: 109.0 KB ( 111616 bytes )
MD5 hash: 3a682c34371938570231f466be7c53a8
Detection ratio: 5 / 54
First submission: 2014-11-12 19:26:49 UTC
VirusTotal link: https://www.virustotal.com/en/file/a8ee33e4d8fc0900a3b99aff70437d4b878c7031eca48928300234e48938c77a/analysis/
DROPPED EXE (2 OF 2):
File name: reqxtpxq.exe
File size: 80.5 KB ( 82432 bytes )
MD5 hash: eae6fd5531d1101332b47b33ac7bdad3
Detection ratio: 4 / 53
First submission: 2014-11-12 17:23:12 UTC
VirusTotal link: https://www.virustotal.com/en/file/0b1bfdd4a4fce450429fb9494b5d860cc1a0bdb2e4a122790596aa01bd6aa55e/analysis/
INFECTION TRAFFIC
DOWNLOADING THE MALWARE FROM LINK IN THE EMAIL:
- 18:27:18 UTC - 192.168.204.150 - 49159 - 185.21.100.134:80 - mundwerkfreital.de - GET /error.php?stb=5aJGjk0nRdCwCLB5BSGJ9OVeZSjT9scAVkGNcSLdXzg
INFECTION TRAFFIC WHEN RUNNING THE MALWARE AND SEEING THE FAKE ANTI-VIRUS:
- 18:34:01 UTC - 192.168.204.150 - 49160 - 212.129.21.210:443 - POST /index.php
- 18:34:09 UTC - 192.168.204.150 - 49161 - 89.144.14.44:80 - glohhstt7.com - GET /FiGcq15uk9c0jEnSjQhDBrRmh4c5HvCnn8aPPAvnpVV2L9p2jjtNsJJPyVqNhQ==
- 18:36:04 UTC - 192.168.204.150 - 49166 - 212.129.21.210:443 - POST /index.php
- 18:38:08 UTC - 192.168.204.150 - 49167 - 212.129.21.210:443 - POST /index.php
- 18:40:10 UTC - 192.168.204.150 - 49171 - 212.129.21.210:443 - POST /index.php
- 18:40:12 UTC - 192.168.204.150 - 49176 - 212.26.132.65:443 - POST /cb/board.pl
- 18:42:33 UTC - 192.168.204.150 - 51678 - 212.129.21.210:443 - POST /index.php
- 18:44:35 UTC - 192.168.204.150 - 53783 - 212.129.21.210:443 - POST /index.php
- 18:46:29 UTC - 192.168.204.150 - 54802 - 72.51.46.206:8080 - POST /cb/board.pl
- 18:46:37 UTC - 192.168.204.150 - 54835 - 212.129.21.210:443 - POST /index.php
- Lots of SMTP traffic [I let this run much longer than I intended...]
TRAFFIC FOR THE WEB PAGE THAT APPEARED WHEN I CLICKED TO REGISTER THE PRODUCT:
- 18:39:10 UTC - 192.168.204.150 - 49168 - 89.144.14.44:80 - glohhst7.com - GET /fV1ZWTobDzEb1zQdLFOmB4folVTIY2uXvKVA2yfMctZiq_f8Cvr7W49_4ueCkuu_9vSv_02l
- 18:39:10 UTC - 192.168.204.150 - 49168 - 89.144.14.44:80 - glohhst7.com - serveral other HTTP GET requests for the web page components
SNORT EVENTS
Signature hits from Emerging Threats and ETPRO rulesets from Sguil on Security Onion:
- ET TROJAN Kuluoz/Asprox Activity (sid:2017895)
- ET TROJAN Kuluoz/Asprox CnC Response (sid:2019187)
- ET TROJAN Asprox Fake Ximian Evolution X-Mailer Header (XimianEvolution1.4.6) (sid:2018336)
- ETPRO TROJAN Common Downloader Header Pattern HCa (sid:2803304)
SCREENSHOTS
Trying one of the email links in a web browser got me the malicious zip file:
When I ran the fake Starbucks malware, I got the following message:
Shortly after running the malware, I got a notification from the fake anti-virus that my system had been breached:
Here's the fake anti-virus Sirius Win 7 Antivirus 2014 doing a fake scan on the infected VM:
Another fake reminder, as the malware tries to get me to register:
Here's the window that pops up when you try to register:
The infected VM will occasionally generate more fake anti-virus alerts like this one:
I couldn't run the registry editor or look at any of the files in my infected VM's AppData\Local\Temp directory.  I would always get one of these warnings:
Meanwhile, here's some of the HTTP POST traffic generated by the infected VM:
Here's HTTP web traffic associated with this particular version of the Sirius Win 7 Antivirus 2014 malware:
Here's an example of the fake Delta Airlines phishing emails sent by my infected VM before I took it off-line:
FINAL NOTES
Once again, here are the associated files:
- ZIP file - associated malware: 2014-11-12-Asprox-malware-and-artifacts.zip >ZIP file - Asprox Starbucks-themed email examples: 2014-11-12-Asprox-starbucks-phishing-email-examples.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.