Asprox Malware Borrowing Stealth from APT Campaigns

The Asprox botnet has evolved to include APT characteristics that help it evade detection by security software.

Cybercriminals and advanced attackers are freely borrowing from one another’s repertoires to great success.

The latest example involves spammers firing off up to a half-million email messages during limited campaign segments without triggering any detection alarms. Security company FireEye said the attackers have found a winning formula for evading detection in a tactic used by a number of APT campaigns: attack attributes are changed at a higher rate than IDS and other defenses can keep up with.

The campaigns, carried out by the Asprox botnet, were first spotted late last year and by the end of May were spiking noticeably.

“Since then, the threat actors have continuously tweaked the malware by changing its hardcoded strings, remote access commands, and encryption keys,” FireEye said in a report.

Conversely, APT campaigns carried out by nation states for the purposes of economic espionage or intelligence gathering have begun to rely on tactics used in commercial malware campaigns. In May 2013, advanced attacks against NGOs, technology companies and government agencies were spotted, and hints were found that the organizers had either borrowed or purchased commercial malware and propagation tools from the criminal underground.

The Asprox campaigns have a much wider reach, infecting victims in countries worldwide across varied industries. The most recent iteration spotted by FireEye had also moved from including links to malicious sites and malware downloads to embedding malicious code in attachments: a file pretending to be a Microsoft Office document, delivered inside a .zip archive.

Once the victim falls for the phishing or spam email and opens the infected attachment, the malware is injected into a process created by the attacker. Soon backdoor channels are opened to command and control servers and data is moved off machines in an encrypted format to the attackers.

Formerly, Asprox campaigns used themes that ranged from airline tickets to United States Postal Service spam. The attackers have moved off those themes to court-related emails. Victims are seeing phony notices for court appearances, warrants, hearing dates and pre-trial notices.

And it seems to be working.

“We saw about 6400 unique MD5s sent out on May 29th. That is a 16,000 percent increase in unique MD5s over the usual malicious email campaign we’d observed,” FireEye said. “Compared to other recent email campaigns, Asprox uses a volume of unique samples for its campaign.”
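The two details above, a lure posing as an Office document inside a .zip and thousands of unique MD5s per day, point at the same defender-side lesson: a hash blocklist keyed on the attachment is defeated by trivial per-recipient variation, while a check on what the archive member actually contains is not. The following Python is an added example written for this article, not code from FireEye or from the original report; the archive samples it scans are constructed in-line (an "MZ" header plus filler, not real malware), and the member names and magic-byte checks are assumptions about how such a check would be built rather than details taken from the page.

```python
import hashlib
import io
import zipfile

# Extensions the lure claims; the article's samples posed as Microsoft Office documents.
OFFICE_EXTENSIONS = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")
PE_MAGIC = b"MZ"                                   # Windows executable header
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # legacy .doc/.xls container
OOXML_MAGIC = b"PK\x03\x04"                        # .docx/.xlsx are zip containers
SUSPICIOUS = ("masquerading-executable", "executable")


def md5_of(data: bytes) -> str:
    """Hex MD5 of a whole attachment, the unit a hash blocklist works on."""
    return hashlib.md5(data).hexdigest()


def claims_office_document(name: str) -> bool:
    """True when the member's name ends in an Office extension (case-insensitive)."""
    return name.lower().endswith(OFFICE_EXTENSIONS)


def classify_member(name: str, head: bytes) -> str:
    """Verdict for one archive member from its name and its first bytes.

    The name is what the victim sees; the magic bytes are what would actually run.
    """
    if head.startswith(PE_MAGIC):
        return "masquerading-executable" if claims_office_document(name) else "executable"
    if claims_office_document(name) and not head.startswith((OLE_MAGIC, OOXML_MAGIC)):
        return "unexpected-content"
    return "benign"


def scan_zip_attachment(zip_bytes: bytes, md5_blocklist: set) -> dict:
    """Scan a .zip attachment both ways: hash lookup and per-member content check."""
    digest = md5_of(zip_bytes)
    members = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:      # read only the header bytes we need
                head = fh.read(8)
            members[info.filename] = classify_member(info.filename, head)
    return {
        "md5": digest,
        "hash_hit": digest in md5_blocklist,
        "members": members,
        "flagged": any(v in SUSPICIOUS for v in members.values()),
    }


def build_sample(member_name: str, payload: bytes) -> bytes:
    """Constructed test archive with a fixed timestamp so the bytes are deterministic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo(member_name, date_time=(2014, 5, 29, 0, 0, 0))
        zf.writestr(info, payload)
    return buf.getvalue()


# Constructed stand-ins, not real malware: an "MZ" header followed by filler. The two
# lure samples differ by a single trailing byte, which is enough to give each a new MD5.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-PROGRAM"
LURE_A = build_sample("Court_Hearing_Notice.doc", FAKE_PE + b"A")
LURE_B = build_sample("Court_Hearing_Notice.doc", FAKE_PE + b"B")
BENIGN = build_sample("Agenda.docx", OOXML_MAGIC + b"\x14\x00\x00\x00" + b"\x00" * 32)


def demo() -> dict:
    """Blocklist learned from sample A only; see which check still catches sample B."""
    blocklist = {md5_of(LURE_A)}
    return {
        "A": scan_zip_attachment(LURE_A, blocklist),
        "B": scan_zip_attachment(LURE_B, blocklist),
        "benign": scan_zip_attachment(BENIGN, blocklist),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, "hash_hit=%s flagged=%s members=%s"
              % (result["hash_hit"], result["flagged"], result["members"]))
```

Running it shows sample A caught by both checks, sample B missed by the blocklist but flagged by the content check, and the benign .docx passing both. The content check reads only eight bytes per member, so it costs about the same as the hash lookup while keying on the one thing the spammer cannot vary without breaking the lure: an executable has to start with an executable header.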

FireEye also said that the campaigns that kicked off in May and lasted into June were relying on a host of new command and control IP addresses. The malware includes commands to download additional code from a third-party site, apply code updates and registry modifications, and even remove itself, among others.

“The data reveals that each of the Asprox botnet’s malicious email campaigns changes its method of luring victims and C2 domains, as well as the technical details on monthly intervals,” FireEye said. “And, with each new improvement, it becomes more difficult for traditional security methods to detect certain types of malware.”
