Asprox botnet campaign shifts tactics, evades detection

Share this article:
Fraudsters have targeted gaming platform Steam by using man-in-the-browser style attacks.
FireEye researchers are tracking spikes in malicious emails attributed to an ongoing Asprox campaign.

Threat actors behind a new malicious email campaign that marshals the Asprox botnet, tweak their malware attributes to evade detection and shift campaign tactics to lure victims, most recently launching court-themed phishing campaigns, according to a blog by FireEye Labs.

After detecting a monthly uptick in malicious email starting late last year, FireEye researchers discovered on further investigation that with every email blast of a phishing campaign employing the Asprox botnet, miscreants changed the attack attributes, using malware evasion methods that were “pioneered by stealthier APT attackers” and making it “difficult for anti-virus, IPS, firewalls and file-based sandboxes to keep up…”

Noting that Asprox is highly adaptive to change, Mary Grace Timcang, a malware researcher at FireEye, told SCMagazine.com in an email correspondence, that “in recent weeks they have been very active” and have been “sending thousands of unique md5s through malicious email campaign runs” indicating that "they have developed an evasion technique which causes a file ‘scanning bottleneck' of traditional AV solutions.”

Researchers first discovered malware called Kuluoz, which is the spam component of the Asprox botnet, at the end of last year. Initially targeting a variety of industries in several companies, the campaign included a URL link in the body of emails focused on airline tickets, postal services and license keys.

While many of those themes have remained the same, ongoing attacks have launched its most successful phishing schemes around court notice and court-requested emails, using “a simple zipped email attachment that contains the malicious payload ‘exe,'' FireEye researchers wrote. 

After a victim executes the payload, using a hardcoded mutex it launches an svchost.exe process, then injects its code into it. The code is loaded into memory then unpacked as a Dynamic-link library (DLL). The DLL creates a copy of itself.

Page 1 of 2
Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Adobe exploit used to spread Dyre credential stealer

Adobe exploit used to spread Dyre credential stealer

Users running vulnerable Adobe software could be in danger of having credentials for Bitcoin websites stolen.

Staples is investigating a potential issue involving credit card data

Staples is investigating a potential issue involving credit ...

The company said it is investigating a potential issue involving credit card data and that customers are not responsible for fraudulent activity on cards if an issue is discovered.

Skills set a priority over legacy prejudices, experts say

Skills set a priority over legacy prejudices, experts ...

Cybersecurity expert Winn Schwartau and Robert Clark, a cyber law attorney at the Army Cyber Institute, discussed issues around hiring in the information security industry.