AppRiver have identified a rather tasteless malicious offering from the Asprox botnet, a botnet that has come roaring back to life as of late.
In his recent blog, Fred Touchette confirmed that Asprox had not been known for being quite this tenacious in the past – that is until the author of the formerly most widely used exploit toolkit, Blackhole, was arrested back in October. Since then, customers of Blackhole jumped ship out of concern that continued use of the toolkit would lead authorities right to their doorsteps. In order to maintain business continuity, spammers and malware authors had no choice but to turn to other alternatives. It would certainly appear that this sudden lull in business created an opportunity for the Asprox botnet, first discovered around 2007, to make a major move.
Talking about this current campaign, Fred says, “The ploy poses as an invitation to attend a funeral on Thursday Jan. 22nd 2014, which happens to be rather short notice. It also doesn’t mention anywhere in the invitation who has deceased, just the time, date and fictitious funeral home Eubank Funeral Home & Cremation Services for which it doesn’t provide an address or even a general hint as to where it’s located. For the rest of these seemingly critical details, the recipient is given a link. Of course this link doesn’t supply these details, but instead reaches out to any one of hundreds of possible sites that are hosting the malicious payload. A lot of these sites in the past have had the ability to limit IPs to a single visit. If the same IP tries to connect to the malicious site more than once it simply returns a 404 not found error thereby limiting the effectiveness of researchers. It would also discern between the different browsers that would visit the malicious site to determine whether or not to serve up the malware or the 404 page.”
To add to the devious nature of this campaign, the malicious host utilizes IP geolocation to customize the malicious payload to appear to be local to the recipient. As an example, the file Fred received was named “FuneralCeremony_Gulf_Breeze_32561.zip” which is the city and zip code that he is currently in.
Fred continues, “Once the victim is infected, the malware goes to work by injecting itself into running processes to avoid detection, adds itself to startup areas, checks to see if it is running in a debugger, and attempts to disable SafeBoot to make sure it doesn’t go anywhere. After all of the initial formalities the malware invites all of its other friends to the party and they start going through all of the victim’s things stealing things like browsing histories and cookies, account credentials and passwords and whatever else that catches their attention.”