
Email:

A fake LINE.me voice message notification claims you missed a call and that you can listen to it with the provided link.

The link goes to malware download sites.

This is another email template used by the Asprox botnet to spread malware.


Subject: You have a voice message 

 [ LINE logo ]   [ Free Calls & Messages ]

LINE Notification

You have a voice message, listen it now.
Time: 21:12:45 01 Oct 2014, Duration: 45sec

Copyright (c) 2014 All rights reserved

Picture of fake LINE voice message notification with Asprox malware download link.


Header Examples:

The From and envelope-from headers are spoofed with random, unrelated addresses, but the two are consistent within each email (the display name is always "LINE"; the address never belongs to line.me).

Received: from axigen.aerored.com [67.228.153.226]
X-Envelope-From: mromero @cesvimexico.com.mx
From: "LINE" <mromero @cesvimexico.com.mx>
Subject: You have a voice message

Received: from fep01.xtra.co.nz [210.54.141.239]
X-Envelope-From: info @milfordinfrastructure.co.nz
From: "LINE" <info @milfordinfrastructure.co.nz>
Subject: You have a voice message

Received: from hosting12.ukrnames.com [46.165.209.177]
X-Envelope-From: test @fev.com.ua
From: "LINE" <test @fev.com.ua>
Subject: You have a voice message

Received: from emea01-db3-obe.outbound.protection.outlook.com [157.55.234.138]
X-Envelope-From: fedasgitcyl @fedasgitcyl.e.telefonica.net
From: LINE <fedasgitcyl @fedasgitcyl.e.telefonica.net>
Subject: You have a voice message
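A header triage check built on the pattern above, as an added example that is not code from the original page: the display name claims to be LINE while the address lives on an unrelated domain, and the envelope sender matches that forged From address, so SPF on the envelope domain alone will not flag it. The sample headers are constructed to mirror the ones listed above (with the " @" obfuscation removed), and the assumption that a genuine LINE notification would come from line.me is this editor's, not the page's.

```python
"""Flag Asprox-style spoofed "LINE" sender headers.

Added example; not code from the original page. Sample headers are constructed
to mirror the listed ones. The legitimate-domain list is an assumption.
"""
from email.utils import parseaddr

BRAND = "LINE"
# Assumption: a real LINE notification would come from line.me or a subdomain.
LEGIT_DOMAINS = ("line.me",)

# Constructed samples: one dict per email, keyed by header name.
SAMPLE_HEADERS = [
    {"Received": "from axigen.aerored.com [67.228.153.226]",
     "X-Envelope-From": "mromero@cesvimexico.com.mx",
     "From": '"LINE" <mromero@cesvimexico.com.mx>',
     "Subject": "You have a voice message"},
    {"Received": "from emea01-db3-obe.outbound.protection.outlook.com [157.55.234.138]",
     "X-Envelope-From": "fedasgitcyl@fedasgitcyl.e.telefonica.net",
     "From": "LINE <fedasgitcyl@fedasgitcyl.e.telefonica.net>",
     "Subject": "You have a voice message"},
    # Benign control: display name and sending domain belong together.
    {"Received": "from mail.example.org [192.0.2.10]",
     "X-Envelope-From": "alice@example.org",
     "From": '"Alice" <alice@example.org>',
     "Subject": "lunch"},
]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_legit_domain(domain: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in LEGIT_DOMAINS)


def check_headers(hdrs: dict) -> list:
    """Return the reasons this message looks like the LINE lure (empty list = no hit)."""
    reasons = []
    display, addr = parseaddr(hdrs.get("From", ""))
    env = hdrs.get("X-Envelope-From", "").strip()
    from_dom = domain_of(addr)

    # 1. Brand name in the display name, but the address is not on the brand's domain.
    if display.strip().strip('"').casefold() == BRAND.casefold() and not is_legit_domain(from_dom):
        reasons.append(f"display name {BRAND!r} but sender domain {from_dom!r}")

    # 2. Envelope sender equals the From address. On its own this proves nothing;
    #    it means an SPF pass on the envelope domain will not catch the forged
    #    display name, so the check above is the one that matters.
    if env and env.lower() == addr.lower() and reasons:
        reasons.append("envelope-from equals From address; forged identity is self-consistent")

    # 3. Subject string used by this template.
    if hdrs.get("Subject", "").strip() == "You have a voice message" and reasons:
        reasons.append("subject matches the campaign template")
    return reasons


def triage(messages):
    """Pair each message's From header with its reasons, for a quick report."""
    return [(m.get("From", ""), check_headers(m)) for m in messages]


if __name__ == "__main__":
    for sender, why in triage(SAMPLE_HEADERS):
        print(sender, "->", why or "clean")
```

Because the display-name check is keyed on the impersonated brand, it is what catches a lure even when the envelope domain has valid SPF; the consistency and subject checks are only added colour once that first check fires.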

Malware

2 October 2014

Link to malware download URL

The link points to a URL on a compromised web server. The download PHP script checks your user agent (to make sure you are running Windows and Internet Explorer) and your IP address (to make sure you have not fetched it too many times, as a malware researcher would). If the conditions are met, you are handed back a zip file, which the compromised server only proxies from elsewhere. The zip contains an EXE trojan that joins your computer to the Asprox botnet. The links look like:

mohicancanoe.com/alias.php?line=YE7/bWJUJ.....
valleysbestrealty.net/session.php?line=YE7/bWJU......
marm.gr/tmp/cache.php?line=YE7/bWJUJPG/nSa......
holiday-resorts-thailand.com/help.php?line=YE7/bWJUJPG....
evolvecontent.com/title.php?line=YE7/bWJUJPG.....
thewilsonschool.com/stats.php?line=YE7/bWJUJPG/nS....
padworkgb.com/defines.php?line=YE7/bWJUJPG/nSa...
thejourneyulrikedietmann.com/code.php?line=YE7/bWJUJPG/n....
mybiolife.it/help.php?line=YE7/bWJUJPG/n..
getusedcheap.com/options.php?line=YE7/bWJUJPG/n....
panolifeproducts.com/tmp/header.php?line=YE7/bWJUJPG....
yasuno2012.net/object.php?line=YE7/bWJUJPG...

The EXE is repacked often: a new hash every 3 minutes, every 6 minutes, a couple of times a day, or sometimes the same EXE is served all day long.

Each EXE will come with 5 to 10 IP addresses to try to report to for updates and instructions.

My zip contained LINE_Call_(210)4583840.exe. The filename gets the area code for its fake phone number by looking up geo-IP data for your IP address; in my case that was 210 for San Antonio, Texas. The most commonly accepted name for this Asprox trojan is "Kuluoz".
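A proxy-log sweep for the download links, lure filename and C2 traffic described above, as an added example that is not the page's or the botnet's code. The log lines are constructed. The URL test (any .php with a `line` parameter starting with the `YE7/bWJU` prefix every sample shares) and the filename test (`LINE_Call_(<3-digit area code>)<7 digits>.exe`) are generalised from the examples on this page; both are assumptions about the campaign, not a documented format, and the C2 endpoint set is the one from the sandbox reports below, which rotates.

```python
"""Spot Asprox download links, lure filenames and C2 POSTs in proxy logs.

Added example; not code from the page or the campaign. Patterns are generalised
from the page's samples (assumption). Log lines are constructed.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Download gate: a .php path on a compromised host with a "line" parameter whose
# value begins with the prefix seen in every listed link.
PHP_PATH_RE = re.compile(r"^/[\w/.-]*\.php$")
LINE_PREFIX = "YE7/bWJU"

# Lure filename: LINE_Call_(<3-digit area code>)<7 digits>.exe (assumption).
LURE_NAME_RE = re.compile(r"^LINE_Call_\(\d{3}\)\d{7}\.exe$", re.IGNORECASE)

# C2 endpoints the sample POSTed to (from the sandbox reports); these rotate.
C2_ENDPOINTS = {
    "110.77.220.66:443", "195.28.181.184:8080", "37.59.24.98:8080",
    "69.64.32.247:443", "74.221.221.58:8080", "82.165.155.77:8080",
    "85.12.29.254:8080", "96.30.22.96:8080",
}

# Constructed log: "<unix ts> <client> <method> <url> <status>"
SAMPLE_LOG = """\
1412200000.123 10.0.0.5 GET http://marm.gr/tmp/cache.php?line=YE7/bWJUJPG/nSaXYZ 200
1412200001.456 10.0.0.5 GET http://www.example.com/index.php?page=2 200
1412200005.789 10.0.0.7 GET http://getusedcheap.com/options.php?line=YE7/bWJUJPG/nABC 200
1412200030.000 10.0.0.7 POST http://195.28.181.184:8080/ 200
1412200031.000 10.0.0.9 GET http://example.net/help.php?line=hello 200
"""


def is_asprox_link(url: str) -> bool:
    """True when the URL matches the campaign's download-gate pattern."""
    u = urlsplit(url)
    if not PHP_PATH_RE.match(u.path):
        return False
    values = parse_qs(u.query).get("line", [])
    return any(v.startswith(LINE_PREFIX) for v in values)


def is_c2_post(method: str, url: str) -> bool:
    """True for a POST to one of the known report-in endpoints (host:port)."""
    return method.upper() == "POST" and urlsplit(url).netloc in C2_ENDPOINTS


def is_lure_filename(name: str) -> bool:
    return bool(LURE_NAME_RE.match(name))


def scan_proxy_log(text: str):
    """Return (client, kind, url) for each hit; kind is 'download' or 'c2'."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line; skip rather than crash the sweep
        _ts, client, method, url, _status = parts[:5]
        if is_asprox_link(url):
            hits.append((client, "download", url))
        elif is_c2_post(method, url):
            hits.append((client, "c2", url))
    return hits


if __name__ == "__main__":
    for client, kind, url in scan_proxy_log(SAMPLE_LOG):
        print(f"{client:10} {kind:8} {url}")
    print(is_lure_filename("LINE_Call_(210)4583840.exe"))
```

A client that shows a `download` hit followed minutes later by a `c2` hit is the sequence the page describes (gate fetch, then the EXE reporting in), which is a stronger signal than either event alone; the C2 set needs refreshing as the addresses rotate.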

VirusTotal report 

AVG Crypt3.ATBK
Ad-Aware Gen:Variant.Zusy.109210
AegisLab Troj.W32.Diple
Avast Win32:Malware-gen
Avira TR/Crypt.ZPACK.Gen7
Baidu-Intl Trojan.Win32.Kryptik.bCMIO
BitDefender Gen:Variant.Zusy.109210
ESET-NOD32 a variant of Win32/Kryptik.CMIO
Emsisoft Gen:Variant.Zusy.109210 (B)
F-Secure Gen:Variant.Zusy.109210
Fortinet W32/Kryptik.CMIO!tr
GData Gen:Variant.Zusy.109210
Ikarus Trojan.Win32.Crypt
Kaspersky Net-Worm.Win32.Aspxor.dggd
Panda Trj/CI.A

Created mutexes
ab<USER>
aa<USER>

TotalHash report 

Creates mutexes:
abAdministrator
aaAdministrator

HTTP POSTs to:
110.77.220.66:443
195.28.181.184:8080
37.59.24.98:8080
69.64.32.247:443
74.221.221.58:8080
82.165.155.77:8080
85.12.29.254:8080
96.30.22.96:8080

Malwr.com report 

Starts servers listening on 0.0.0.0:0
Performs some HTTP requests
The binary likely contains encrypted or compressed data.
Steals private information from local Internet browsers
Installs itself for autorun at Windows startup

HTTP POSTs to:
195.28.181.184:8080

Those IP addresses will change as some are taken down and new ones come online. They are almost always compromised web servers.

What happens after your computer joins the Asprox botnet?

Your computer will be used for whatever they want to use it for.

Popular choices are ad fraud, several methods of stealing passwords [1] [2], sending more malware spam, and anything else they care to do. They are effectively a stolen-computers-as-a-service provider.

Rebus Snippet's long-lived rolling Asprox saga.

Herrcore's analysis of one generation of the Windows bot itself.

Kimberly's analysis of several versions and some of the work-related modules.

Brad from malware-traffic-analysis.net has documented many previous Asprox mail campaigns. [1] [2] [3]
