
Email:

Fake White Wedding Agency wedding invitation email invites you to celebrate your joining the Asprox Botnet and have cake.

Links go to cracked websites in a multi-tiered malware delivery system, with malware available for Windows and Android.

This is a likely successor to the "DHL Pack Station Virus" series.


Subject: Wedding Invitation

White

wedding agency

We would like to invite you to celebrate our wedding
in October 1st, Tuesday, 4 p.m.
The celebration will be followed by a reception.

Please, click here for the full invitation text.
If the link are not working, please move the message to"Inbox" folder.

2005 - 2013 Copyright White Agency s.r.o. | Legal Disclaimer


Asprox botnet email, fake white wedding agency invitation.


Header samples:

Not much spoofing on this round.

Received: from lokman.istdns.com [188.132.193.74]
X-Envelope-From: wwwkumru @lokman.istdns.com
From: "Wedding Agent Michael Franklin" <michael_franklin75 @kumrum.com>
Subject: Invitation

Received: from web9.hspheredns.com [208.77.156.35]
X-Envelope-From: httpd @web9.hspheredns.com
From: "Wedding Agent Jason Matthews" <jason_matthews96 @triplejcontracting.ca>
Subject: Wedding Invitation

Received: from serv16.hostland.ru [77.234.200.226]
X-Envelope-From: host2097 @serv16.hostland.ru
From: "Wedding Agent Jacob Farmer" <jacob_farmer35 @viveskinet.ru>
Subject: Wedding Invite

Received: from smtp01-arc.via-numerica.net [80.245.16.161]
X-Envelope-From: webmaster @franchise-dcm.fr
From: "Wedding Agent Justin Gallegos" <justin_gallegos19 @franchise-dcm.fr>
Subject: Invitation

Received: from hostde2.fornex.org [212.224.113.144]
X-Envelope-From: k5134 @hostde2.fornex.org
From: "Wedding Agent Benjamin Serrano" <benjamin_serrano43 @natali-tebenkova.com>
Subject: Wedding Invitation

Received: from mail19c.g19.rapidsite.net [204.202.242.56]
X-Envelope-From: webmaster @rosslarerechargeables.com
From: "Wedding Agent Santiago Vasquez" <santiago_vasquez70 @rosslarerechargeables.com>
Subject: Invitation

Received: from 037b139.netsolvps.com [207.204.53.169]
X-Envelope-From: apache @037b139.netsolvps.com
From: "Wedding Agent Jacob Mason" <jacob_mason76 @honestconversations.com>
Subject: Wedding Invitation

Received: from wsmtp.whsecure.net [66.232.22.79]
X-Envelope-From: httpd @foxtrot2.whsecure.net
From: "Wedding Agent Justin Nunez" <justin_nunez39 @claiminvestigations.com>
Subject: Invitation

Received: from wprofy.ru [62.109.15.182]
X-Envelope-From: elena @airbooking.ru
From: "Wedding Agent Ethan Maynard" <ethan_maynard44 @airbooking.ru>
Subject: Wedding Invite
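As an added example (not part of the original post), a small triage script over header blocks in the four-line format shown above: it flags envelope senders that are web-server service accounts (httpd, apache, webmaster, www*), From domains that differ from the envelope domain, and the "Wedding Agent" lure. The two header blocks are constructed, and the service-account list is an assumption drawn from the samples.

```python
import re

# Constructed header excerpts in the format of the samples above
# (not real traffic; hosts, names and addresses are made up).
SAMPLE_HEADERS = """\
Received: from web3.example-hosting.test [198.51.100.7]
X-Envelope-From: httpd@web3.example-hosting.test
From: "Wedding Agent Example Name" <example_name12@unrelated.example>
Subject: Wedding Invitation

Received: from mail.example.org [203.0.113.9]
X-Envelope-From: alice@example.org
From: "Alice" <alice@example.org>
Subject: Lunch
"""

# Envelope local parts typical of a web server's own service account
# relaying mail through a compromised site (assumed list, based on the samples).
SERVICE_ACCOUNTS = {"httpd", "apache", "webmaster", "wwwrun"}
WEDDING_SUBJECT = re.compile(r"^(wedding )?invit(ation|e)$", re.I)

def parse_headers(block):
    """Return a dict of header name -> value for one sample block."""
    fields = {}
    for line in block.splitlines():
        name, _, value = line.partition(":")
        fields[name.strip()] = value.strip()
    return fields

def triage(headers_text):
    """Return a list of (from_address, [reasons]) for each header block."""
    results = []
    for block in headers_text.strip().split("\n\n"):
        h = parse_headers(block)
        # The samples above de-obfuscate addresses with a space before '@'.
        env = h.get("X-Envelope-From", "").replace(" @", "@")
        env_local, _, env_domain = env.partition("@")
        frm = re.search(r"<([^>]+)>", h.get("From", ""))
        from_addr = frm.group(1).replace(" ", "") if frm else h.get("From", "")
        from_domain = from_addr.partition("@")[2]
        reasons = []
        if env_local.lower() in SERVICE_ACCOUNTS or env_local.lower().startswith("www"):
            reasons.append("envelope sender is a web-server service account")
        if env_domain and from_domain and env_domain.lower() != from_domain.lower():
            reasons.append("From domain differs from envelope domain")
        if WEDDING_SUBJECT.match(h.get("Subject", "")) and "Wedding Agent" in h.get("From", ""):
            reasons.append("wedding-agent lure subject and display name")
        results.append((from_addr, reasons))
    return results
```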

Link Examples:

Links go to compromised websites, most likely in the Asprox botnet system. The landing sites check the user-agent and possibly the client IP address, and can blacklist you if you keep trying. If the first tier chooses to ignore you, you get a fake 404 Error Page Not Found.


Depending on your user-agent and other conditions, the next tier up from the landing page may elect to send a download or a fake 404 Error Page Not Found.

Windows user-agents may get an exe in a zip file.

wedding-invitation.exe: VirusTotal analysis: here

Kaspersky: Trojan-Downloader.Win32.Dofoil.qxi
TrendMicro: TROJ_DOFOIL.SMJ
Panda: Suspicious file
McAfee: Artemis!6D383A9E45C6
ESET-NOD: a variant of Win32/Injector.AMJO

wedding-invitation.exe: malwr.com analysis: here

Installs itself for autorun at Windows startup

Android users may get an .apk file. Interestingly, I got a different .apk file when using an Android + Fennec user-agent vs. an Android + WebKit user-agent on this last go-around. One of the .apk files was invalid, but still contained all the .apk parts.

Android Fennec .apk, 10 Sep 2013: JoeSandbox analysis: here

Android WebKit .apk, 10 Sep 2013: JoeSandbox analysis: here

Android WebKit .apk, 10 Sep 2013: VirusTotal analysis: here

18 Oct 2013 Variant:

If this is Asprox, it is known to generate a new EXE file on a time schedule, so this may not be that relevant. However, the trend around this date is to name the exe after the geo-IP city of the machine requesting the webpage, e.g. Wedding_Invitation_San_Antonio.exe.

VirusTotal report: here

Malwr.com report: here

Posts HTTP data to:
94.247.168.26:8080 /460326245047F2B6E405E92260B09AA0E35D7CA2B1
96.30.44.184:8080 /460326245047F2B6E405E92260B09AA0E35D7CA2B1
178.79.144.118:8080 /460326245047F2B6E405E92260B09AA0E35D7CA2B1
178.254.24.182 /460326245047F2B6E405E92260B09AA0E35D7CA2B1
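The multi-tier chain described above (a landing script that serves a decoy 404 to unwanted clients, a Windows zip/exe or Android .apk chosen by user-agent, then HTTP POSTs to port 8080 with a 40-character hex path) can be reconstructed per host from proxy logs. This is an added example, not from the original post; the log line format, the hostnames and the exact regex shapes are assumptions modelled on the campaign as described.

```python
import re

# Constructed proxy log lines (not real traffic), one request per line:
# <client-ip> <method> <url> <status> "<user-agent>"
LOG_LINES = [
    '10.0.0.5 GET http://landing.example/info.php?inv=AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8= 200 "Mozilla/5.0 (Windows NT 6.1)"',
    '10.0.0.5 GET http://landing.example/info.php?inv=AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8= 404 "Wget/1.14"',
    '10.0.0.5 GET http://second.example/Wedding_Invitation_San_Antonio.zip 200 "Mozilla/5.0 (Windows NT 6.1)"',
    '10.0.0.6 GET http://second.example/invitation.apk 200 "Mozilla/5.0 (Android; Mobile; rv:24.0) Gecko/24.0 Firefox/24.0"',
    '10.0.0.5 POST http://192.0.2.10:8080/0123456789ABCDEF0123456789ABCDEF01234567 200 "Mozilla/4.0"',
    '10.0.0.7 GET http://www.example.org/index.html 200 "Mozilla/5.0"',
]

# Assumed shapes: landing script with a base64 invite token, a platform payload
# (city-named Wedding_Invitation exe/zip, or any .apk), and a POST beacon to a
# bare IP on port 8080 with a 40-hex path.
LANDING = re.compile(r"/(info|item)\.php\?(inv|invite)=[A-Za-z0-9+/]{20,}={0,2}$")
PAYLOAD = re.compile(r"/(wedding[-_]invitation[^/]*\.(exe|zip)|[^/]+\.apk)$", re.I)
BEACON = re.compile(r"^https?://\d{1,3}(\.\d{1,3}){3}(:8080)?/[0-9A-F]{40}$")
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

def classify(line):
    """Return (client, stage, url) for a chain-related request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, url, status, _ua = m.groups()
    parts = url.split("://", 1)[-1].split("/", 1)
    path = "/" + parts[1] if len(parts) > 1 else "/"
    if LANDING.search(path):
        # A 404 on the landing URL is the decoy shown to clients the tier rejects.
        stage = "landing" if status == "200" else "landing-decoy-404"
    elif PAYLOAD.search(path):
        stage = "payload-" + ("android" if path.lower().endswith(".apk") else "windows")
    elif method == "POST" and BEACON.match(url):
        stage = "beacon"
    else:
        return None
    return (client, stage, url)

def detect(lines):
    """Group detected stages by client IP so the whole chain is visible per host."""
    chains = {}
    for line in lines:
        hit = classify(line)
        if hit:
            client, stage, _url = hit
            chains.setdefault(client, []).append(stage)
    return chains
```

A host that shows landing, payload and beacon stages in sequence is the one to isolate first; a landing-decoy-404 alone usually means a scanner or proxy was rejected by the first tier.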

