Threats, Malware

Asprox botnet campaign shifts tactics, evades detection

June 24, 2014

Threat actors behind a new malicious email campaign that marshals the Asprox botnet, tweak their malware attributes to evade detection and shift campaign tactics to lure victims, most recently launching court-themed phishing campaigns, according to a blog by FireEye Labs.

After detecting a monthly uptick in malicious email starting late last year, FireEye researchers discovered on further investigation that with every email blast of a phishing campaign employing the Asprox botnet, miscreants changed the attack attributes, using malware evasion methods that were “pioneered by stealthier APT attackers” and making it “difficult for anti-virus, IPS, firewalls and file-based sandboxes to keep up…”

Noting that Asprox is highly adaptive to change, Mary Grace Timcang, a malware researcher at FireEye, told SCMagazine.com in an email correspondence, that “in recent weeks they have been very active” and have been “sending thousands of unique md5s through malicious email campaign runs” indicating that "they have developed an evasion technique which causes a file ‘scanning bottleneck' of traditional AV solutions.”

Researchers first discovered malware called Kuluoz, which is the spam component of the Asprox botnet, at the end of last year. Initially targeting a variety of industries in several companies, the campaign included a URL link in the body of emails focused on airline tickets, postal services and license keys.

While many of those themes have remained the same, ongoing attacks have launched its most successful phishing schemes around court notice and court-requested emails, using “a simple zipped email attachment that contains the malicious payload ‘exe,'' FireEye researchers wrote. 

After a victim executes the payload, using a hardcoded mutex it launches an svchost.exe process, then injects its code into it. The code is loaded into memory then unpacked as a Dynamic-link library (DLL). The DLL creates a copy of itself.

According to the FireEye blog, “the process will first check itself in the startup registry key, so a compromised endpoint will have a registry populated with the executable.

The malware communicates with a command and control node through a variety of encryption techniques, via an RSA-encrypted SSL session using Microsoft Base Cryptographic Provider. The payloads are RC4-encrypted and use a hardcoded public key.

Researchers noted that attackers used separate sets of C2 nodes for the two large-scale campaigns tracked in April and May.  

FireEye expects to see other operators to follow suit with email campaigns that can circumvent traditional defenses.

“Evasion techniques developed by cyber criminals indicate that they are doing their research on traditional defense techniques security solution providers have,” Timcang said. “This means difficulty for these traditional techniques to keep up with new, well-researched attacks and protect users from compromise and infection.”

prestitial ad