2014-12-11 - ASPROX BOTNET PHISHING CAMPAIGN - SUBJECT: FACEBOOK PASSWORD CHANGE

ASSOCIATED FILES:

• ZIP - CSV spreadsheet tracking the messages:  2014-12-11-Asprox-facebook-campaign-message-tracking.csv.zip
• ZIP - PCAP of VM infection from malware sample:  2014-12-11-Asprox-malware-run-on-a-VM.pcap.zip
• ZIP - associated malware (includes dropped Rerdom and Simda):  2014-12-11-malware-from-VM-infection-by-Asprox.zip
• ZIP - Sample Asprox email with headers (sanitized):  2014-12-11-Asprox-email-example-with-headers.txt.zip

 

NOTES:

• Techhelplist reported on this earlier today at:  https://techhelplist.com/index.php/spam-list/694-facebook-password-change-asprox-malware-v2

• This blog entry is a follow-up that includes the emails I've found, malware samples, and traffic from an infected VM.
• Below are the emails I found with the subject line Facebook password change.  Asprox has used other variations with the word "Facebook" in the subject line.

 

EXAMPLE OF THE EMAILS

SCREENSHOT:

 

MESSAGE TEXT:

Subject: Facebook password change
Date: Thu, 11 Dec 2014 12:43:19 UTC
From: Facebook <notification@gruasorion.com>
Reply-To: Facebook <notification@gruasorion.com>
To:

Facebook

Hi,

Your Facebook password was been reset on Thursday, December 11, 2014 at 12:42PM (UTC) due to suspicious activity of your account.

Operating system:  Windows
Browser:  Google Chrome
IP address:  [omitted]
Estimated location:  Proctor, OK, US

To restore the password complete this form please, your request will be considered within 24 hours.
Thanks,
The Facebook Security Team

Facebook, Inc., Attention: Department 425, PO Box 10005, Palo Alto, CA 94303

NOTE:  From what I can tell, Asprox uses random values for the OS, browser, IP, and estimated location.  I omitted the IP address above, because some people scrape these blog entries for malicious IP addresses.

 

VM INFECTION TRAFFIC

DOWNLOADING THE ASPROX ZIP FILE:

• 2014-12-11 17:40:08 UTC - 208.88.133.116:80 - digest.sagepub.com - GET /template.php?fb=ZqxmdLEfXtVt+vSTgZPQr4HuNeYy0gaxNY+SHrKn3zM=

 

EXECUTING THE EXTRACTED MALWARE IN A VM:

• 2014-12-11 17:43:51 UTC - 192.168.204.137:49160 - 208.81.237.99:8080 - 208.81.237.99:8080 - POST /index.php
• 2014-12-11 17:44:10 UTC - 192.168.204.137:49161 - 67.183.123.151:80 - lifeprooffre.com - GET /catalog/789
• 2014-12-11 17:44:12 UTC - 192.168.204.137:49162 - 77.123.108.4:80 - adminaoffline.com - GET /datamousthoping/mod_smartslider2/
• 2014-12-11 17:46:50 UTC - 192.168.204.137:49157 - 95.164.12.24:80 - adminaoffline.com - GET /jshoppi/soft32.dll
• 2014-12-11 17:46:59 UTC - 192.168.204.137:49159 - 67.183.123.151:80 - linktohttps.com - GET /b/eve/d23e74dde53e536906ade2b3
• 2014-12-11 17:47:16 UTC - 192.168.204.137:49160 - 133.242.54.221:443 - POST /index.php
• 2014-12-11 17:47:49 UTC - 192.168.204.137:49165 - 37.25.102.37:80 - linktohttps.com - POST /b/opt/4C39DA050DB46D8E3AB44A3A
• 2014-12-11 17:47:54 UTC - 192.168.204.137:49166 - 37.25.102.37:80 - linktohttps.com - GET /b/letr/83149EADBA4F7EC88D4F597C
• 2014-12-11 17:47:59 UTC - 192.168.204.137:49167 - 37.25.102.37:80 - linktohttps.com - GET /b/letr/83149EADBA4F7EC88D4F597C
• 2014-12-11 17:48:00 UTC - 192.168.204.137:49168 - 195.245.194.102:8080 - 195.245.194.102:8080 - POST /b/opt/85B756550F56CC0B3856EBBF
• 2014-12-11 17:48:06 UTC - 192.168.204.137:49169 - 195.245.194.102:8080 - 195.245.194.102:8080 - GET /b/letr/385E5562C7E1145CF0E133E8
• 2014-12-11 17:48:09 UTC - 192.168.204.137:49170 - 70.32.94.46:8080 - 70.32.94.46:8080 - POST /b/opt/D00275A2D88326A7EF830113
• 2014-12-11 17:48:12 UTC - 192.168.204.137:49171 - 70.32.94.46:8080 - 70.32.94.46:8080 - POST /b/opt/A7E95B6D26206F1C112048A8
• 2014-12-11 17:48:31 UTC - 192.168.204.137:49172 - 70.32.94.46:8080 - 70.32.94.46:8080 - POST /b/req/A04533BCFDCAE120CACAC694
• 2014-12-11 17:48:34 UTC - 192.168.204.137:49173 - 70.32.94.46:8080 - 70.32.94.46:8080 - GET /b/eve/9ef85855a9f87fe16aef9187
• 2014-12-11 17:49:20 UTC - 192.168.204.137:49174 - 133.242.54.221:443 - POST /index.php
• 2014-12-11 17:49:26 UTC - 192.168.204.137:49175 - 79.142.66.239:80 - report.9i1q9ws7931yw3u7my1.com - GET /?EI9320=%96%9C%D4%[long string of characters]
• 2014-12-11 17:49:29 UTC - 192.168.204.137:49176 - 70.32.94.46:8080 - 70.32.94.46:8080 - POST /b/req/5F29E613C0CB0FD7F7CB2863
• 2014-12-11 17:49:34 UTC - 192.168.204.137:49177 - 70.32.94.46:8080 - 70.32.94.46:8080 - GET /b/eve/4b273de97c271a5da3f7f2d6
• 2014-12-11 17:50:31 UTC - 192.168.204.137:49178 - 70.32.94.46:8080 - 70.32.94.46:8080 - POST /b/req/2F0BE089032BC999342BEE2D
• 2014-12-11 17:50:47 UTC - 192.168.204.137:49179 - 70.32.94.46:8080 - 70.32.94.46:8080 - POST /b/req/BFCB8BC39FE7A71CA8E780A8
• 2014-12-11 17:50:59 UTC - 192.168.204.137:49194 - 37.221.168.59:80 - 37.221.168.59 - GET /b/pkg/T51405fc9a5jjao

 

CLICK FRAUD TRAFFIC FROM THE INFECTED VM BEGINS:

• 2014-12-11 17:50:49 UTC - 192.168.204.137:49182 - 46.161.41.220:80 - sheepdog-shop.com - GET /
• 2014-12-11 17:50:49 UTC - 192.168.204.137:49185 - 46.161.41.220:80 - perspectivism-new.com - GET /
• 2014-12-11 17:50:49 UTC - 192.168.204.137:49180 - 46.161.41.220:80 - mainnav-active.com - GET /
• 2014-12-11 17:50:49 UTC - 192.168.204.137:49184 - 46.161.41.220:80 - sheepdog-shop.com - GET /
• 2014-12-11 17:50:49 UTC - 192.168.204.137:49186 - 46.161.41.220:80 - jseradio.com - GET /
• 2014-12-11 17:50:49 UTC - 192.168.204.137:49181 - 46.161.41.220:80 - personal-stereo.com - GET /
• 2014-12-11 17:50:49 UTC - 192.168.204.137:49183 - 46.161.41.220:80 - perspectivism-new.com - GET /
• 2014-12-11 17:50:49 UTC - 192.168.204.137:49188 - 46.161.41.220:80 - darkblue-new.com - GET /
• 2014-12-11 17:50:49 UTC - 192.168.204.137:49187 - 46.161.41.220:80 - shimmer-lite.com - GET /

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion using Suricata (not including ET INFO or ET POLICY rules):

• 2014-12-11 17:40:11 UTC - 192.168.204.137:49158 - 208.88.133.116:80 - ET CURRENT_EVENTS Possible ASPROX Download URI Struct June 19 2014 (sid:2018589)
• 2014-12-11 17:44:06 UTC - 192.168.204.137:49160 - 208.81.237.99:8080 - ET TROJAN Kuluoz/Asprox Activity (sid:2017895)
• 2014-12-11 17:44:11 UTC - 192.168.204.137:49161 - 67.183.123.151:80 - ET TROJAN Win32/Zemot URI Struct (sid:2019458)
• 2014-12-11 17:44:11 UTC - 192.168.204.137:49161 - 67.183.123.151:80 - ETPRO TROJAN Win32/Zemot User-Agent (sid:2808499)
• 2014-12-11 17:44:12 UTC - 192.168.204.137:49162 - 77.123.108.4:80 - ET TROJAN Win32/Zemot Requesting PE (sid:2019759)
• 2014-12-11 17:44:12 UTC - 77.123.108.4:80 - 192.168.204.137:49162 - ET CURRENT_EVENTS Nuclear Exploit Kit exe.exe Payload (sid:2018914)
• 2014-12-11 17:44:12 UTC - 77.123.108.4:80 - 192.168.204.137:49162 - ET MALWARE Possible Windows executable sent when remote host claims to send a Text File (sid:2008438)
• 2014-12-11 17:46:50 UTC - 192.168.204.137:49157 - 95.164.12.24:80 -ET TROJAN Win32/Zemot Config Download (sid:2018661)
• 2014-12-11 17:46:59 UTC - 192.168.204.137:49159 - 67.183.123.151:80 - ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon (sid:2018096)
• 2014-12-11 17:46:59 UTC - 67.183.123.151:80 - 192.168.204.137:49159 - ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon Acknowledgement (sid:2018097)
• 2014-12-11 17:47:53 UTC - 192.168.204.137:49165 - 37.25.102.37:80 - ET TROJAN W32/Asprox.ClickFraudBot POST CnC Beacon (sid:2018098)
• 2014-12-11 17:48:36 UTC - 70.32.94.46:8080 - 192.168.204.137:49173 - ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon Acknowledgement (sid:2018097)
• 2014-12-11 17:49:26 UTC - 192.168.204.137:49175 - 79.142.66.239:80 - ET TROJAN Simda.C Checkin (sid:2016300)
• 2014-12-11 17:50:59 UTC - 192.168.204.137:49194 - 37.221.168.59:80 - 37.221.168.59 - ET TROJAN Rerdom/Asprox CnC Beacon (sid:2019760)

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not including preprocessor rules):

• 2014-12-11 17:43:51 UTC - 192.168.204.137:49160 - 208.81.237.99:8080 - [1:32706:1] MALWARE-CNC Win.Trojan.Kuluoz variant outbound connection
• 2014-12-11 17:44:12 UTC - 77.123.108.4:80 - 192.168.204.137:49162 - [1:28809:3] MALWARE-CNC Win.Trojan.Dofoil outbound connection
• 2014-12-11 17:44:12 UTC - 77.123.108.4:80 - 192.168.204.137:49162 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
• 2014-12-11 17:46:59 UTC - 192.168.204.137:49159 - 67.183.123.151:80 - [1:29356:1] MALWARE-CNC Win.Trojan.Cidox variant outbound connection
• 2014-12-11 17:47:17 UTC - 192.168.204.137:various - 133.242.54.221:443 - [1:32706:1] MALWARE-CNC Win.Trojan.Kuluoz variant outbound connection
• 2014-12-11 17:47:49 UTC - 192.168.204.137:various - 37.25.102.37:80 - [1:29356:1] MALWARE-CNC Win.Trojan.Cidox variant outbound connection
• 2014-12-11 17:48:00 UTC - 192.168.204.137:various - 195.245.194.102:8080 - [1:29356:1] MALWARE-CNC Win.Trojan.Cidox variant outbound connection
• 2014-12-11 17:48:09 UTC - 192.168.204.137:various - 70.32.94.46:8080 - [1:29356:1] MALWARE-CNC Win.Trojan.Cidox variant outbound connection
• 2014-12-11 17:49:26 UTC - 192.168.204.137:49175 - 79.142.66.239:80 - [1:22937:5] MALWARE-CNC Win.Trojan.Proxyier variant outbound connection

 

PRELIMINARY MALWARE ANALYSIS

DOWNLOADED ZIP FILE:

File name:  FB_Password_Reset_Form.zip
File size:  89.4 KB ( 91532 bytes )
MD5 hash:  14e7aed0139942e33e9f072ed67ad455
Detection ratio:  7 / 49
First submission:  2014-12-11 18:15:38 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ea678b163e037bc7c6fcd8611908102ece6ee3d76709559d9330473edf1da220/analysis/

 

EXTRACTED MALWARE:

File name:  FB_Password_Reset_Form.exe
File size:  137.0 KB ( 140288 bytes )
MD5 hash:  d513bc67e078cd1bf8964e0abca63935
Detection ratio:  8 / 56
First submission:  2014-12-11 18:16:07 UTC
VirusTotal link:  https://www.virustotal.com/en/file/6cc8cd11080b3784377f3340b2eb8243bb7ee3a2650dbf2d46367365c4352f9c/analysis/
Malwr link:  https://malwr.com/analysis/ZWVmNDc1YmIwNjEyNDAxOWFhZDZiMzBiM2M4N2I4NDM/

 

DROPPED MALWARE FROM INFECTED VM - RERDOM:

File name:  UpdateFlashPlayer_d93020a4.exe
File size:  203.4 KB ( 208264 bytes )
MD5 hash:  818c1fa464e63fb2e588c0e447cb2baf
Detection ratio:  6 / 56
First submission:  2014-12-11 17:38:15 UTC
VirusTotal link:  https://www.virustotal.com/en/file/8b39a15f8a43ea17c77e3b535224ccb29632ec152bfc18e92c19984fd60107f8/analysis/
Malwr link:  https://malwr.com/analysis/ZDgwMzk2ZGFkNTVmNDlkY2EyMzNkZWM0YTU0ZGUyOWQ/
ZIP of pcap from Malwr's analysis:  2014-12-11-Asprox-dropped-malware-01.pcap.zip

Copy from the infected VM user's AppData\Local\Temp folder before it
deleted itself.

 

DROPPED MALWARE FROM INFECTED VM - SIMDA:

File name:  1563.tmp
File size:  640.0 KB ( 655360 bytes )
MD5 hash:  7a3d8b487b21ff7f63632964682dc9cb
Detection ratio:  7 / 56
First submission:  2014-12-11 18:19:06 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9c254302c8a1237af047633962fda6d55104cbd8e43fcd02221c7e2c42a0299a/analysis/
Malwr link:  https://malwr.com/analysis/OGZkZDNjMWJiODg0NDQ0ZGJkZjRjOWVjMGNlZTdjZTI/
ZIP of pcap from Malwr's analysis:  2014-12-11-Asprox-dropped-malware-02.pcap.zip

 

FINAL NOTES

Once again, here are the associated files:

• ZIP - CSV spreadsheet tracking the messages:  2014-12-11-Asprox-facebook-campaign-message-tracking.csv.zip
• ZIP - PCAP of VM infection from malware sample:  2014-12-11-Asprox-malware-run-on-a-VM.pcap.zip
• ZIP - associated malware (includes dropped Rerdom and Simda):  2014-12-11-malware-from-VM-infection-by-Asprox.zip
• ZIP - Sample Asprox email with headers (sanitized):  2014-12-11-Asprox-email-example-with-headers.txt.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.