Submit to DiggSubmit to FacebookSubmit to Google PlusSubmit to StumbleuponSubmit to Twitter


A fake PG&E energy statement  email claims to have your most recent bill and you need to log in to view your statement.

Link goes to a malware download on a compromised website, spreading a variant of the Kuluoz / Dofoil trojan.

This is the Asprox botnet getting back to its roots, with compromised servers, links, user-agent detection, rather than spamming with attachments.

Subject:  Delivery Canceling

Subject: Gas and Electric Usage Statement

PG&E ENERGY STATEMENT 	  	  	Account No: 433242797-3
Statement Date: 01/07/2014
Due Date: 02/01/2014

Your Account Summary
Amount Due on Previous Statement
Payment(s) Recieved Since Last Statement
Previous Unpaid Balance
Current Electric Charges
Current Gas Charges
49.20 To view your most recent bill, please click here. You must log-in to your account or register
for an online account to view your statement.

Total Amount Due BY 02/01/2014 $559.70

Picture of the fake PGE delivery email from the Asprox botnet.

Header Examples:

Spoofs nothing really, but may leave the costco shipping manager or walmart shipping agent in the "display name" of the From header. Which is hella sloppy, Asprox!

Received: from  []
   X-Envelope-From: manager
   Subject: Delivery Canceling
   From: "Costco Shipping Manager" <manager>  <-- sloppy

Received: from [] X-Envelope-From: user_swi1tzuk Subject: Gas and Electric Usage Statement From: "" <do_not_reply> <-- fixed

Received: from ( [] X-Envelope-From: nexteuro Subject: Express Delivery Failure From: "Costco" <manager> <-- sloppy

Link Samples:

The order link will go to some compromised website that, IF YOU USE THE RIGHT USER-AGENT, MAY provide you a zip file download containing an exe file. The asprox botnet has also been known to send Android-specific malware in the form of an .apk file if you use an Android user-agent, although it has been a while since we've seen that.

Using the wrong user-agent (eg. Mac or Linux) or no user-agent will get you no response, or a fake 404 not found error, or something like that.

Link examples: /request /tE9S47JpOqXd96Z3bATzV379cDq262XJlVmvA9DGl9Q= /pge /request /UihdIutMmK/slRiAZFN9cn79cDq262XJlVmvA9DGl9Q= /pge /request /81OqITH/OyJzpm9JheI++H79cDq262XJlVmvA9DGl9Q= /pge

The link, if the user-agent is right (Internet Explorer or sometimes Windows+Firefox), can give you a zip file containing an exe that is sometimes named with your city and zip code. They get that information from your ip address and a geo-ip database or service. containing PGE_FullStatement_[geo-ip city]_[geo ip zip].exe

VirusTotal report 

AhnLab-V3 			Trojan/Win32.Kuluoz 
Ikarus Trojan.Win32.Meredrop
TheHacker Posible_Worm32
Rising PE:Malware.FakeDOC@CV!1.9C3C
TrendMicro PAK_Generic.001
Sophos Mal/Weelsof-E
McAfee Artemis!9B11F0459A01
McAfee-GW-Edition Artemis!9B11F0459A01
ESET-NOD32 a variant of Win32/Kryptik.BSLS

PE signature block Description Krebs Systems
Packers identified PEiD UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser report  

The executable is compressed using UPX
Checks for the presence of known windows from debuggers and forensic tools report 

Drops:  C:\Documents and Settings\Administrator\Local Settings\Application Data\fmrlamjh.exe
Data Obfuscation: Binary may include packed or encrypted data, Sample is packed with UPX
HIPS / PFW / Operating System Protection Evasion
Anti Debugging: Checks for kernel debuggers, Creates guard pages
Virtual Machine Detection: Binary or memory string: VBoxTray.exe, VMwareDragDetWndClass, VBoxService.exe
Hooking and other Techniques for Stealthness and Protection
Lowering of HIPS / PFW / Operating System Security Settings: Binary or memory string: wireshark.exe
Language, Device and Operating System Detection: Queries the volume information

Samples provided to Clam AV and Microsoft Security when this article was created.

 If this was at least a little helpful, how about a +1, Like, or Tweet?