
FireEye Says Cybercriminals Silently Adopt APT Techniques to Bypass Traditional Defenses

Security researchers at FireEye have cautioned that most email scammers are now employing the same stealthy techniques pioneered by APT (Advanced Persistent Threat) attackers to bypass conventional defenses, a disturbing development for the information security industry.

FireEye Labs has been tracking the Asprox botnet since late 2013. It uses the Kuluoz malware to infect systems and exfiltrate sensitive data from a range of targets.

The group behind the campaign has been observed sending up to ten thousand emails a day during an outbreak, and it constantly changes the way the malware is delivered to evade conventional antivirus, IPS, file-based sandboxes and firewalls.

The gang has altered the malware's "hardcoded strings, remote access commands and encryption keys" and has also started sending malicious attachments instead of malicious URLs in its phishing emails, varying the content to raise the infection rate.

The moment a victim falls for the phishing or spam message and opens the tainted attachment, the malware is injected into a running process. Soon after, backdoor connections are opened to the C&C servers and data from the compromised systems is sent to the attackers in encrypted form.

Previously, Asprox campaigns used lures ranging from airline tickets to USPS (United States Postal Service) spam; the attackers have now moved to court-themed emails. Victims are receiving fake notifications about warrants, court appearances, hearing dates and pre-trial notices.

And they appear to be working well.

Alarmingly, activity surged at the end of May 2014, when Asprox was the most active of the cybercriminal threats observed by FireEye (CryptoLocker, Sality, Mariposa, H-worm and TDSS).

The campaign has been seen targeting mainly the US, Canada, the UK, Saudi Arabia, France, Japan and South Korea.

Softpedia.com reported on 17 June 2014 that FireEye concluded: "every malicious email campaign of the Asprox botnet changes the method of enticing victims and the C2 domains, along with technical details, once a month, and with every improvement traditional security methods find it more difficult to detect this type of malware."

» SPAMfighter News - 6/26/2014
