2014-12-11 - ASPROX BOTNET PHISHING CAMPAIGN - SUBJECT: FACEBOOK PASSWORD CHANGE
ASSOCIATED FILES:
- ZIP - CSV spreadsheet tracking the messages: 2014-12-11-Asprox-facebook-campaign-message-tracking.csv.zip
- ZIP - PCAP of VM infection from malware sample: 2014-12-11-Asprox-malware-run-on-a-VM.pcap.zip
- ZIP - associated malware (includes dropped Rerdom and Simda): 2014-12-11-malware-from-VM-infection-by-Asprox.zip
- ZIP - Sample Asprox email with headers (sanitized): 2014-12-11-Asprox-email-example-with-headers.txt.zip
NOTES:
- Techhelplist reported on this earlier today at: https://techhelplist.com/index.php/spam-list/694-facebook-password-change-asprox-malware-v2
- This blog entry is a follow-up that includes the emails I've found, malware samples, and traffic from an infected VM.
- Below are the emails I found with the subject line Facebook password change. Asprox has used other variations with the word "Facebook" in the subject line.
EXAMPLE OF THE EMAILS
SCREENSHOT:
MESSAGE TEXT:
Subject: Facebook password change
Date: Thu, 11 Dec 2014 12:43:19 UTC
From: Facebook <notification@gruasorion.com>
Reply-To: Facebook <notification@gruasorion.com>
To:
Hi,
Your Facebook password was been reset on Thursday, December 11, 2014 at 12:42PM (UTC) due to suspicious activity of your account.
Operating system: Windows
Browser: Google Chrome
IP address: [omitted]
Estimated location: Proctor, OK, US
To restore the password complete this form please, your request will be considered within 24 hours.
Thanks,
The Facebook Security Team
Facebook, Inc., Attention: Department 425, PO Box 10005, Palo Alto, CA 94303
NOTE: From what I can tell, Asprox uses random values for the OS, browser, IP, and estimated location. I omitted the IP address above, because some people scrape these blog entries for malicious IP addresses.
VM INFECTION TRAFFIC
DOWNLOADING THE ASPROX ZIP FILE:
- 2014-12-11 17:40:08 UTC - 208.88.133.116:80 - digest.sagepub.com - GET /template.php?fb=ZqxmdLEfXtVt+vSTgZPQr4HuNeYy0gaxNY+SHrKn3zM=
EXECUTING THE EXTRACTED MALWARE IN A VM:
- 2014-12-11 17:43:51 UTC - 192.168.204.137:49160 - 208.81.237.99:8080 - 208.81.237.99:8080 - POST /index.php
- 2014-12-11 17:44:10 UTC - 192.168.204.137:49161 - 67.183.123.151:80 - lifeprooffre.com - GET /catalog/789
- 2014-12-11 17:44:12 UTC - 192.168.204.137:49162 - 77.123.108.4:80 - adminaoffline.com - GET /datamousthoping/mod_smartslider2/
- 2014-12-11 17:46:50 UTC - 192.168.204.137:49157 - 95.164.12.24:80 - adminaoffline.com - GET /jshoppi/soft32.dll
- 2014-12-11 17:46:59 UTC - 192.168.204.137:49159 - 67.183.123.151:80 - linktohttps.com - GET /b/eve/d23e74dde53e536906ade2b3
- 2014-12-11 17:47:16 UTC - 192.168.204.137:49160 - 133.242.54.221:443 - POST /index.php
- 2014-12-11 17:47:49 UTC - 192.168.204.137:49165 - 37.25.102.37:80 - linktohttps.com - POST /b/opt/4C39DA050DB46D8E3AB44A3A
- 2014-12-11 17:47:54 UTC - 192.168.204.137:49166 - 37.25.102.37:80 - linktohttps.com - GET /b/letr/83149EADBA4F7EC88D4F597C
- 2014-12-11 17:47:59 UTC - 192.168.204.137:49167 - 37.25.102.37:80 - linktohttps.com - GET /b/letr/83149EADBA4F7EC88D4F597C
- 2014-12-11 17:48:00 UTC - 192.168.204.137:49168 - 195.245.194.102:8080 - 195.245.194.102:8080 - POST /b/opt/85B756550F56CC0B3856EBBF
- 2014-12-11 17:48:06 UTC - 192.168.204.137:49169 - 195.245.194.102:8080 - 195.245.194.102:8080 - GET /b/letr/385E5562C7E1145CF0E133E8
- 2014-12-11 17:48:09 UTC - 192.168.204.137:49170 - 70.32.94.46:8080 - 70.32.94.46:8080 - POST /b/opt/D00275A2D88326A7EF830113
- 2014-12-11 17:48:12 UTC - 192.168.204.137:49171 - 70.32.94.46:8080 - 70.32.94.46:8080 - POST /b/opt/A7E95B6D26206F1C112048A8
- 2014-12-11 17:48:31 UTC - 192.168.204.137:49172 - 70.32.94.46:8080 - 70.32.94.46:8080 - POST /b/req/A04533BCFDCAE120CACAC694
- 2014-12-11 17:48:34 UTC - 192.168.204.137:49173 - 70.32.94.46:8080 - 70.32.94.46:8080 - GET /b/eve/9ef85855a9f87fe16aef9187
- 2014-12-11 17:49:20 UTC - 192.168.204.137:49174 - 133.242.54.221:443 - POST /index.php
- 2014-12-11 17:49:26 UTC - 192.168.204.137:49175 - 79.142.66.239:80 - report.9i1q9ws7931yw3u7my1.com - GET /?EI9320=%96%9C%D4%[long string of characters]
- 2014-12-11 17:49:29 UTC - 192.168.204.137:49176 - 70.32.94.46:8080 - 70.32.94.46:8080 - POST /b/req/5F29E613C0CB0FD7F7CB2863
- 2014-12-11 17:49:34 UTC - 192.168.204.137:49177 - 70.32.94.46:8080 - 70.32.94.46:8080 - GET /b/eve/4b273de97c271a5da3f7f2d6
- 2014-12-11 17:50:31 UTC - 192.168.204.137:49178 - 70.32.94.46:8080 - 70.32.94.46:8080 - POST /b/req/2F0BE089032BC999342BEE2D
- 2014-12-11 17:50:47 UTC - 192.168.204.137:49179 - 70.32.94.46:8080 - 70.32.94.46:8080 - POST /b/req/BFCB8BC39FE7A71CA8E780A8
- 2014-12-11 17:50:59 UTC - 192.168.204.137:49194 - 37.221.168.59:80 - 37.221.168.59 - GET /b/pkg/T51405fc9a5jjao
CLICK FRAUD TRAFFIC FROM THE INFECTED VM BEGINS:
- 2014-12-11 17:50:49 UTC - 192.168.204.137:49182 - 46.161.41.220:80 - sheepdog-shop.com - GET /
- 2014-12-11 17:50:49 UTC - 192.168.204.137:49185 - 46.161.41.220:80 - perspectivism-new.com - GET /
- 2014-12-11 17:50:49 UTC - 192.168.204.137:49180 - 46.161.41.220:80 - mainnav-active.com - GET /
- 2014-12-11 17:50:49 UTC - 192.168.204.137:49184 - 46.161.41.220:80 - sheepdog-shop.com - GET /
- 2014-12-11 17:50:49 UTC - 192.168.204.137:49186 - 46.161.41.220:80 - jseradio.com - GET /
- 2014-12-11 17:50:49 UTC - 192.168.204.137:49181 - 46.161.41.220:80 - personal-stereo.com - GET /
- 2014-12-11 17:50:49 UTC - 192.168.204.137:49183 - 46.161.41.220:80 - perspectivism-new.com - GET /
- 2014-12-11 17:50:49 UTC - 192.168.204.137:49188 - 46.161.41.220:80 - darkblue-new.com - GET /
- 2014-12-11 17:50:49 UTC - 192.168.204.137:49187 - 46.161.41.220:80 - shimmer-lite.com - GET /
SNORT EVENTS
Emerging Threats and ETPRO rulesets from Sguil on Security Onion using Suricata (not including ET INFO or ET POLICY rules):
- 2014-12-11 17:40:11 UTC - 192.168.204.137:49158 - 208.88.133.116:80 - ET CURRENT_EVENTS Possible ASPROX Download URI Struct June 19 2014 (sid:2018589)
- 2014-12-11 17:44:06 UTC - 192.168.204.137:49160 - 208.81.237.99:8080 - ET TROJAN Kuluoz/Asprox Activity (sid:2017895)
- 2014-12-11 17:44:11 UTC - 192.168.204.137:49161 - 67.183.123.151:80 - ET TROJAN Win32/Zemot URI Struct (sid:2019458)
- 2014-12-11 17:44:11 UTC - 192.168.204.137:49161 - 67.183.123.151:80 - ETPRO TROJAN Win32/Zemot User-Agent (sid:2808499)
- 2014-12-11 17:44:12 UTC - 192.168.204.137:49162 - 77.123.108.4:80 - ET TROJAN Win32/Zemot Requesting PE (sid:2019759)
- 2014-12-11 17:44:12 UTC - 77.123.108.4:80 - 192.168.204.137:49162 - ET CURRENT_EVENTS Nuclear Exploit Kit exe.exe Payload (sid:2018914)
- 2014-12-11 17:44:12 UTC - 77.123.108.4:80 - 192.168.204.137:49162 - ET MALWARE Possible Windows executable sent when remote host claims to send a Text File (sid:2008438)
- 2014-12-11 17:46:50 UTC - 192.168.204.137:49157 - 95.164.12.24:80 -ET TROJAN Win32/Zemot Config Download (sid:2018661)
- 2014-12-11 17:46:59 UTC - 192.168.204.137:49159 - 67.183.123.151:80 - ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon (sid:2018096)
- 2014-12-11 17:46:59 UTC - 67.183.123.151:80 - 192.168.204.137:49159 - ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon Acknowledgement (sid:2018097)
- 2014-12-11 17:47:53 UTC - 192.168.204.137:49165 - 37.25.102.37:80 - ET TROJAN W32/Asprox.ClickFraudBot POST CnC Beacon (sid:2018098)
- 2014-12-11 17:48:36 UTC - 70.32.94.46:8080 - 192.168.204.137:49173 - ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon Acknowledgement (sid:2018097)
- 2014-12-11 17:49:26 UTC - 192.168.204.137:49175 - 79.142.66.239:80 - ET TROJAN Simda.C Checkin (sid:2016300)
- 2014-12-11 17:50:59 UTC - 192.168.204.137:49194 - 37.221.168.59:80 - 37.221.168.59 - ET TROJAN Rerdom/Asprox CnC Beacon (sid:2019760)
Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not including preprocessor rules):
- 2014-12-11 17:43:51 UTC - 192.168.204.137:49160 - 208.81.237.99:8080 - [1:32706:1] MALWARE-CNC Win.Trojan.Kuluoz variant outbound connection
- 2014-12-11 17:44:12 UTC - 77.123.108.4:80 - 192.168.204.137:49162 - [1:28809:3] MALWARE-CNC Win.Trojan.Dofoil outbound connection
- 2014-12-11 17:44:12 UTC - 77.123.108.4:80 - 192.168.204.137:49162 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
- 2014-12-11 17:46:59 UTC - 192.168.204.137:49159 - 67.183.123.151:80 - [1:29356:1] MALWARE-CNC Win.Trojan.Cidox variant outbound connection
- 2014-12-11 17:47:17 UTC - 192.168.204.137:various - 133.242.54.221:443 - [1:32706:1] MALWARE-CNC Win.Trojan.Kuluoz variant outbound connection
- 2014-12-11 17:47:49 UTC - 192.168.204.137:various - 37.25.102.37:80 - [1:29356:1] MALWARE-CNC Win.Trojan.Cidox variant outbound connection
- 2014-12-11 17:48:00 UTC - 192.168.204.137:various - 195.245.194.102:8080 - [1:29356:1] MALWARE-CNC Win.Trojan.Cidox variant outbound connection
- 2014-12-11 17:48:09 UTC - 192.168.204.137:various - 70.32.94.46:8080 - [1:29356:1] MALWARE-CNC Win.Trojan.Cidox variant outbound connection
- 2014-12-11 17:49:26 UTC - 192.168.204.137:49175 - 79.142.66.239:80 - [1:22937:5] MALWARE-CNC Win.Trojan.Proxyier variant outbound connection
PRELIMINARY MALWARE ANALYSIS
DOWNLOADED ZIP FILE:
File name: FB_Password_Reset_Form.zip
File size: 89.4 KB ( 91532 bytes )
MD5 hash: 14e7aed0139942e33e9f072ed67ad455
Detection ratio: 7 / 49
First submission: 2014-12-11 18:15:38 UTC
VirusTotal link: https://www.virustotal.com/en/file/ea678b163e037bc7c6fcd8611908102ece6ee3d76709559d9330473edf1da220/analysis/
EXTRACTED MALWARE:
File name: FB_Password_Reset_Form.exe
File size: 137.0 KB ( 140288 bytes )
MD5 hash: d513bc67e078cd1bf8964e0abca63935
Detection ratio: 8 / 56
First submission: 2014-12-11 18:16:07 UTC
VirusTotal link: https://www.virustotal.com/en/file/6cc8cd11080b3784377f3340b2eb8243bb7ee3a2650dbf2d46367365c4352f9c/analysis/
Malwr link: https://malwr.com/analysis/ZWVmNDc1YmIwNjEyNDAxOWFhZDZiMzBiM2M4N2I4NDM/
DROPPED MALWARE FROM INFECTED VM - RERDOM:
File name: UpdateFlashPlayer_d93020a4.exe
File size: 203.4 KB ( 208264 bytes )
MD5 hash: 818c1fa464e63fb2e588c0e447cb2baf
Detection ratio: 6 / 56
First submission: 2014-12-11 17:38:15 UTC
VirusTotal link: https://www.virustotal.com/en/file/8b39a15f8a43ea17c77e3b535224ccb29632ec152bfc18e92c19984fd60107f8/analysis/
Malwr link: https://malwr.com/analysis/ZDgwMzk2ZGFkNTVmNDlkY2EyMzNkZWM0YTU0ZGUyOWQ/
ZIP of pcap from Malwr's analysis: 2014-12-11-Asprox-dropped-malware-01.pcap.zip
Copy from the infected VM user's AppData\Local\Temp folder before it
deleted itself.
DROPPED MALWARE FROM INFECTED VM - SIMDA:
File name: 1563.tmp
File size: 640.0 KB ( 655360 bytes )
MD5 hash: 7a3d8b487b21ff7f63632964682dc9cb
Detection ratio: 7 / 56
First submission: 2014-12-11 18:19:06 UTC
VirusTotal link: https://www.virustotal.com/en/file/9c254302c8a1237af047633962fda6d55104cbd8e43fcd02221c7e2c42a0299a/analysis/
Malwr link: https://malwr.com/analysis/OGZkZDNjMWJiODg0NDQ0ZGJkZjRjOWVjMGNlZTdjZTI/
ZIP of pcap from Malwr's analysis: 2014-12-11-Asprox-dropped-malware-02.pcap.zip
FINAL NOTES
Once again, here are the associated files:
- ZIP - CSV spreadsheet tracking the messages: 2014-12-11-Asprox-facebook-campaign-message-tracking.csv.zip
- ZIP - PCAP of VM infection from malware sample: 2014-12-11-Asprox-malware-run-on-a-VM.pcap.zip
- ZIP - associated malware (includes dropped Rerdom and Simda): 2014-12-11-malware-from-VM-infection-by-Asprox.zip
- ZIP - Sample Asprox email with headers (sanitized): 2014-12-11-Asprox-email-example-with-headers.txt.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.