
Email:

Fake Starbucks Coffee Company malware spam email claims AT&T sent you this gift e-card just for the heck of it.

Link goes to malware download sites.

This is another email template for the Asprox botnet to spread malware.


Subject: Enjoy your Starbucks Card eGift

Subject: Starbucks Card eGift

 *  STARBUCKS  *
Starbucks Coffee Company

Enjoy your Starbucks Card eGift
AT&T has sent you a $20* Starbucks Card eGift. While you think of your next favorite beverage to enjoy, take a look at your gift and how it works.

Enjoing your eGift is easy. Just print it out and bring it into any participating Sturbucks store.

Your Card Security Code: 4405 3807

Print Your Gift

© 2014 Starbucks Corporation. All rights reserved.

Picture of the fake Starbucks gift card e-card email with the Asprox malware link.


Header Examples:

Spoofs random junk in the From and Envelope headers. Some of it may come from the compromised web server that is sending the emails. Asprox URL-style emails (as opposed to attachment-style emails) generally come from compromised web servers. A single web server will send over 10,000 emails per day.

Received: from chr.christianmoney.com [198.57.177.216]
X-Envelope-From: bolag @chr.christianmoney.com
Subject: Enjoy your Starbucks Card eGift
From: "Starbucks" <support @mybridgeoflife.com>

Received: from idc-27-254-66-226.csloxinfo.com [27.254.66.226]
X-Envelope-From: inettester @idc-27-254-66-226.csloxinfo.com
Subject: Enjoy your Starbucks Card eGift
From: "Starbucks" <support @welovebangkok.com>

Received: from p3nlsmtp15.shr.prod.phx3.secureserver.net [72.167.234.240]
X-Envelope-From: noreply @secureserver.net
Subject: Starbucks Card eGift
From: "Starbucks" <support @unisonventures.com>
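The three header samples above share one pattern: the display name says "Starbucks", but the From domain, the X-Envelope-From domain and the relay in the Received line all belong to somebody else. The following script, an added example and not code from the original post, turns that observation into a check. The sample headers are constructed with reserved .example domains, and the allow-list of legitimate Starbucks sender domains is an assumption made for illustration.

```python
"""Flag brand-spoofing mail from header fields alone.

Added example (not from the original post). Sample headers below are
constructed with reserved .example domains; the allow-list of legitimate
Starbucks sender domains is an assumption for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list of domains the brand legitimately sends from.
BRAND_DOMAINS = {
    "starbucks": {"starbucks.com", "e.starbucks.com"},
}

# First relay as written in the post's samples: "from <host> [<ip>]".
RELAY_RE = re.compile(r"^from\s+(?P<host>\S+)\s+\[(?P<ip>[\d.]+)\]")

# Constructed sample: spoofed display name, unrelated From domain,
# envelope sender and relay on a compromised host.
SPOOFED = """\
Received: from web01.compromised-host.example [192.0.2.10]
X-Envelope-From: bolag@web01.compromised-host.example
Subject: Enjoy your Starbucks Card eGift
From: "Starbucks" <support@unrelated-site.example>

"""

# Constructed sample of what a consistent brand mailing would look like.
LEGIT = """\
Received: from mail.e.starbucks.com [192.0.2.20]
X-Envelope-From: news@e.starbucks.com
Subject: Enjoy your Starbucks Card eGift
From: "Starbucks" <news@e.starbucks.com>

"""


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address header, '' if none."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _under(host: str, domains: set) -> bool:
    """True if host is one of domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def analyze_headers(raw_headers: str) -> dict:
    """Compare display name, From domain, envelope sender and first relay."""
    msg = message_from_string(raw_headers)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    env_dom = _domain(msg.get("X-Envelope-From", ""))
    relay_match = RELAY_RE.match(msg.get("Received", ""))
    relay = relay_match["host"].lower() if relay_match else ""

    findings = []
    allowed = BRAND_DOMAINS.get(display_name.strip().lower())
    if allowed is not None and not _under(from_dom, allowed):
        findings.append(
            f"display name claims {display_name!r} but From domain is {from_dom}")
    if env_dom and env_dom != from_dom:
        findings.append(
            f"envelope sender domain {env_dom} differs from From domain {from_dom}")
    if relay and allowed is not None and not _under(relay, allowed):
        findings.append(
            f"first relay {relay} is not a known {display_name} mail host")
    return {"from_domain": from_dom, "envelope_domain": env_dom,
            "relay": relay, "findings": findings}


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legit", LEGIT)):
        result = analyze_headers(sample)
        print(label, result["findings"] or "no findings")
```

The envelope/From mismatch on its own is weak evidence (mailing-list software and ESPs trigger it all the time); it is the combination with a brand display name and an unknown first relay that makes the spoofed sample stand out.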

Malware

8 October 2014

Link to malware download URL

The link will point to a URL on a compromised web server. The download PHP file will check your user agent (to make sure you are using Windows + IE) and your IP address (to make sure you didn't try too many times, like a malware researcher would). If the conditions are right, you will be handed back a zip file (which is actually only proxied by the compromised server). The zip will contain an EXE trojan which joins your computer to the Asprox botnet. Links look like:

lifestylebiz.com.au/blog/view.php?stb=vB2lLi3eOeu1w2rM29Vs4W....
aromacoffeebars.com/blog.php?stb=QhMHpJHPyISq24QVqM54EvpYIT...
advangrp.com/start.php?stb=QhMHpJHPyISq24QVqM54EggwdYnf...
mamanfloutch.com/title.php?stb=MzJ8sE8iIYpkYSch+nfIQZKsx...
aspdotnetsolution.com/error.php?stb=MzJ8sE8iIYpkYSch+nfIQa1...
obsegorbecastellon.es/diff.php?stb=YXgagzfUPnxV/28NCgZOcPS...
idatingreviews.net/search.php?stb=YXgagzfUPnxV/28NCgZOcAl2...
casaconnections.co.uk/template.php?stb=1vLiSM2j5w2WotN+ojPpdJoDn...
jeuxgrattage.net/defines.php?stb=lmHVhMgrHpucjUrSxCohPyk4Pcsn...

There will be about 100 compromised websites per day used as Asprox downloader locations. The malware isn't actually stored on those servers, but downloaded THROUGH them from another server. Notice the stb= GET parameter for this specific campaign. Others include fdx for the fake FedEx emails and vib for the Viber series.
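Because the downloader links share a shape (a .php script on an arbitrary host, a single query parameter whose name is the campaign tag, and a long base64-looking token), a proxy log or URL feed can be triaged by campaign without knowing the hosts in advance. The script below is an added example, not code from the original post: the tag-to-campaign mapping (stb, fdx, vib) comes from the post, while the sample URLs use reserved example domains with made-up tokens, and the 20-character token floor is an assumption.

```python
"""Classify Asprox-style downloader links by their campaign tag.

Added example, not from the original post. The tag-to-campaign mapping
comes from the post (stb, fdx, vib); the sample URLs are constructed
with reserved example domains and made-up tokens.
"""
import re
from typing import Optional
from urllib.parse import urlsplit

# Campaign tags named in the post.
CAMPAIGN_TAGS = {"stb": "Starbucks eGift", "fdx": "fake FedEx", "vib": "Viber"}

# Observed tokens are long and base64-like; a 20-character floor is an assumption.
TOKEN_RE = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")

# Constructed sample input (example domains, made-up tokens).
SAMPLE_URLS = [
    "blog.example.com/blog/view.php?stb=AbCdEfGhIjKlMnOpQrStUv+/wx",
    "shop.example.org/title.php?stb=ZyXwVuTsRqPoNmLkJiHgFe/dc",
    "news.example.net/track.php?fdx=QhQhQhQhQhQhQhQhQhQhQhQhQhQhQh==",
    "www.example.com/index.php?page=3",
    "www.example.com/about.html?ref=AAAAAAAAAAAAAAAAAAAAAAAAAAAA",
]


def classify_url(url: str) -> Optional[dict]:
    """Return campaign details for a single-token .php URL, else None."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    # Split the query by hand: parse_qsl would turn '+' into a space and
    # corrupt the token.
    pairs = [p.partition("=") for p in parts.query.split("&") if p]
    if len(pairs) != 1 or not parts.path.lower().endswith(".php"):
        return None
    key, _sep, value = pairs[0]
    if not TOKEN_RE.match(value):
        return None
    return {
        "host": parts.hostname,
        "script": parts.path.rsplit("/", 1)[-1],
        "tag": key,
        "campaign": CAMPAIGN_TAGS.get(key, "unrecognised tag"),
    }


def triage(urls) -> dict:
    """Group flagged hosts by campaign so each wave can be hunted separately."""
    by_campaign = {}
    for u in urls:
        hit = classify_url(u)
        if hit:
            by_campaign.setdefault(hit["campaign"], []).append(hit["host"])
    return by_campaign


if __name__ == "__main__":
    for campaign, hosts in triage(SAMPLE_URLS).items():
        print(f"{campaign}: {', '.join(hosts)}")
```

A URL with an unknown tag but the same shape still comes back flagged as "unrecognised tag", which is the case worth looking at when a new campaign starts and the tag list has not caught up yet.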

The EXE can have a unique hash every 3 minutes, every 6 minutes, a couple of times a day, or sometimes the same EXE will be used all day long.

Each EXE will come with 5 to 10 IP addresses to try to report to for updates and instructions.

My zip contained Label_US_San_Diego.exe. The filename gets the city from the GEO-IP data of the IP address that clicked the download link. In my case, a San Diego IP address.

The most commonly-accepted name for this Asprox trojan is "Kuluoz".

VirusTotal report 

ESET-NOD32:   a variant of Win32/Kryptik.CMZR
F-Prot:       W32/FakeAlert.FY.gen!Eldorado
Kaspersky:    HEUR:Trojan.Win32.Generic
Malwarebytes: Trojan.Downloader
McAfee:       Downloader-FAII!20E35117C332
Norman:       ZBot.CKEK
Symantec:     Packed.Generic.463

Malwr.com report 

Starts servers listening on 0.0.0.0:0
Performs some HTTP requests
Steals private information from local Internet browsers
Installs itself for autorun at Windows startup

HTTP POSTs to: 82.165.155.77:8080

TotalHash report 

HTTP POSTs to:
110.77.220.66:443
96.30.22.96:8080
95.131.70.168:8080
74.221.221.58:8080
195.28.181.184:8080
85.12.29.254:8080
69.64.32.247:443
82.165.155.77:8080

Those IP addresses will change as some are taken down and new ones come online. They are almost always compromised web servers.
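Since the check-in addresses rotate, matching only the quoted IP:port list will miss the next wave. The script below, an added example and not code from the original post, scans constructed proxy log lines two ways: against the IoC list the post quotes from the sandbox reports, and with a looser heuristic (an HTTP POST straight to a bare public IP on 8080 or 443, which ordinary browsing almost never does). The log layout and the log lines are constructed for the demo; the RFC 1918 exclusion is an assumption to keep intranet apps out of the results.

```python
"""Scan proxy log lines for Asprox check-in traffic.

Added example, not from the original post. KNOWN_C2 is the IP:port list the
post quotes from the Malwr/TotalHash reports; the log format and the log
lines are constructed for the demo.
"""
import re
from ipaddress import ip_address, ip_network

# IP:port pairs quoted on the page.
KNOWN_C2 = {
    "110.77.220.66:443", "96.30.22.96:8080", "95.131.70.168:8080",
    "74.221.221.58:8080", "195.28.181.184:8080", "85.12.29.254:8080",
    "69.64.32.247:443", "82.165.155.77:8080",
}

# Assumed log layout: timestamp, client, method, URL, status.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")
URL_RE = re.compile(
    r"^(?P<scheme>https?)://(?P<host>[^/:]+)(?::(?P<port>\d+))?(?:/.*)?$")

# RFC 1918 ranges: POSTs to internal bare IPs (intranet apps) are not interesting here.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]

# Constructed sample log (the 203.0.113.7 address is a documentation range).
SAMPLE_LOG = """\
2014-10-08T10:01:02 10.0.0.5 POST http://82.165.155.77:8080/ 200
2014-10-08T10:01:09 10.0.0.5 GET http://www.example.com/ 200
2014-10-08T10:02:30 10.0.0.7 POST http://96.30.22.96:443/ 200
2014-10-08T10:03:11 10.0.0.9 POST https://www.example.com/login 302
2014-10-08T10:04:45 10.0.0.5 POST http://10.0.0.8:8080/api 200
2014-10-08T10:05:00 10.0.0.7 POST http://203.0.113.7:8080/ 200
""".splitlines()


def _bare_public_ip(host: str) -> bool:
    """True if host is a literal IPv4/IPv6 address outside RFC 1918 space."""
    try:
        ip = ip_address(host)
    except ValueError:
        return False  # a hostname, not a literal address
    return not any(ip in n for n in INTERNAL)


def scan_proxy_log(lines) -> list:
    """Return one hit per suspicious line with the reasons it was flagged."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line, skip rather than crash
        u = URL_RE.match(m["url"])
        if not u:
            continue
        port = u["port"] or ("443" if u["scheme"] == "https" else "80")
        dest = f"{u['host']}:{port}"
        reasons = []
        if dest in KNOWN_C2:
            reasons.append("known C2 from the post's IoC list")
        if (m["method"] == "POST" and port in {"8080", "443"}
                and _bare_public_ip(u["host"])):
            reasons.append("POST to a bare public IP on 8080/443")
        if reasons:
            hits.append({"client": m["client"], "dest": dest, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit["client"], "->", hit["dest"], ";", "; ".join(hit["reasons"]))
```

The third sample line (a known address on a port the list does not carry) only trips the heuristic, which is exactly the drift the post warns about.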

What happens after your computer joins the Asprox botnet?

Your computer will be used for whatever they want to use it for.

Popular choices are ad fraud, several methods of stealing passwords [1] [2], sending more malware spam, and anything else they want to do. They are like a stolen-computers-as-a-service provider.

Rebus Snippet's long-lived rolling Asprox saga.

Herrcore's analysis of one generation of the Windows bot itself.

Kimberly's analysis of several versions and some of the work-related modules.

Brad from malware-traffic-analysis.net has documented many previous Asprox mail campaigns. [1] [2] [3]

