Delivery Canceling - Energy Statement - Malware
- Created on Tuesday, 07 January 2014 23:01
- Last Updated on Thursday, 09 January 2014 14:19
A fake PG&E energy statement email claims to have your most recent bill and tells you to log in to view your statement.
The link goes to a malware download on a compromised website, spreading a variant of the Kuluoz / Dofoil trojan.
This is the Asprox botnet getting back to its roots: compromised servers, links, and user-agent detection rather than spamming with attachments.
Subject: Delivery Canceling
Subject: Gas and Electric Usage Statement
PG&E ENERGY STATEMENT Account No: 433242797-3
Statement Date: 01/07/2014
Due Date: 02/01/2014
Your Account Summary
Amount Due on Previous Statement
Payment(s) Recieved Since Last Statement
Previous Unpaid Balance
Current Electric Charges
Current Gas Charges
49.20
To view your most recent bill, please click here. You must log-in to your account or register for an online account to view your statement.
Total Amount Due BY 02/01/2014 $559.70
The sender spoofs nothing in particular, but the "display name" of the From header may still carry the Costco Shipping Manager or Walmart Shipping Agent from the other lures. Which is hella sloppy, Asprox!
Received: from mailscriptserver1.kriter.com.tr [126.96.36.199]
X-Envelope-From: manager @betalojistik.org
Subject: Delivery Canceling
From: "Costco Shipping Manager" <manager @betalojistik.org> <-- sloppy

Received: from a139.bjtonet.com [188.8.131.52]
X-Envelope-From: user_swi1tzuk @a139.bjtonet.com
Subject: Gas and Electric Usage Statement
From: "pge.com" <do_not_reply @bjddlg.com> <-- fixed

Received: from server.hostingdem.it (2582e1c9.rdns.100tb.com) [184.108.40.206]
X-Envelope-From: nexteuro @server.hostingdem.it
Subject: Express Delivery Failure
From: "Costco" <manager @nexteuropa.org> <-- sloppy
The order link goes to some compromised website that, IF YOU USE THE RIGHT USER-AGENT, MAY provide a zip file download containing an exe file. The Asprox botnet has also been known to serve Android-specific malware as an .apk file when an Android user-agent is used, although it has been a while since we've seen that.
Using the wrong user-agent (e.g. Mac or Linux) or no user-agent at all gets you no response, a fake 404 Not Found error, or something similar.
www.costa-smeralda-sardinia.com /request /tE9S47JpOqXd96Z3bATzV379cDq262XJlVmvA9DGl9Q= /pge
esector.co /request /UihdIutMmK/slRiAZFN9cn79cDq262XJlVmvA9DGl9Q= /pge
hetgoedenieuws.nl /request /81OqITH/OyJzpm9JheI++H79cDq262XJlVmvA9DGl9Q= /pge
The link, if the user-agent is right (Internet Explorer, or sometimes Firefox on Windows), can give you a zip file containing an exe that is sometimes named with your city and zip code. They get that information from your IP address and a geo-IP database or service.
PGE_FullStatement_something.zip containing PGE_FullStatement_[geo-ip city]_[geo ip zip].exe
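As an added example (not code from the original write-up), the following Python checks the three header samples above for the display-name spoofing the author calls sloppy, and matches the PGE_FullStatement_[city]_[zip].exe naming pattern; the brand keyword list and the sample filename in the usage are assumptions.

```python
import re
from email.utils import parseaddr

# Brands the campaign put in the From display name; this keyword list is an
# assumption for the example, not something the original write-up defines.
BRAND_KEYWORDS = ("costco", "walmart", "pge")

# Download name pattern described above: PGE_FullStatement_<geo-ip city>_<geo-ip zip>.exe
STATEMENT_EXE = re.compile(r"^PGE_FullStatement_[^_]+_\d{5}\.exe$", re.IGNORECASE)

# The three header samples from the write-up, one header per line (the
# " @" anti-harvesting spacing and the author's "<--" annotations are kept).
SLOPPY_1 = """Received: from mailscriptserver1.kriter.com.tr [126.96.36.199]
X-Envelope-From: manager @betalojistik.org
Subject: Delivery Canceling
From: "Costco Shipping Manager" <manager @betalojistik.org> <-- sloppy"""
FIXED_2 = """Received: from a139.bjtonet.com [188.8.131.52]
X-Envelope-From: user_swi1tzuk @a139.bjtonet.com
Subject: Gas and Electric Usage Statement
From: "pge.com" <do_not_reply @bjddlg.com> <-- fixed"""
SLOPPY_3 = """Received: from server.hostingdem.it (2582e1c9.rdns.100tb.com) [184.108.40.206]
X-Envelope-From: nexteuro @server.hostingdem.it
Subject: Express Delivery Failure
From: "Costco" <manager @nexteuropa.org> <-- sloppy"""

def parse_headers(raw):
    """Turn a header block into {lowercased name: value}, dropping annotations."""
    headers = {}
    for line in raw.strip().splitlines():
        name, _, value = line.partition(":")
        value = re.sub(r"\s*<--.*$", "", value).replace(" @", "@").strip()
        headers[name.strip().lower()] = value
    return headers

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_from_header(raw):
    """Return the reasons a message's From header looks like display-name spoofing."""
    h = parse_headers(raw)
    display, addr = parseaddr(h.get("from", ""))
    display, from_domain = display.lower(), domain_of(addr)
    env_domain = domain_of(h.get("x-envelope-from", ""))
    reasons = []
    brands = [b for b in BRAND_KEYWORDS if b in display]
    if brands and not any(b in from_domain for b in brands):
        reasons.append(f"display name claims {brands[0]!r} but address domain is {from_domain!r}")
    if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", display) and display != from_domain:
        reasons.append(f"display name is a domain ({display}) that differs from {from_domain}")
    if env_domain and from_domain and env_domain != from_domain:
        reasons.append(f"envelope sender {env_domain} differs from From domain {from_domain}")
    return reasons
```

Note that even the "fixed" sample still trips every check: the display name "pge.com" names a domain the sending address does not belong to, which is the signal a mail gateway can act on regardless of which brand the lure borrows.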
- ESET-NOD32: a variant of Win32/Kryptik.BSLS
- PE signature block: Description = Krebs Systems
- Packers identified (PEiD): UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
- The executable is compressed using UPX
- Checks for the presence of known windows from debuggers and forensic tools
- Drops: C:\Documents and Settings\Administrator\Local Settings\Application Data\fmrlamjh.exe
- Data Obfuscation: Binary may include packed or encrypted data; sample is packed with UPX
- HIPS / PFW / Operating System Protection Evasion
- Anti Debugging: Checks for kernel debuggers, creates guard pages
- Virtual Machine Detection: Binary or memory string: VBoxTray.exe, VMwareDragDetWndClass, VBoxService.exe
- Hooking and other Techniques for Stealthiness and Protection
- Lowering of HIPS / PFW / Operating System Security Settings: Binary or memory string: wireshark.exe
- Language, Device and Operating System Detection: Queries the volume information
Samples were provided to ClamAV and Microsoft Security when this article was created.