Scheduled Home Delivery Problem - Asprox Malware


Email:

A fake Walmart, Costco, or Best Buy email claims your order delivery has failed because the address was not specified correctly, and links to a form you are told to fill out.

The link goes to a malware download on a compromised website.

This is the Asprox botnet getting back to its roots: compromised servers, links instead of attachments, user-agent detection, and not spamming from the desktop like some Cutwail wannabe.


Subject: Scheduled Home Delivery Problem

Subject: Standard Delivery Failure

[ Wallmart ] [Walmart Logo]
[ Save money. Live better. ]

Sir/Madam,

Your order WM-007468202 delivery has failed because the address was not specified
correctly. You are advised to fill this form and send it back to us.

If your reply is not received within one week, you will be paid your money back but
17% will be deducted since you order was booked for Christmas holidays.

2013 Wal-Mart Stores, Inc.

::DISCLAIMER::
------------------------------------------------------------------------------
The contents of this e-mail and any attachment(s) are confidential and intended
for the named recipient(s) only. E-mail transmission is not guaranteed to be secure
or error-free as information could be intercepted, corrupted, lost, destroyed, arrive
late or incomplete, or may contain viruses in transmission. The e mail and its contents
(with or without referred errors) shall therefore not attach any liability on the
originator or HCL or its affiliates. ... blah blah blah
------------------------------------------------------------------------------

Picture of fake Walmart email about failed delivery with link to malware download.

Subject: Scheduled Home Delivery Problem

[BEST BUY LOGO]
My Besy Buy ID: 001646092
Reward certificate(s) available.

Sir/Madam,

Your order BBY-1324392348 has not been delivered because the specified address was not correct.
Please fill this form and send it back with your reply to this message.

If we do not receive your reply within a week we will pay your money back less 17% because
your order was reserved for the time of Christmas holidays.
Best Buy 7601 Penn Avenue South, Richfield, MN 50696-8178
All trademarks or trade names are properties of their respective owners.
2013 BBY Solutions, Inc. All rights reserved.

Picture of fake Best Buy delivery problem malware email.


Header Examples:

Nothing in particular is spoofed yet: the From address is whatever account or server the mail was sent through, and only the display name ("Walmart Delivery Agent", "Best Buy Shipping Agent") claims to be the retailer.

Received: from GWS06.hcl.com [203.105.185.25]
X-Envelope-From: guruprasad.nayak @hcl.com
From: Walmart Delivery Agent <guruprasad.nayak @hcl.com>
Subject: Scheduled Home Delivery Problem

Received: from varadero2.mxwh.net [184.171.246.117]
X-Envelope-From: amirandae @indetec.gob.mx
From: Walmart Delivery Agent <amirandae @indetec.gob.mx>
Subject: Scheduled Home Delivery Problem

Received: from mail.deskmedia.com [199.199.151.58]
X-Envelope-From: petengerry @smig.net
From: Walmart Delivery Agent <petengerry @smig.net>
Subject: Special Order Delivery Problem

Received: from smtp181.dfw.emailsrvr.com [67.192.241.181]
X-Envelope-From: scrossman @washingtonautomall.net
From: Walmart Delivery Agent <scrossman @washingtonautomall.net>
Subject: Standard Delivery Failure

Received: from server.1printer-supply.com [67.222.141.170]
X-Envelope-From: maszek @server.1printer-supply.com
Subject: Scheduled Home Delivery Problem
From: "Best Buy Shipping Agent" <BestBuyInfo @miamistoneinstallers.com>
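One way to turn the header samples above into a filter check, written as an added example for this article (not a THL tool): parse each header block, pull the display name and address out of From, and flag the message when the display name claims a retailer the sender domain does not belong to. The five header blocks are the article's own with the defanging space before the "@" removed; the list of domains allowed to send as each retailer is an assumption for illustration, and a real filter would use the retailers' published SPF/DMARC domains.

```python
"""Flag delivery-themed spam whose From display name claims a retailer that
the sending domain has nothing to do with.  Added example for this article."""
import re
from email import message_from_string
from email.utils import parseaddr

# Retailer name as it may appear in a display name -> domains allowed to send as it.
# Assumed list for illustration, not from the article.
RETAILER_DOMAINS = {
    "walmart": ("walmart.com", "wal-mart.com"),
    "best buy": ("bestbuy.com",),
    "costco": ("costco.com",),
}
# Subject lines seen in this campaign (from the article's header samples)
CAMPAIGN_SUBJECT = re.compile(
    r"(scheduled home|special order|standard) delivery (problem|failure)", re.I)

# The article's header samples, with the defanging space before '@' removed
SAMPLE_HEADERS = [
    "Received: from GWS06.hcl.com [203.105.185.25]\n"
    "X-Envelope-From: guruprasad.nayak@hcl.com\n"
    "From: Walmart Delivery Agent <guruprasad.nayak@hcl.com>\n"
    "Subject: Scheduled Home Delivery Problem\n",
    "Received: from varadero2.mxwh.net [184.171.246.117]\n"
    "X-Envelope-From: amirandae@indetec.gob.mx\n"
    "From: Walmart Delivery Agent <amirandae@indetec.gob.mx>\n"
    "Subject: Scheduled Home Delivery Problem\n",
    "Received: from mail.deskmedia.com [199.199.151.58]\n"
    "X-Envelope-From: petengerry@smig.net\n"
    "From: Walmart Delivery Agent <petengerry@smig.net>\n"
    "Subject: Special Order Delivery Problem\n",
    "Received: from smtp181.dfw.emailsrvr.com [67.192.241.181]\n"
    "X-Envelope-From: scrossman@washingtonautomall.net\n"
    "From: Walmart Delivery Agent <scrossman@washingtonautomall.net>\n"
    "Subject: Standard Delivery Failure\n",
    "Received: from server.1printer-supply.com [67.222.141.170]\n"
    "X-Envelope-From: maszek@server.1printer-supply.com\n"
    "Subject: Scheduled Home Delivery Problem\n"
    'From: "Best Buy Shipping Agent" <BestBuyInfo@miamistoneinstallers.com>\n',
]


def _domain_allowed(domain: str, allowed: tuple) -> bool:
    """Exact or subdomain match only, so 'notwalmart.com' does not pass as walmart.com."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def flag_header_block(raw_headers: str) -> dict:
    """Return the sender, the retailer the display name claims, and the reasons the
    message looks like this campaign.  'flagged' is set only on the strong signal:
    a retailer name in the display name with a sender domain that is not theirs."""
    msg = message_from_string(raw_headers)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    claimed = next((r for r in RETAILER_DOMAINS if r in display.lower()), None)
    mismatch = bool(claimed) and not _domain_allowed(domain, RETAILER_DOMAINS[claimed])
    reasons = []
    if mismatch:
        reasons.append(f"display name claims {claimed!r} but sender domain is {domain!r}")
    if CAMPAIGN_SUBJECT.search(msg.get("Subject", "")):
        reasons.append("known campaign subject line")
    envelope = msg.get("X-Envelope-From", "").strip().lower()
    if envelope and envelope != addr.lower():
        reasons.append("envelope sender differs from From address")
    return {"from": addr, "claimed": claimed, "reasons": reasons, "flagged": mismatch}


if __name__ == "__main__":
    for block in SAMPLE_HEADERS:
        result = flag_header_block(block)
        print(result["from"], "->", "; ".join(result["reasons"]))
```

The subject-line and envelope checks are recorded as supporting reasons only: subjects change from run to run, and the envelope sender normally matches From here because the mail really was sent through that account.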

Attachment / Link Samples:

The order link goes to a compromised website that, IF YOU USE THE RIGHT USER-AGENT, MAY serve you a zip file containing an exe. The Asprox botnet has also been known to serve Android-specific malware as an .apk file when the request carries an Android user-agent, although it has been a while since we've seen that.

The wrong user-agent (e.g. Mac or Linux) or no user-agent at all gets you no response, a fake 404 Not Found error, or something similar.

Link examples:

idvpistoia.it /media /D1W4R8QaB3L19AoHwut1fA0VYYn13DXPC4C4Ghmzfx8=/WalmartForm
egypt4all.com /media /FEbdvKG0Rer8YvhOZnEmlta03LJ4C0peSk+QHnlbKdE=/WalmartForm
az2000-b1.nl /message /bDHYwyVgFo9+kbcmAhbm9sx1WNmdQEStVGPdTapUiKA=/WalmartForm
genesisenergy.eu /message /amtfPL3QUtWV4oKY+WbBEMx1WNmdQEStVGPdTapUiKA=/WalmartForm
pfadisins.ch /message /rAmEAatklx2xMN/2o3ng7A0VYYn13DXPC4C4Ghmzfx8=/WalmartForm
nijlandtweewielers.nl /message /JC7lZ+7986Yl8YPuUfYEpH79cDq262XJlVmvA9DGl9Q=/BestBuyForm

If the user-agent is right (Internet Explorer, or sometimes Firefox on Windows), the link returns a zip file containing an exe that is sometimes named with your city and zip code. They get those from your IP address and a geo-IP database or service.

WalmartForm-something.zip containing WalmartForm_my-city_my-zip.exe
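Two things a responder wants from the link section above: a way to spot these URLs in proxy or mail logs, and a way to probe one link with several user-agents to see which ones the gate answers. Both are in the following added example, written for this article and not THL's tooling. The two campaign URLs are the article's samples with the defanging spaces removed; the log lines around them, the User-Agent strings, and the simulated gate (which stands in for the compromised site so the probe runs offline) are constructed for illustration. Swap http_fetch in for simulated_gate to probe a live link, and only do that from an isolated analysis box.

```python
"""Find this campaign's download links in logs and probe one with several
User-Agent strings.  Added example for this article."""
import base64
import binascii
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# host / (media|message) / base64 token / <Brand>Form, the shape of the article's samples
LINK_RE = re.compile(
    r"(?:https?://)?(?P<host>[A-Za-z0-9.-]+\.[A-Za-z]{2,})"
    r"/(?P<dir>media|message)/(?P<token>[A-Za-z0-9+/]{20,}={0,2})"
    r"/(?P<brand>Walmart|BestBuy|Costco)Form\b")

# Constructed proxy log lines; the two campaign URLs are from the article
SAMPLE_LOG = """\
2013-12-27T10:02:11Z 10.1.2.3 GET http://idvpistoia.it/media/D1W4R8QaB3L19AoHwut1fA0VYYn13DXPC4C4Ghmzfx8=/WalmartForm 200
2013-12-27T10:05:40Z 10.1.2.9 GET http://www.example.com/media/player.js 200
2013-12-27T10:07:03Z 10.1.2.3 GET http://nijlandtweewielers.nl/message/JC7lZ+7986Yl8YPuUfYEpH79cDq262XJlVmvA9DGl9Q=/BestBuyForm 404
"""

# Assumed User-Agent strings chosen to cover the cases the article describes
UA_PROFILES = {
    "ie-win": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
    "firefox-win": "Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0",
    "android": "Mozilla/5.0 (Linux; Android 4.3; Nexus 4 Build/JWR66Y) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/31.0.1650.59 Mobile Safari/537.36",
    "mac": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9) AppleWebKit/537.71 "
           "(KHTML, like Gecko) Version/7.0 Safari/537.71",
    "none": "",
}

Fetcher = Callable[[str, str], Tuple[int, Dict[str, str]]]


def extract_links(text: str) -> list:
    """Every campaign-shaped URL in text, with the decoded token length
    (all of the article's tokens decode to 32 bytes)."""
    found = []
    for m in LINK_RE.finditer(text):
        try:
            token_len = len(base64.b64decode(m.group("token")))
        except binascii.Error:
            token_len = None
        found.append({"host": m.group("host"), "dir": m.group("dir"),
                      "brand": m.group("brand"), "token_len": token_len})
    return found


def http_fetch(url: str, user_agent: str) -> Tuple[int, Dict[str, str]]:
    """Live fetcher: status code plus lowercased response headers.  Setting the
    header explicitly, even to '', stops urllib adding its own Python-urllib UA."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}


def simulated_gate(url: str, user_agent: str) -> Tuple[int, Dict[str, str]]:
    """Constructed stand-in for the compromised site, modelling the gating the
    article describes: Windows IE/Firefox get a zip, Android an apk, others a fake 404."""
    m = LINK_RE.search(url)
    brand = m.group("brand") if m else "Unknown"
    if "MSIE" in user_agent or ("Windows" in user_agent and "Firefox" in user_agent):
        return 200, {"content-type": "application/zip",
                     "content-disposition": f'attachment; filename="{brand}Form.zip"'}
    if "Android" in user_agent:
        return 200, {"content-type": "application/vnd.android.package-archive",
                     "content-disposition": f'attachment; filename="{brand}Form.apk"'}
    return 404, {"content-type": "text/html"}


def probe(url: str, fetch: Fetcher = http_fetch) -> Dict[str, dict]:
    """One request per User-Agent profile; records status, content type and any
    attachment filename the gate offered, so the gating rule becomes visible."""
    out = {}
    for label, ua in UA_PROFILES.items():
        status, headers = fetch(url, ua)
        m = re.search(r'filename="?([^";]+)', headers.get("content-disposition", ""))
        out[label] = {"status": status, "content_type": headers.get("content-type", ""),
                      "filename": m.group(1) if m else None}
    return out


if __name__ == "__main__":
    for link in extract_links(SAMPLE_LOG):
        print(link)
    url = "http://idvpistoia.it/media/D1W4R8QaB3L19AoHwut1fA0VYYn13DXPC4C4Ghmzfx8=/WalmartForm"
    for label, r in probe(url, simulated_gate).items():  # use http_fetch for a live probe
        print(f"{label:12} {r['status']} {r['content_type'] or '-':45} {r['filename']}")
```

The probe only reads response headers and the Content-Disposition filename; it does not save the payload, which is the point where a live run needs a sandbox rather than an analyst's workstation.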

VirusTotal report:

AhnLab-V3             Trojan/Win32.Asprox
Ikarus                Trojan.Win32.Meredrop
Symantec              Trojan.Fakeavlock
TrendMicro-HouseCall  TROJ_GEN.F47V1225
AntiVir               TR/Crypt.ZPACK.36619
TheHacker             Posible_Worm32
Rising                PE:Malware.FakeDOC@CV!1.9C3C
TrendMicro            PAK_Generic.001
Sophos                Mal/Weelsof-E
Kaspersky             Backdoor.Win32.Androm.bkdr
Baidu-International   Backdoor.Win32.Androm.Aqkm
McAfee                Artemis!066F5EAC74CD

Malwr.com report  

The executable is compressed using UPX
Checks for the presence of known windows from debuggers and forensic tools

File-Analyzer.net report 

Drops: C:\Documents and Settings\Administrator\Local Settings\Application Data\nhbjjbqa.exe
Data Obfuscation: Binary may include packed or encrypted data, Sample is packed with UPX <-- new for asprox?
HIPS / PFW / Operating System Protection Evasion
Anti Debugging: Checks for kernel debuggers, Creates guard pages
Virtual Machine Detection: Binary or memory string: VBoxTray.exe, VMwareDragDetWndClass, VBoxService.exe
Hooking and other Techniques for Stealthness and Protection
Lowering of HIPS / PFW / Operating System Security Settings: Binary or memory string: wireshark.exe
Language, Device and Operating System Detection: Queries the volume information
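The sandbox reports above boil down to three indicators you can check statically: UPX section names in the PE header, the VM and analysis-tool names the sample carries as strings, and the eight-random-lowercase-letters drop name under Local Settings\Application Data. The following added example (written for this article, not the sandboxes' code) checks all three. It parses the PE section table itself rather than grepping for "UPX", and the image it analyses is built in memory by build_sample, a constructed stand-in and not the real sample.

```python
"""Static triage for the indicators in the sandbox reports: UPX sections,
VM/analysis-tool strings, and the random drop name.  Added example for this article."""
import re
import struct
from typing import Dict, List

UPX_SECTION_PREFIX = "UPX"   # UPX names the sections it creates UPX0, UPX1, ...
EVASION_STRINGS = {          # strings listed in the File-Analyzer report
    "vm-detection": ("VBoxTray.exe", "VBoxService.exe", "VMwareDragDetWndClass"),
    "analysis-tool-detection": ("wireshark.exe",),
}
# ...\Local Settings\Application Data\nhbjjbqa.exe: eight lowercase letters
DROP_PATH_RE = re.compile(r"(?i)\\Local Settings\\Application Data\\[a-z]{8}\.exe$")


def pe_section_names(data: bytes) -> List[str]:
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table and
    return the section names.  Minimal parser, enough for a packer check."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]    # NumberOfSections
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]    # SizeOfOptionalHeader
    table = coff + 20 + size_opt                               # section table follows
    names = []
    for i in range(nsections):
        raw = data[table + 40 * i: table + 40 * i + 8]         # 40-byte entries, 8-byte name
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def triage(data: bytes) -> Dict:
    """Packer guess from section names plus which evasion strings are present."""
    names = pe_section_names(data)
    packer = "UPX" if any(n.startswith(UPX_SECTION_PREFIX) for n in names) else None
    evasion = {cat: [s for s in strings if s.encode() in data]
               for cat, strings in EVASION_STRINGS.items()}
    return {"sections": names, "packer": packer, "evasion": evasion,
            "verdict": "suspicious" if packer or any(evasion.values()) else "no hits"}


def is_suspicious_drop(path: str) -> bool:
    """True for the eight-random-letters .exe drop path the sandbox reported."""
    return DROP_PATH_RE.search(path) is not None


def build_sample(section_names: List[bytes], strings: List[bytes]) -> bytes:
    """Constructed minimal PE: DOS stub, PE signature, COFF header with no
    optional header, a section table, then the given strings as the body."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    table = b"".join(n.ljust(8, b"\0")[:8] + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + table + b"\0".join(strings)


if __name__ == "__main__":
    packed = build_sample([b"UPX0", b"UPX1", b".rsrc"],
                          [b"VBoxTray.exe", b"wireshark.exe", b"kernel32.dll"])
    print(triage(packed))
    print(is_suspicious_drop(r"C:\Documents and Settings\Administrator"
                             r"\Local Settings\Application Data\nhbjjbqa.exe"))
```

On a real sample, read the file in binary mode and pass the bytes to triage(); the VM and Wireshark strings will usually only be visible after unpacking, which is exactly why the packer check comes first.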

More about Asprox

Kimberly at StopMalvertising.com on asprox

Michal Ambroz at Rebus Snippets on asprox

Samples were provided to ClamAV and Microsoft Security when this article was created.
