
This series of fake purchase-confirmation malware spam emails thanks you for a purchase you never made and claims the order details are available through a link.

Link goes to malware download sites.

This is another email template for the Asprox botnet to spread malware.


Subject: Thank you for buying from HomeDepot.com

Subject: Order Status

Subject: Details of your order from HomeDepot.com

 We are happy to inform you that our online store HomeDepot.com has an order whose recipients details match yours.  The order could be 
received in any Local Store of HomeDepot.com within the period of 5 days.

Open this link to see full information about your order.

Our blessings to you on a Thanksgiving Day!
HomeDepot.com

Picture of fake Home Depot email from the Asprox botnet about an order.

 

Subject: Acceptance of Order

Subject: Details of your order from Costco

Subject: Thank you for buying from Costco

 Our online store Costco.com received an order and the personal data of the recipient coincide with yours. 
You may get your order in the nearest Local Store.

Attention! Your order can be reserved within 4 days.

You may see order details here.

Happy Thanksgiving Day!

Truly yours,
Costco.com

1998 – 2014
Costco Wholesale Corporation
All rights reserved

Picture of fake Costco email with link to asprox malware.

 

Subject: Acceptance of Order

Subject: Details of your order from Target.com

Subject: Thank you for buying from Target.com

 As Thanksgiving nears we want to advise you that our online shop has an order addressed to you. 

You may pick it in any store of Target.com closest to you within four days.

Please, open the link for full order information.

Happy Thanksgiving,

Always yours,
Target.com

TARGET
Privacy policy | cookies | terms & conditions | CA privacy rights
2014 Target Brands, Inc. Target, the Bullseye Design and Bullseye Dog are trademarks of Target Brands, Inc. All rights reserved.

Picture of fake Target acceptance of order asprox malware email.

 

Subject: Thank you for buying from Kroger

Subject: Details of your order from Kroger

Subject: Order Info

 Hereby we inform you that our online store has an order addressed to you. The recipient may pick it in any store of Kroger network. 

Please note that the order is valid only within four days.

Complete information about the order is presented here.

Our blessings of happiness to you!
Happy Thanksgiving Day!

Kroger

All Contents Copyright 2014 The Kroger Co. All Rights Reserved
Pharmacy Privacy Notice | Terms and Conditions | Privacy Policy

Picture of fake Kroger order information asprox malware email.


Header Examples:

The From and Envelope headers are filled with random junk. Some of it may come from the compromised web server that is sending the emails. Asprox URL-style emails (as opposed to attachment-style emails, which generally come from infected Windows bots) generally come from compromised web servers. A single web server will send over 10,000 emails per day.

Received: from connect4you.ru [188.120.251.80]
X-Envelope-From: webmaster @glazovdentaplus.ru
Subject: Acknowledgment of Order
From: "Costco" <order @glazovdentaplus.ru>

Received: from localhost.localdomain [192.99.0.132]
X-Envelope-From: apache @localhost.localdomain
Subject: Thank you for buying from Costco
From: "Costco" <order @marketingnewsbox.com>

Received: from wallpurple.com ([167.160.167.63]
X-Envelope-From: wallpur @wallpurple.com
Subject: Acknowledgment of Order
From: "Costco" <order @walldesk-hd.com>

Subject: Delivery Notification
Subject: Details of your order from Costco
Subject: Details of your order from HomeDepot.com
Subject: Details of your order from Kroger
Subject: Details of your order from Target.com
Subject: Details of your order from Walmart
Subject: Order Confirmation
Subject: Order Info
Subject: Order Status
Subject: Thank you for buying from Costco
Subject: Thank you for buying from HomeDepot.com
Subject: Thank you for buying from Kroger
Subject: Thank you for buying from Target.com
Subject: Thank you for buying from Walmart
Subject: Thank you for your order
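The header signals above (a retailer name in the From: display name over an unrelated domain, an envelope sender that is a web server's default account or simply does not match From:, and a subject from the list) can be turned into a small mail-gateway triage check. The script below is an added example written for this post, not code from the original article or from any of the researchers it links; the sample headers are constructed with reserved example domains and are not the page's own samples.

```python
"""Heuristic triage of raw mail headers for this campaign's lures.

Added example, not code from the original post. It checks the signals the
post describes: a retailer brand in the From: display name whose domain does
not match, an envelope sender that differs from From: (or is a web server's
default account such as apache@localhost.localdomain), and a subject from
the campaign's observed list. The sample headers below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Subjects observed in the campaign (from the post's header examples).
KNOWN_SUBJECTS = {
    "Acceptance of Order", "Acknowledgment of Order", "Delivery Notification",
    "Order Confirmation", "Order Info", "Order Status",
    "Thank you for your order",
}
BRANDED_SUBJECT = re.compile(
    r"^(Details of your order from|Thank you for buying from) "
    r"(Costco|HomeDepot\.com|Kroger|Target\.com|Walmart)$"
)
# Retailers impersonated in this series (from the post).
BRANDS = {"costco", "homedepot", "kroger", "target", "walmart"}
# Envelope senders that betray PHP mail() on a web server rather than a
# retailer's mail system (the post shows apache@localhost.localdomain).
WEBSERVER_DEFAULTS = {"localhost", "localhost.localdomain"}


def domain_of(header_value: str) -> str:
    """Lower-cased domain of the first address in a header, '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def score_headers(raw_headers: str) -> dict:
    """Return the matched reasons and a verdict for one message's headers."""
    msg = message_from_string(raw_headers)
    subject = (msg.get("Subject") or "").strip()
    from_hdr = msg.get("From") or ""
    display_name, _ = parseaddr(from_hdr)
    from_dom = domain_of(from_hdr)
    env_dom = domain_of(msg.get("X-Envelope-From"))
    reasons = []

    if subject in KNOWN_SUBJECTS or BRANDED_SUBJECT.match(subject):
        reasons.append("subject matches campaign list")
    brand = display_name.strip().strip('"').lower().replace(" ", "")
    if brand in BRANDS and brand not in from_dom:
        reasons.append(f"From display name '{display_name}' vs domain '{from_dom}'")
    if env_dom and from_dom and env_dom != from_dom:
        reasons.append(f"envelope domain '{env_dom}' != From domain '{from_dom}'")
    if env_dom in WEBSERVER_DEFAULTS:
        reasons.append("envelope sender is a web server default account")

    # One signal alone is common in legitimate bulk mail (third-party ESPs);
    # two or more is the pattern the post describes.
    return {"subject": subject, "reasons": reasons, "suspicious": len(reasons) >= 2}


# Constructed sample headers (reserved example domains, not real senders).
LURE_HEADERS = """\
Received: from web1.compromised-example.net [192.0.2.10]
X-Envelope-From: apache@localhost.localdomain
Subject: Thank you for buying from Costco
From: "Costco" <order@random-example.org>
"""

LEGIT_HEADERS = """\
Received: from mx.example.com [198.51.100.5]
X-Envelope-From: bounces@example.com
Subject: Your order has shipped
From: "Example Shop" <orders@example.com>
"""

if __name__ == "__main__":
    for label, hdrs in (("lure", LURE_HEADERS), ("legit", LEGIT_HEADERS)):
        result = score_headers(hdrs)
        print(label, result["suspicious"], result["reasons"])
```

The verdict threshold of two signals is a judgement call: a legitimate retailer mailing through a third-party sender will trip the envelope/From mismatch on its own, so that check is only decisive combined with the brand-name or subject match.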

More on this later

Malware

27 November 2014

The link leads to a malware download URL serving, for example, HomeDepotOrderInfo-geo-ip-city.zip containing HomeDepotOrderInfo-geo-ip-city.exe.

The link will point to a URL on a compromised web server. The download PHP file checks your user agent (to make sure you are using Windows + IE) and your IP address (to make sure you didn't try too many times, as a malware researcher would). If the conditions are right, you are handed back a zip file (which is actually only proxied by the compromised server). The zip contains an EXE trojan which joins your computer to the Asprox botnet. Links look like:

kapsourcing.com/blog.php?dp=HjfXKcld9XbxdykcP5puw...
lannasilvercm.com/user.php?dp=eH/E/JhqQkx/0pMOLyLb...
osmani.net/diff.php?dp=d5EqMyV3VXak6ztsgq77vgBD...
perpersoon.com/help.php?dp=dg346+8NzWHY0EDkIkdXZA7X...
reebate.com/pm/file.php?dp=VooGqDfxFP85tietLum2...
shxk.net.cn/object.php?dp=poo3XVmRz7ikI8MawB7...
zlass.com/header.php?dp=q6yPSuBKm+OcwBddjOPB...
zwm888.com/page.php?dp=nO9d6yAhgDxIZiV4x46tmA...
administramosfincas.com/object.php?c=anuVSYSR86Wbdy...
advconcepts.com/inc.php?t=ILBLi21SfWQh4NKpO0xk6gk4...
balbertime.com/xml.php?dp=XDvb0cxVV11gqMa1+fpeC...
beserajans.com/include.php?c=6GOPieErZ5B+c5Upgbqni...
trip.is/title.php?c=dgn0GVFHiyO5Q6NeL+oWc3R0Fw...
phongvugalaxy.com/config.php?c=20emTd8D4Xo0a8JKCdNl1t...
enshizhijia.com/plugin.php?c=+V5PIkRcRnIQV4uwYo...

There will be about 100 compromised websites per day used for Asprox downloader locations. The malware isn't actually stored on those servers, but downloaded THROUGH them from another server.

The GET request parameters seen in this series are t= for Target, dp= for Home Depot, c= for Costco, and k= for Kroger. The ZIP file and the executable are named with the GEO-IP city of the IP address your request came from, which is impressive: it looks up the city, names the exe, zips it, names the zip, then sends the response.

To avoid blocklists and researchers, if you try too many times, or with the wrong user agent (they only want Windows), you will probably get back a fake error message:

Picture of an asprox download site faking that it is clean.

Otherwise you may receive something like:

CostcoOrderInfo-Cedar_City.zip containing CostcoOrderInfo-San_Diego.exe
HomeDepotOrderInfo-San_Diego.zip containing HomeDepotOrderInfo-San_Diego.exe

The most commonly accepted name for this Asprox trojan is "Kuluoz". The EXE can get a new hash every 3 minutes, every 6 minutes, a couple of times a day, or sometimes the same EXE is used all day long. Each EXE comes with 5 to 10 IP addresses to try to report to for updates and instructions.

VirusTotal report 

ESET-NOD32 Win32/TrojanDownloader.Zortob.H
McAfee-GW BehavesLike.Win32.PWSZbot.nh
Norman Kuluoz.EP
Qihoo-360 Malware.QVM10.Gen
Rising PE:Malware.FakeDOC@CV!1.9C3C
TrendMicro HS_KULUOZ.SM13

Created mutexes
ab<USER> (successful)
aa<USER> (successful)

Malwr.com report 

Starts servers listening on 0.0.0.0:0
Performs some HTTP requests
The binary likely contains encrypted or compressed data.
Steals private information from local Internet browsers
Installs itself for autorun at Windows startup

TotalHash report 

HTTP Check-in to:
108.179.236.49:8080
1.234.20.244:8080
142.4.25.235:8080
147.102.154.192:443
178.77.98.154:8080
209.234.253.124:8080
87.117.242.95:8080
93.189.94.42:443
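The network side of this campaign gives a defender three things to hunt for in proxy and firewall logs: the downloader link shape described above (a `.php` script on a compromised site with a single retailer-keyed parameter carrying a long base64-looking token), the `<Brand>OrderInfo-<City>.zip`/`.exe` file names, and the check-in destinations listed in the TotalHash section. The scanner below is an added example written for this post, not code from the original article; the log format it parses is a constructed one (timestamp, client, destination ip:port, method, URL) and the sample lines use reserved example addresses, so adapt `parse_line()` to your proxy's real format.

```python
"""Scan proxy/firewall log lines for the network indicators this post
describes: downloader links of the form <site>/<name>.php?<t|dp|c|k>=<token>,
lure file names like CostcoOrderInfo-San_Diego.zip, and HTTP check-ins to
the bot's C2 IP:port pairs.

Added example, not code from the original post. The log line format is a
constructed one; adapt parse_line() to your proxy's actual format.
"""
import re
from urllib.parse import urlsplit

# Check-in destinations listed in the post's TotalHash section.
C2_ENDPOINTS = {
    "108.179.236.49:8080", "1.234.20.244:8080", "142.4.25.235:8080",
    "147.102.154.192:443", "178.77.98.154:8080", "209.234.253.124:8080",
    "87.117.242.95:8080", "93.189.94.42:443",
}
# Retailer-keyed parameter names the post lists: t= Target, dp= Home Depot,
# c= Costco, k= Kroger. The value is a long base64-looking token.
LURE_PARAMS = {"t", "dp", "c", "k"}
TOKEN = re.compile(r"^[A-Za-z0-9+/=]{16,}$")
# <Brand>OrderInfo-<GeoIP city>.zip / .exe naming seen in the post.
LURE_FILENAME = re.compile(
    r"^(Costco|HomeDepot|Kroger|Target|Walmart)OrderInfo-[A-Za-z_]+\.(zip|exe)$"
)


def is_downloader_url(url: str) -> bool:
    """True for an <anything>.php URL whose only query parameter is one of
    the campaign's parameter names carrying a base64-like token."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    if not parts.path.lower().endswith(".php") or "&" in parts.query:
        return False
    # Split by hand: parse_qs would turn a '+' inside the token into a space.
    name, sep, value = parts.query.partition("=")
    return sep == "=" and name in LURE_PARAMS and TOKEN.match(value) is not None


def is_lure_filename(name: str) -> bool:
    """True for file names following the campaign's <Brand>OrderInfo-<City> pattern."""
    return LURE_FILENAME.match(name) is not None


def parse_line(line: str) -> dict:
    """Parse one constructed-format log line into its fields."""
    ts, client, dest, method, url = line.split(maxsplit=4)
    return {"ts": ts, "client": client, "dest": dest,
            "method": method, "url": url.strip()}


def scan_log(lines):
    """Return (line_number, reason, url) for each line matching an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dest"] in C2_ENDPOINTS:
            hits.append((n, f"check-in to known C2 {rec['dest']}", rec["url"]))
        elif is_downloader_url(rec["url"]):
            hits.append((n, "Asprox-style downloader link", rec["url"]))
    return hits


# Constructed sample log (reserved example hosts; the first line mimics the
# link shape from the post, the second a check-in to a listed C2 endpoint).
SAMPLE_LOG = [
    "2014-11-27T10:02:11 10.0.0.5 203.0.113.7:80 GET "
    "http://blog.compromised-example.net/blog.php?dp=HjfXKcld9XbxdykcP5puwQ==",
    "2014-11-27T10:02:40 10.0.0.5 108.179.236.49:8080 POST http://108.179.236.49:8080/",
    "2014-11-27T10:03:02 10.0.0.9 93.184.216.34:80 GET http://shop.example.com/index.php?page=home",
    "2014-11-27T10:03:15 10.0.0.9 198.51.100.20:80 GET http://example.org/docs.php?c=abc&k=def",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

Because the post notes that around 100 compromised sites rotate through the downloader role every day, the hostname is the weakest indicator; the URL shape and the `OrderInfo-<City>` file name survive the rotation, and the C2 list is the strongest signal for a host that has already run the EXE.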

What happens after your computer joins the Asprox botnet?

Your computer will be used for whatever they want to use it for.

Popular choices are ad fraud, several methods of stealing passwords [1] [2], sending more malware spam, and anything else they want to do. They are like a stolen-computers-as-a-service provider.

Rebus Snippet's long-lived rolling Asprox saga.

Herrcore's analysis of one generation of the Windows bot itself.

Kimberly's analysis of several versions and some of the work-related modules.

Brad from malware-traffic-analysis.net has documented many previous Asprox mail campaigns. [1] [2] [3]


