Death Notification - Asprox Malware


Email:

A fake funeral announcement email from someone like the Amos Family or Eubank Funeral Home claims you can find out more information for the memorial service by clicking a link.

The link goes to a compromised server run by the Asprox botnet, which may give you a kuluoz / dofoil trojan horse or other virus.

Doesn't spoof anything in particular, but usually the Envelope header matches the From header.


Subject:  Death notification

The Amos Family

Funeral Announcement

Hereby we want to share your sorrow for your dear friend who passed away on Friday, January 10, 2014.
You are cordially invited to express your sympathy in memory of your friend at a celebration of life service
that will be held on Monday, January 13, 2014 at the Ocker Funeral Home, Arkansas.

Please find more detailed information about the memorial service here.

Sincerely,
Funeral Home Secretary,
Elijah Spears

1946 - 2014 The Amos Family. All Rights Reserved. | Privacy Policy

Picture of fake funeral announcement email with malware link.

Subject: Death notification

Eubank
Funeral Home & Cremation Services

For this unprecedented event, we offer our deepest prayers of condolence and invite to you
to be present at the celebration of your friends life service on Thursday, January 17, 2014
that will take place at Eubank
Funeral Home at 11:00 a.m.

Please find invitation and more detailed information about the farewell ceremony here.

Best wishes and prayers,

Funeral home receptionist,
Matthew Knowles

Copyright 2014 Funeral Home Website Design By: Frazer Consultants LLC

Picture of another asprox funeral email for eubank funeral home.


Header Examples:

More info as it comes, but mostly doesn't spoof anything. In true asprox fashion, an email is consistent in From, Envelope, and HELO.

From: The_Amos_Family <Alpesh @spacestem.com>
Subject: Death_notification

Received: from mailer.xnote.com [166.70.122.100]
X-Envelope-From: raymond @xnote.com
From: Eubank Funeral Home <raymond @xnote.com>
Subject: Death notification

Link Samples:

The link in the email goes to some compromised website that, IF YOU USE THE RIGHT USER-AGENT, MAY provide a zip file download containing an exe file. The asprox botnet has also been known to send Android-specific malware in the form of an .apk file if you use an Android user-agent, although it has been a while since we've seen that.

Using the wrong user-agent (e.g. Mac or Linux) or no user-agent at all gets you no response, a fake 404 Not Found error, or something similar.

Link examples:

thermorisecoil.com /box /z1KjMeIqtVzUG4foXEtmqehzrh5R63HCprglJMghxBo= /Funeral
mconnectsolutions.com /message /mhZneJfpSrH7ko//5zFBoQ0VYYn13DXPC4C4Ghmzfx8=/FuneralInvitation

The link, if the user-agent is right (Internet Explorer or sometimes Windows+Firefox), can give you a zip file containing an exe that is sometimes named with your city and zip code. They get that information from your ip address and a geo-ip database or service.
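The two link samples above share one shape: a compromised host, a short directory word, a standard base64 blob (padding and embedded slashes intact), and a "Funeral" lure word. This added example (not from the original post) is a defender-side heuristic that flags that shape in proxy logs; the log lines, the log format and the lure-word list are constructed for the example, only the two hosts come from the page.

```python
import base64
import binascii
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Lure words seen in the page's samples (constructed set, extend as needed).
LURE_WORDS = {"funeral", "funeralinvitation"}
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_like_base64(segment: str) -> bool:
    """True if segment is well-formed standard base64 decoding to >= 16 bytes."""
    if len(segment) % 4 != 0 or not B64_RE.match(segment):
        return False
    try:
        return len(base64.b64decode(segment, validate=True)) >= 16
    except (binascii.Error, ValueError):
        return False


def is_asprox_style_link(url: str) -> bool:
    """Match the <word>/<base64 blob>/<lure> path shape of the page's samples."""
    path = urlsplit(url).path.lstrip("/")
    # The blob may itself contain '/', so peel off only the first and last segments.
    first, sep, rest = path.partition("/")
    if not sep:
        return False
    blob, sep2, lure = rest.rpartition("/")
    if not sep2:
        return False
    return first.isalpha() and lure.lower() in LURE_WORDS and looks_like_base64(blob)


# Constructed proxy log lines: "<timestamp> <client> <method> <url>".
SAMPLE_LOG = """\
2014-01-13T09:12:01Z 10.0.0.5 GET http://thermorisecoil.com/box/z1KjMeIqtVzUG4foXEtmqehzrh5R63HCprglJMghxBo=/Funeral
2014-01-13T09:12:04Z 10.0.0.5 GET http://www.example.com/news/2014/01/13/story.html
2014-01-13T09:13:30Z 10.0.0.9 GET http://mconnectsolutions.com/message/mhZneJfpSrH7ko//5zFBoQ0VYYn13DXPC4C4Ghmzfx8=/FuneralInvitation
2014-01-13T09:14:00Z 10.0.0.7 GET http://cdn.example.net/static/app.js
"""


def flag_log(log_text: str) -> List[Tuple[str, str]]:
    """Return (client, url) for every log line whose URL matches the Asprox shape."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client, url = parts[1], parts[3]
        if is_asprox_style_link(url):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for client, url in flag_log(SAMPLE_LOG):
        print(client, url)
```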

VirusTotal report 

AhnLab-V3 Trojan/Win32.Kuluoz
Ikarus Trojan.Win32.Meredrop
TheHacker Posible_Worm32
Rising PE:Malware.FakeDOC@CV!1.9C3C
TrendMicro PAK_Generic.001
Sophos Mal/Weelsof-E
McAfee Artemis!9B11F0459A01
McAfee-GW-Edition Artemis!9B11F0459A01
ESET-NOD32 a variant of Win32/Kryptik.BSLS

PE signature block: Description: Krebs Systems
Packers identified: PEiD: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

Malwr.com report  

The executable is compressed using UPX
Checks for the presence of known windows from debuggers and forensic tools

File-Analyzer.net report 

Drops:  C:\Documents and Settings\Administrator\Local Settings\Application Data\fmrlamjh.exe
Data Obfuscation: Binary may include packed or encrypted data, Sample is packed with UPX
HIPS / PFW / Operating System Protection Evasion
Anti Debugging: Checks for kernel debuggers, Creates guard pages
Virtual Machine Detection: Binary or memory string: VBoxTray.exe, VMwareDragDetWndClass, VBoxService.exe
Hooking and other Techniques for Stealthness and Protection
Lowering of HIPS / PFW / Operating System Security Settings: Binary or memory string: wireshark.exe
Language, Device and Operating System Detection: Queries the volume information
