
Email:

A fake PG&E energy statement email claims that your most recent bill is available and that you need to log in to view your statement.

Link goes to a malware download on a compromised website, spreading a variant of the Kuluoz / Dofoil trojan.

This is the Asprox botnet getting back to its roots, with compromised servers, links, user-agent detection, rather than spamming with attachments.


Subject: Delivery Canceling

Subject: Gas and Electric Usage Statement

PG&E ENERGY STATEMENT                        Account No: 433242797-3
Statement Date: 01/07/2014
Due Date: 02/01/2014

Your Account Summary
Amount Due on Previous Statement             $344.70
Payment(s) Recieved Since Last Statement     0.0
Previous Unpaid Balance                      $344.70
Current Electric Charges                     $165.80
Current Gas Charges                          49.20

To view your most recent bill, please click here. You must log-in to your account or register for an online account to view your statement.

Total Amount Due BY 02/01/2014 $559.70

Picture of the fake PGE delivery email from the Asprox botnet.


Header Examples:

It spoofs nothing, really, but may leave the Costco shipping manager or Walmart shipping agent in the display name of the From header, which is hella sloppy, Asprox!

Received: from mailscriptserver1.kriter.com.tr [81.22.97.35]
   X-Envelope-From: manager @betalojistik.org
   Subject: Delivery Canceling
   From: "Costco Shipping Manager" <manager @betalojistik.org>  <-- sloppy

Received: from a139.bjtonet.com [218.240.52.154]
   X-Envelope-From: user_swi1tzuk @a139.bjtonet.com
   Subject: Gas and Electric Usage Statement
   From: "pge.com" <do_not_reply @bjddlg.com>  <-- fixed

Received: from server.hostingdem.it (2582e1c9.rdns.100tb.com) [37.130.225.201]
   X-Envelope-From: nexteuro @server.hostingdem.it
   Subject: Express Delivery Failure
   From: "Costco" <manager @nexteuropa.org>  <-- sloppy

Link Samples:

The order link goes to some compromised website that, IF YOU USE THE RIGHT USER-AGENT, MAY provide a zip file download containing an exe file. The Asprox botnet has also been known to serve Android-specific malware as an .apk file when an Android user-agent is used, although it has been a while since we've seen that.

Using the wrong user-agent (e.g. Mac or Linux) or no user-agent at all gets you no response, a fake 404 Not Found error, or something similar.

Link examples:

www.costa-smeralda-sardinia.com /request /tE9S47JpOqXd96Z3bATzV379cDq262XJlVmvA9DGl9Q= /pge
esector.co /request /UihdIutMmK/slRiAZFN9cn79cDq262XJlVmvA9DGl9Q= /pge
hetgoedenieuws.nl /request /81OqITH/OyJzpm9JheI++H79cDq262XJlVmvA9DGl9Q= /pge

The link, if the user-agent is right (Internet Explorer, or sometimes Windows+Firefox), can serve a zip file containing an exe that is sometimes named with your city and zip code. They get that information from your IP address and a geo-IP database or service.

PGE_FullStatement_something.zip containing PGE_FullStatement_[geo-ip city]_[geo ip zip].exe
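As an added example (not part of the original post), here is a small Python triage helper that encodes the three tells described above: a brand name in the From display name that does not match the From domain, a From domain that differs from the envelope sender, the /request/<token>/pge link shape, and the PGE_FullStatement_<city>_<zip>.exe payload name. The embedded header block is constructed from the first sample above with the defanging spaces removed; the brand list and the minimum token length are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand names this campaign drops into the From display name (assumed list).
BRANDS = ("costco", "walmart", "pge")

# Lure link shape seen in the samples: /request/<base64-looking token>/pge
LURE_PATH = re.compile(r"/request/[A-Za-z0-9+/=]{20,}/pge/?$")

# Payload name inside the zip: PGE_FullStatement_<geo-ip city>_<geo-ip zip>.exe
LURE_FILE = re.compile(r"^PGE_FullStatement_.+_\d{5}\.exe$", re.IGNORECASE)

# Constructed header block: the first "sloppy" sample, defanging spaces removed.
SAMPLE_HEADERS = """\
Received: from mailscriptserver1.kriter.com.tr [81.22.97.35]
X-Envelope-From: manager@betalojistik.org
Subject: Delivery Canceling
From: "Costco Shipping Manager" <manager@betalojistik.org>
"""

def _domain(addr):
    """Lower-cased domain part of an address, or empty if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_headers(raw):
    """Return a list of findings for one raw RFC 5322 header block."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    env_dom = _domain(msg.get("X-Envelope-From", ""))
    findings = []
    brand = next((b for b in BRANDS if b in display.lower()), None)
    if brand and brand not in from_dom:
        findings.append("brand '%s' in display name but From domain is %s" % (brand, from_dom))
    if from_dom and env_dom and from_dom != env_dom:
        findings.append("From domain %s differs from envelope sender %s" % (from_dom, env_dom))
    return findings

def is_lure_url(url):
    """True when the URL path (with or without a scheme) ends in /request/<token>/pge."""
    return LURE_PATH.search(urlparse(url.strip()).path) is not None

def is_lure_filename(name):
    """True for the city/zip-stamped executable name described above."""
    return LURE_FILE.match(name) is not None
```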

VirusTotal report

AhnLab-V3            Trojan/Win32.Kuluoz
Ikarus               Trojan.Win32.Meredrop
TheHacker            Posible_Worm32
Rising               PE:Malware.FakeDOC@CV!1.9C3C
TrendMicro           PAK_Generic.001
Sophos               Mal/Weelsof-E
McAfee               Artemis!9B11F0459A01
McAfee-GW-Edition    Artemis!9B11F0459A01
ESET-NOD32           a variant of Win32/Kryptik.BSLS

PE signature block: Description Krebs Systems
Packers identified: PEiD UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

Malwr.com report  

The executable is compressed using UPX
Checks for the presence of known windows from debuggers and forensic tools

File-Analyzer.net report 

Drops:  C:\Documents and Settings\Administrator\Local Settings\Application Data\fmrlamjh.exe
Data Obfuscation: Binary may include packed or encrypted data, Sample is packed with UPX
HIPS / PFW / Operating System Protection Evasion
Anti Debugging: Checks for kernel debuggers, Creates guard pages
Virtual Machine Detection: Binary or memory string: VBoxTray.exe, VMwareDragDetWndClass, VBoxService.exe
Hooking and other Techniques for Stealthness and Protection
Lowering of HIPS / PFW / Operating System Security Settings: Binary or memory string: wireshark.exe
Language, Device and Operating System Detection: Queries the volume information

Samples provided to Clam AV and Microsoft Security when this article was created.
