Asprox botnet campaign shifts tactics, evades detection

FireEye researchers are tracking spikes in malicious emails attributed to an ongoing Asprox campaign.

Threat actors behind a new malicious email campaign that marshals the Asprox botnet tweak their malware's attributes to evade detection and shift campaign tactics to lure victims, most recently launching court-themed phishing campaigns, according to a blog by FireEye Labs.

After detecting a monthly uptick in malicious email starting late last year, FireEye researchers discovered on further investigation that with every email blast of a phishing campaign employing the Asprox botnet, miscreants changed the attack attributes, using malware evasion methods that were “pioneered by stealthier APT attackers” and making it “difficult for anti-virus, IPS, firewalls and file-based sandboxes to keep up…”

Noting that Asprox is highly adaptive to change, Mary Grace Timcang, a malware researcher at FireEye, said in an email correspondence that “in recent weeks they have been very active” and have been “sending thousands of unique md5s through malicious email campaign runs,” indicating that “they have developed an evasion technique which causes a file ‘scanning bottleneck’ of traditional AV solutions.”

Researchers first discovered the malware called Kuluoz, the spam component of the Asprox botnet, at the end of last year. Initially targeting a variety of industries in several companies, the campaign included a URL link in the body of emails themed around airline tickets, postal services and license keys.

While many of those themes have remained the same, the ongoing attacks have launched their most successful phishing schemes around court notice and court-requested emails, using “a simple zipped email attachment that contains the malicious payload ‘exe,’” FireEye researchers wrote.

After a victim executes the payload, the malware uses a hardcoded mutex, launches an svchost.exe process and injects its code into it. The injected code is loaded into memory and unpacked as a dynamic-link library (DLL), which then creates a copy of itself.
