A new spam campaign has emerged in support of the Asprox botnet. The scheme involves shipping receipt emails that contain malicious links and purport to come from the United States Postal Service (USPS).
Anyone who receives one of these emails and clicks on the link therein will have a zip file downloaded onto their machine, according to a Zscaler report. After a user downloads the zip file, it shows up as a seemingly legitimate Word document on the Windows desktop. That file is in fact an executable; the user is infected only once it is opened.
Researchers from the security firm StopMalvertising analyzed Asprox – also known as Kulouz – in November. They found that the strain of malware began as a password-stealing botnet, but has since evolved to where its primary purpose is to launch automated SQL injection attacks. Asprox, they say, is notorious for spoofing shipping companies like the United Parcel Service and FedEx.
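The lure relies on a file that looks like a Word document but is really a Windows executable (a double extension such as .doc.exe, or an MZ-headed file under a .doc name with extensions hidden). The following added example, not part of the Threatpost article or the Zscaler report, shows how a mail gateway or analyst script can triage a zip attachment for that masquerade: it checks each member's extension chain and compares the first bytes against the PE magic. The archive contents and file names are constructed for the example.

```python
import io
import zipfile

# Extensions that Windows will execute directly when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a shipping-receipt lure typically imitates.
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".rtf", ".txt"}


def _exts(name: str):
    """Lowercase extension chain of a member name, e.g. 'a.doc.exe' -> ['.doc', '.exe']."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]]


def inspect_zip_member(name: str, head: bytes) -> list:
    """Return a list of findings for one member given its name and first bytes."""
    findings = []
    exts = _exts(name)
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXTS:
        findings.append("executable extension %s" % last)
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last in EXECUTABLE_EXTS:
        findings.append("double extension masquerading as a document")
    # A PE file starts with the 'MZ' DOS header regardless of what it is named.
    if head[:2] == b"MZ" and last not in EXECUTABLE_EXTS:
        findings.append("PE header (MZ) under a non-executable name")
    return findings


def inspect_zip(data: bytes) -> dict:
    """Map each member name to its findings; an empty list means nothing suspicious."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(64)
            report[info.filename] = inspect_zip_member(info.filename, head)
    return report


def build_sample_zip() -> bytes:
    # Constructed sample: a fake PE (MZ magic only, no real code) stored under a
    # Word-document-looking name, next to a harmless text file.
    fake_pe = b"MZ" + b"\x90" * 62 + b"fake PE body, constructed for the example"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("USPS_Shipping_Receipt.doc.exe", fake_pe)
        zf.writestr("Shipping_Receipt.doc", fake_pe)  # extension hidden entirely
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in inspect_zip(build_sample_zip()).items():
        print(member, "->", findings or "clean")
```

Reading only the first 64 bytes keeps the check cheap enough to run on every attachment; the header test matters most on systems that hide known extensions, where the double-extension check alone would miss a bare .doc name.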
Asprox is not new, with references to it on Threatpost dating back as far as 2009.
As of Zscaler's publication, the threat was scoring a fairly dangerous 4/52 on VirusTotal, meaning only 4 of 52 engines detected it. At the time of our publication, the detection engines appear to have taken notice, and the threat is now scoring a less potent 27/52.
According to the report, the malware copies itself into an infected user's Local Application Data folder before creating an autostart entry to ensure that the infection persists across restarts.
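A copy dropped under the user's profile plus an autostart entry is a pattern a defender can audit for directly. The following is an added example, not code from the article or from Zscaler: it parses Run-key command lines, extracts the program path, and flags any autostart whose executable lives in a user-writable profile directory such as Local Application Data. On Windows it reads the real Run keys through the standard library's winreg module; elsewhere it falls back to the constructed sample entries shown. Paths, value names and the sample user name are constructed.

```python
import ntpath
import os
import sys

# Registry locations (under HKCU and HKLM) that start programs at logon.
RUN_KEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
]


def executable_from_command(cmd: str) -> str:
    """Program path from a Run-key command line: '"C:\\x.exe" /arg' or 'C:\\x.exe /arg'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def is_user_writable_location(path: str, user_dirs) -> bool:
    """True if path sits under one of user_dirs (Windows path rules, case-insensitive)."""
    norm = ntpath.normcase(ntpath.normpath(path))
    return any(norm.startswith(ntpath.normcase(ntpath.normpath(d)) + ntpath.sep)
               for d in user_dirs)


def audit_run_entries(entries, user_dirs):
    """entries: iterable of (key_path, value_name, command). Returns the flagged ones."""
    flagged = []
    for key_path, name, cmd in entries:
        exe = executable_from_command(cmd)
        if is_user_writable_location(exe, user_dirs):
            flagged.append({"key": key_path, "name": name, "exe": exe,
                            "reason": "autostart points into a user-writable profile directory"})
    return flagged


def collect_run_entries_windows():
    """Live collection of Run/RunOnce values; only usable on Windows (needs winreg)."""
    import winreg
    out = []
    for hive, hive_name in ((winreg.HKEY_CURRENT_USER, "HKCU"), (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        for sub in RUN_KEYS:
            try:
                with winreg.OpenKey(hive, sub) as key:
                    i = 0
                    while True:
                        try:
                            name, value, _ = winreg.EnumValue(key, i)
                        except OSError:
                            break
                        out.append((hive_name + "\\" + sub, name, str(value)))
                        i += 1
            except OSError:
                continue
    return out


# Constructed sample entries: one legitimate vendor autostart, two profile-directory drops.
SAMPLE_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r'"C:\Users\alice\AppData\Local\xkzqwe.exe"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Helper",
     r'C:\Users\alice\AppData\Local\Temp\svc.exe -s'),
]
SAMPLE_USER_DIRS = [r"C:\Users\alice\AppData\Local", r"C:\Users\alice\AppData\Roaming"]


if __name__ == "__main__":
    entries = collect_run_entries_windows() if sys.platform == "win32" else SAMPLE_ENTRIES
    user_dirs = [os.environ[v] for v in ("LOCALAPPDATA", "APPDATA") if v in os.environ] or SAMPLE_USER_DIRS
    for hit in audit_run_entries(entries, user_dirs):
        print(hit)
```

Legitimate software does sometimes autostart from the profile (per-user installers do this), so the output is a triage list rather than a verdict; pairing each hit with the file's signature status and creation time is the usual next step.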
“The common factor across all of these dropped files is that they all POST bzip2 compressed data which is then encrypted with a 16-byte random RC4 key via HTTP as reported by StopMalvertising,” wrote Chris Mannon in the Zscaler analysis. “We’re seeing a growing number of attacks which utilize this method of phone home activity. The case of this Asprox threat phones home over ports 443 and 8080.”
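A body that is bzip2-compressed and then RC4-encrypted with a random key is, by construction, close to uniformly random, and it travels as plain HTTP rather than TLS even on port 443. Both properties are visible to network monitoring without knowing the key. The following added example (not from the article, Zscaler or StopMalvertising) reproduces that payload shape with a textbook RC4 and the standard library's bz2, then runs a simple entropy heuristic over two constructed requests: the beacon and an ordinary form POST. The host address, paths and entropy threshold are assumptions for the example.

```python
import bz2
import math
import random


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4, used only to reproduce the payload format described in the report."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed-then-encrypted data approaches the maximum of 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def split_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ", 1)[0].decode("ascii", "replace")
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().lower().decode("latin-1")] = v.strip().decode("latin-1")
    return method, headers, body


def analyze_post(raw: bytes, dst_port: int, threshold: float = 7.0) -> dict:
    """Flag cleartext HTTP on 443 and POST bodies whose entropy is too high for form data."""
    method, headers, body = split_http_request(raw)
    ent = shannon_entropy(body)
    reasons = []
    # A TLS record starts with 0x16 0x03; anything else on 443 is not TLS.
    if dst_port == 443 and not raw.startswith(b"\x16\x03"):
        reasons.append("cleartext HTTP on port 443")
    if method == "POST" and ent >= threshold:
        reasons.append("high-entropy POST body (%.2f bits/byte)" % ent)
        if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            reasons.append("form content-type but body is not form data")
    return {"method": method, "entropy": round(ent, 2),
            "suspicious": bool(reasons), "reasons": reasons}


def build_samples():
    """Constructed traffic: a beacon shaped like the report describes, and a benign form POST."""
    rng = random.Random(1234)  # seeded so the sample is reproducible
    key = bytes(rng.getrandbits(8) for _ in range(16))  # 16-byte random key, as in the report
    stolen = bytes(rng.getrandbits(8) for _ in range(1500))  # stand-in for collected data
    payload = rc4(key, bz2.compress(stolen))
    beacon = (b"POST /index.php HTTP/1.1\r\nHost: 203.0.113.10\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n"
              b"Content-Length: %d\r\n\r\n" % len(payload)) + payload
    form_body = b"tracking=9400111899223&zip=90210"
    form = (b"POST /track HTTP/1.1\r\nHost: 203.0.113.10\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: %d\r\n\r\n" % len(form_body)) + form_body
    return beacon, form


if __name__ == "__main__":
    beacon, form = build_samples()
    print("beacon on 443:", analyze_post(beacon, 443))
    print("beacon on 8080:", analyze_post(form, 8080))
    print("form on 80:", analyze_post(form, 80))
```

Entropy alone also fires on legitimate uploads of images or archives, so in practice the heuristic is scoped to small, periodic POSTs and combined with the port and content-type mismatches shown here rather than used on its own.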