Asprox botnet campaign shifts tactics, evades detection

FireEye researchers are tracking spikes in malicious emails attributed to an ongoing Asprox campaign.

The threat actors behind a new malicious email campaign that marshals the Asprox botnet are tweaking their malware's attributes to evade detection and shifting campaign tactics to lure victims, most recently launching court-themed phishing runs, according to a blog post by FireEye Labs.

After noticing a monthly uptick in malicious email that began late last year, FireEye researchers found on further investigation that with every email blast of the phishing campaign the Asprox operators changed the attack's attributes, using malware evasion methods that were “pioneered by stealthier APT attackers” and making it “difficult for anti-virus, IPS, firewalls and file-based sandboxes to keep up…”

Noting that Asprox is highly adaptive to change, Mary Grace Timcang, a malware researcher at FireEye, told SCMagazine.com in an email that “in recent weeks they have been very active” and have been “sending thousands of unique md5s through malicious email campaign runs,” indicating that “they have developed an evasion technique which causes a file ‘scanning bottleneck’ of traditional AV solutions.”

Researchers first observed Kuluoz, the spam component of the Asprox botnet, at the end of last year. Initially targeting a variety of industries across several countries, the campaign embedded a URL in the body of emails themed around airline tickets, postal services and license keys.

While many of those themes have persisted, the campaign's most successful phishing schemes have been built around court-notice and court-request emails, which deliver “a simple zipped email attachment that contains the malicious payload ‘exe’,” FireEye researchers wrote.

Once a victim runs the payload, it creates a hardcoded mutex, launches an svchost.exe process and injects its code into it. The injected code is unpacked in memory as a Dynamic-link library (DLL), and the DLL then writes a copy of itself to disk.
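The behaviour just described is a better detection hook than the file hash, which the operators change with every blast. The following added example (not FireEye's code and not part of the original article) runs a behavioural check over constructed, Sysmon-style process events: it flags an svchost.exe that was started by something other than services.exe, and a remote thread created in svchost.exe by code outside the Windows directory. The event field names mirror Sysmon Event ID 1 and Event ID 8; the file paths, PIDs and attachment name are invented for the sample.

```python
"""Behavioural check for the injection chain in the article: an svchost.exe
spawned by an unexpected parent that then receives a remote thread.
Added example over constructed Sysmon-style events; not FireEye's code."""
import json
import ntpath
from dataclasses import dataclass, field

# Assumption: only binaries under the Windows directory legitimately start or
# inject into svchost.exe, and services.exe is its only normal parent.
SYSTEM_DIR = "c:\\windows\\"
EXPECTED_SVCHOST_PARENTS = {"services.exe"}

# Constructed sample log (JSON lines). Paths, PIDs and the attachment name are
# invented; the shape follows Sysmon Event ID 1 (process create) and 8 (CreateRemoteThread).
SAMPLE_LOG = r"""
{"EventID": 1, "ProcessId": 812,  "Image": "C:\\Windows\\System32\\svchost.exe", "ParentProcessId": 600,  "ParentImage": "C:\\Windows\\System32\\services.exe"}
{"EventID": 1, "ProcessId": 4100, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\Court_Notice.exe", "ParentProcessId": 3980, "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\svchost.exe", "ParentProcessId": 4100, "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\Court_Notice.exe"}
{"EventID": 8, "SourceProcessId": 4100, "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\Court_Notice.exe", "TargetProcessId": 4120, "TargetImage": "C:\\Windows\\System32\\svchost.exe"}
{"EventID": 8, "SourceProcessId": 520,  "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetProcessId": 812, "TargetImage": "C:\\Windows\\System32\\svchost.exe"}
{"EventID": 1, "ProcessId": 5000, "Image": "C:\\Windows\\System32\\svchost.exe", "ParentProcessId": 4990, "ParentImage": "C:\\Users\\bob\\services.exe"}
"""


def parse_events(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _basename(path):
    return ntpath.basename(path).lower()


def _in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIR)


@dataclass
class Alert:
    pid: int
    reasons: list = field(default_factory=list)

    @property
    def severity(self):
        # Both signals on the same svchost.exe (odd parent and injection) is the
        # chain described in the article; either alone is weaker evidence.
        return "high" if len(self.reasons) >= 2 else "medium"


def detect(events):
    """Return alerts keyed by the svchost.exe PID, sorted by PID."""
    alerts = {}

    def flag(pid, reason):
        alerts.setdefault(pid, Alert(pid)).reasons.append(reason)

    for ev in events:
        eid = ev.get("EventID")
        if eid == 1 and _basename(ev["Image"]) == "svchost.exe":
            parent = ev["ParentImage"]
            # A binary merely named services.exe outside the Windows directory
            # (PID 5000 in the sample) fails the path check and is flagged too.
            if _basename(parent) not in EXPECTED_SVCHOST_PARENTS or not _in_system_dir(parent):
                flag(ev["ProcessId"], f"svchost.exe started by unexpected parent {parent}")
        elif eid == 8 and _basename(ev["TargetImage"]) == "svchost.exe":
            source = ev["SourceImage"]
            # csrss.exe creating a thread in svchost.exe is system-to-system; ignore it.
            if not _in_system_dir(source):
                flag(ev["TargetProcessId"], f"remote thread created by {source}")

    return sorted(alerts.values(), key=lambda a: a.pid)


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert.severity.upper(), alert.pid, "; ".join(alert.reasons))
```

Against the sample, the svchost.exe with PID 4120 is flagged high (spawned by the dropped attachment and then injected into), while PID 5000 is flagged medium for its look-alike parent. None of this depends on the sample's hash, which is the point: a campaign that ships thousands of unique MD5s per run defeats hash lookups but still has to perform the same parent-process and injection steps on every host.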
