Today we're seeing another malicious offering from the Asprox botnet, a botnet that has come roaring back to life as of late. Asprox had not been known for being quite this tenacious in the past, that is until the author of the formerly most widely used exploit toolkit, Blackhole, was arrested back in October. Since then, customers of Blackhole jumped ship out of concern that continued use of the toolkit would lead authorities right to their doorsteps. In order to maintain business continuity, spammers and malware authors had no choice but to turn to other alternatives. It would certainly appear that this sudden lull in business created an opportunity for the Asprox botnet, first discovered around 2007, to make a major move.
Today's ploy poses as an invitation to attend a funeral on Thursday Jan. 22nd 2014, which happens to be rather short notice considering it's tomorrow. It also doesn't mention anywhere in the invitation who has deceased, just the time date and fictitious funeral home Eubank Funeral Home & Cremation Services for which it doesn't provide an address or even a general hint as to where it's located. For the rest of these seemingly critical details, the recipient is given a link. Of course this link doesn't supply these details, but instead reaches out to any one of hundreds of possible sites that are hosting the malicious payload. A lot of these sites in the past have had the ability to limit IPs to a single visit. If the same IP tries to connect to the malicious site more than once it simply returns a 404 not found error thereby limiting the effectiveness of researchers. It would also discern between the different browsers that would visit the malicious site to determine whether or not to serve up the malware or the 404 page. Currently though I am having no problem getting malicious samples from any of these pages.
As has also been the case in the past, the malicious host utilizes IP geolocation to customize the malicious payload to appear to be local to the recipient. The file that I receive is named "FuneralCeremony_Gulf_Breeze_32561.zip" which is the city and zip code that I am currently in.
Once the victim is infected, the malware goes to work by injecting itself into running processes to avoid detection, adds itself to startup areas, checks to see if it is running in a debugger, and attempts to disable SafeBoot to make sure it doesn't go anywhere. After all of the initial formalities the malware invites all of its other friends to the party and they start going through all of the victim's things stealing things like browsing histories and cookies, account credentials and passwords and whatever else that catches their attention.
Some of the past Asprox campaigns from this month have included fake notifications from Walmart, Best Buy, Costco and a few different Utility companies masquerading as a monthly statement.