Security Firm Zscaler Observes Asprox Botnet Being Abused in Spam Campaign
Security firm Zscaler has analyzed and revealed a fresh spam email campaign backed by the Asprox botnet, in which the emails contain links to shipping receipts purporting to come from the United States Postal Service (USPS).
Zscaler's report says that anyone who receives one of these spam messages and clicks the embedded link will have a ZIP file downloaded to their machine. The downloaded ZIP file appears to contain a legitimate Word document, but it is actually an executable file which, when opened, infects the victim's machine with malware.
Chris Mannon, a Security Researcher at Zscaler, noted that the company's ThreatLabZ team is seeing a plethora of download locations that kick off the threat, but that the same author is clearly behind them all:
Infosecurity-magazine.com published a report on 2nd June, 2014, quoting Mannon as saying: "All links download a similar package - the common factor of all dropped files is that they all POST bzip2 compressed data which is then encrypted with a 16-byte random RC4 key via HTTP. We're seeing a growing number of attacks which utilize this method of phone home activity. The case of this Asprox threat phones home over ports 443 and 8080."
Security firm StopMalvertising analyzed Asprox, also known as Kuluoz, in November 2013, although the botnet has been around since 2008. They observed that the malware started out as a password-stealing botnet, but its main purpose is to launch automated SQL (Structured Query Language) injection attacks, and Asprox is infamous for spoofing shipping giants such as UPS (United Parcel Service) and FedEx.
According to Zscaler's publication, the Asprox sample was initially flagged by a dangerously low 4/52 engines on VirusTotal; by the time of publication the antivirus vendors appeared to have taken note, and the strain scored a less alarming 27/52.
Users should always be very careful before clicking any link that arrives by email. Mannon said that if a file is downloaded, "never trust an icon!" and "Check the 'right click > properties' (function) to see the true extension."
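Mannon's advice (check the true extension, never trust the icon) can be applied automatically to a ZIP attachment before anyone opens it. The following is an added example, not code from Zscaler or the article: it inspects each archive member for an executable extension hidden behind a document-like name and for the 'MZ' header that marks a Windows executable regardless of its name. The sample archive, including the file names, is constructed here for illustration.

```python
import io
import zipfile

# Extensions Windows will run directly; a "receipt.doc.exe" shows as
# "receipt.doc" when known extensions are hidden, which is the trick
# the Asprox lure relies on.
EXE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def classify_member(name: str, head: bytes) -> str:
    """Return 'suspicious' when a member's name or content indicates an
    executable masquerading as a document, otherwise 'ok'."""
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    exts = ["." + p for p in parts[1:]]          # all extensions, in order
    if exts and exts[-1] in EXE_EXTENSIONS:      # true (last) extension is executable
        return "suspicious"
    if head[:2] == b"MZ":                        # PE/DOS header: an executable whatever it is called
        return "suspicious"
    return "ok"


def scan_zip(data: bytes) -> dict:
    """Map every file in the archive to its verdict, reading only the first
    bytes of each member so large archives stay cheap to scan."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(64)
            findings[info.filename] = classify_member(info.filename, head)
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive (not a real Asprox dropper): one harmless
    text file, one double-extension executable, one executable with a
    document extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "shipping notice")
        zf.writestr("USPS_Receipt.doc.exe", b"MZ" + b"\x90" * 62)
        zf.writestr("Label.pdf", b"MZ" + b"\x00" * 30)
    return buf.getvalue()


if __name__ == "__main__":
    for filename, verdict in scan_zip(build_sample_zip()).items():
        print(f"{verdict:10s} {filename}")
```

The 'MZ' check catches the case the extension check misses: a renamed executable cannot hide its header even when the file name claims to be a PDF or Word document.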
» SPAMfighter News - 10-06-2014