Asprox botnet campaign shifts tactics, evades detection

FireEye researchers are tracking spikes in malicious emails attributed to an ongoing Asprox campaign.

Threat actors behind a new malicious email campaign that marshals the Asprox botnet tweak their malware attributes to evade detection and shift campaign tactics to lure victims, most recently launching court-themed phishing campaigns, according to a blog by FireEye Labs.

After detecting a monthly uptick in malicious email starting late last year, FireEye researchers discovered on further investigation that with every email blast of a phishing campaign employing the Asprox botnet, miscreants changed the attack attributes, using malware evasion methods that were “pioneered by stealthier APT attackers” and making it “difficult for anti-virus, IPS, firewalls and file-based sandboxes to keep up…”

Noting that Asprox is highly adaptive to change, Mary Grace Timcang, a malware researcher at FireEye, told SCMagazine.com in an email correspondence that “in recent weeks they have been very active” and have been “sending thousands of unique md5s through malicious email campaign runs,” indicating that “they have developed an evasion technique which causes a file ‘scanning bottleneck’ of traditional AV solutions.”

Researchers first discovered malware called Kuluoz, which is the spam component of the Asprox botnet, at the end of last year. Initially targeting a variety of industries in several companies, the campaign included a URL link in the body of emails focused on airline tickets, postal services and license keys.

While many of those themes have remained the same, ongoing attacks have launched their most successful phishing schemes around court notice and court-requested emails, using “a simple zipped email attachment that contains the malicious payload ‘exe,’” FireEye researchers wrote.

After a victim executes the payload, it creates a hardcoded mutex, launches an svchost.exe process and injects its code into that process. The injected code is loaded into memory and unpacked as a dynamic-link library (DLL), which then creates a copy of itself.
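The behaviour just described, a dropped executable launching svchost.exe and injecting into it, leaves a process-tree artifact that endpoint telemetry can catch even when the file hash changes with every email blast. The following detection pass is an added example written for this article; it is not FireEye's code or part of the original report. It runs over constructed, Sysmon-style process-creation events (not real logs) and flags two things: an svchost.exe whose parent is not services.exe, and a System32 binary spawned by a parent living under a user profile directory. The event layout, file names and function names are assumptions made for the example.

```python
"""Hypothetical process-tree detection for the Asprox/Kuluoz launch pattern.

On a normal Windows host svchost.exe is started by services.exe. A user-mode
dropper starting its own svchost.exe to inject into breaks that parent/child
relationship, which is independent of the payload's (constantly changing) hash.
"""
import csv
import io
from typing import Dict, List, Tuple

# Constructed sample events (not real telemetry). Columns mimic the fields a
# process-creation event source such as Sysmon Event ID 1 would provide.
SAMPLE_EVENTS = """pid,image,parent_image,user
812,C:\\Windows\\System32\\services.exe,C:\\Windows\\System32\\wininit.exe,SYSTEM
1040,C:\\Windows\\System32\\svchost.exe,C:\\Windows\\System32\\services.exe,SYSTEM
3372,C:\\Users\\alice\\Downloads\\Court_Notice.exe,C:\\Windows\\explorer.exe,alice
3388,C:\\Windows\\System32\\svchost.exe,C:\\Users\\alice\\Downloads\\Court_Notice.exe,alice
4100,C:\\Windows\\explorer.exe,C:\\Windows\\System32\\userinit.exe,alice
"""

EXPECTED_SVCHOST_PARENT = "services.exe"


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse CSV process-creation events into a list of dicts."""
    return [{k: v.strip() for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(text))]


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def svchost_parent_anomaly(ev: Dict[str, str]) -> bool:
    """svchost.exe spawned by anything other than services.exe."""
    return (basename(ev["image"]) == "svchost.exe"
            and basename(ev["parent_image"]) != EXPECTED_SVCHOST_PARENT)


def system_binary_from_user_parent(ev: Dict[str, str]) -> bool:
    """A System32 binary whose parent executable lives under C:\\Users\\."""
    image = ev["image"].lower()
    parent = ev["parent_image"].lower()
    return "\\windows\\system32\\" in image and "\\users\\" in parent


def find_suspicious(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (pid, reasons) for every event that trips at least one check."""
    hits = []
    for ev in events:
        reasons = []
        if svchost_parent_anomaly(ev):
            reasons.append("svchost.exe parent is not services.exe")
        if system_binary_from_user_parent(ev):
            reasons.append("System32 binary launched from a user-profile parent")
        if reasons:
            hits.append((ev["pid"], reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in find_suspicious(parse_events(SAMPLE_EVENTS)):
        print(f"pid {pid}: " + "; ".join(reasons))
```

Only the svchost.exe launched by the dropper (pid 3388) is reported; the legitimate services.exe-spawned svchost.exe and the dropper's own creation by explorer.exe are not. The first rule alone has known benign exceptions on real hosts (some installers and debugging tools spawn svchost.exe), so in production it belongs in a scoring or allow-list scheme rather than as a hard block.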
