
Email:

Fake Facebook virus spam email claims your password was reset due to suspicious activity on your account.

Link goes to malware download sites.

This is another email template for the Asprox botnet to spread malware.


Subject: Facebook password change

 Hi, 

 Your Facebook password was been reset on Thursday, December 11, 2014 at 03:48PM (UTC) due to suspicious activity of your account.

 Operating system: [ some operating system ]
 Browser: [ some browser ]
 IP address: [ some ip address ]
 Estimated location: [ some location city, state, zip, etc ]  

 To restore the password complete this form, please, your request will be considered within 24 hours.

 Thanks,
 The Facebook Security Team
    Facebook, Inc., Attention: Department 425, PO Box 10005, Palo Alto, CA 94303

Picture of the fake Facebook email about a password reset from the Asprox botnet.

The IP address and Estimated location fields are simply part of the email template; each batch of emails gets a different template, so they don't mean anything.

 Hi, 

Your Facebook password was been reset on Thursday, December 11, 2014 at 05:09PM (UTC) due to suspicious activity of your account.

Operating system: IOS
Browser: Opera
IP address: 165.149.137.72
Estimated location: Tahoe Valley, CA, US

 

 Hi, 

Your Facebook password was been reset on Thursday, December 11, 2014 at 06:24PM (UTC) due to suspicious activity of your account.

Operating system: Android
Browser: Mozilla Firefox
IP address: 164.12.172.103
Estimated location: Rochester, NY, US

A list of some of the "estimated locations" I have found on these emails:

Walker, WV, US
Rochester, NY, US
Astoria, OR, US
Lehigh Acres, FL, US
Philo, CA, US
Blanchard, PA, US

... and many more.


Header Examples:

Spoofs random stuff in the From headers. The envelope sender (MAIL FROM:) picks up the hostname of the compromised web server that is sending the email.

Received: from demo.onlinehorizons.net [38.111.46.90]
X-Envelope-From: amrtest @demo.onlinehorizons.net
From: "Facebook" <notification @test.use-trade.com>
Subject: Facebook password change

Received: from vps.assamcompany.com [209.140.28.78]
X-Envelope-From: countmei @vps.assamcompany.com
From: "Facebook" <notification @countmeinconference.org>
Subject: Facebook password change
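The mismatch the two header samples above show (display name says "Facebook", the From: address is on an unrelated domain, and the envelope sender's domain is the relaying server itself) can be checked mechanically. The script below is an added example, not code from the post; it runs over the post's two header blocks with the obfuscating space before "@" removed, and the list of domains treated as legitimate for the Facebook brand is an assumption made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# The two header blocks quoted in the post, with the anti-scrape space before "@" removed.
SAMPLES = [
    'Received: from demo.onlinehorizons.net [38.111.46.90]\n'
    'X-Envelope-From: amrtest@demo.onlinehorizons.net\n'
    'From: "Facebook" <notification@test.use-trade.com>\n'
    'Subject: Facebook password change\n',
    'Received: from vps.assamcompany.com [209.140.28.78]\n'
    'X-Envelope-From: countmei@vps.assamcompany.com\n'
    'From: "Facebook" <notification@countmeinconference.org>\n'
    'Subject: Facebook password change\n',
]

# Assumption for this example: a display name containing "facebook" is only
# plausible when the From: address sits under one of these domains.
BRAND_DOMAINS = {"facebook": ("facebook.com", "facebookmail.com")}


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def under(domain, parents):
    """True if domain equals, or is a subdomain of, any entry in parents."""
    return any(domain == p or domain.endswith("." + p) for p in parents)


def analyze(raw_headers):
    """Compare relay host, envelope sender and From: header; return the findings."""
    msg = message_from_string(raw_headers)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, env_addr = parseaddr(msg.get("X-Envelope-From", ""))
    m = re.search(r"from\s+(\S+)", msg.get("Received", ""))
    relay = m.group(1).lower() if m else ""

    from_dom, env_dom = domain_of(from_addr), domain_of(env_addr)
    findings = []
    for brand, legit in BRAND_DOMAINS.items():
        if brand in display.lower() and not under(from_dom, legit):
            findings.append(f"display name claims {brand!r} but From: domain is {from_dom}")
    if env_dom != from_dom:
        findings.append(f"envelope sender domain {env_dom} differs from From: domain {from_dom}")
    if relay and env_dom == relay:
        findings.append(f"envelope sender domain is the relaying host itself ({relay})")
    return {
        "relay": relay,
        "envelope_domain": env_dom,
        "from_domain": from_dom,
        "findings": findings,
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        result = analyze(sample)
        print(result["relay"], "->", result["from_domain"])
        for finding in result["findings"]:
            print("  -", finding)
```

Both samples produce all three findings. On a real mail gateway the same three comparisons are what a DMARC alignment check formalises: the envelope sender domain and the From: domain should line up, and a brand name in the display name should sit on a domain that brand actually sends from.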

Malware

11 December 2014 

Link to malware download URL

The link will point to a URL on a compromised web server. The download PHP file will check your user agent (to make sure you are using Windows + IE) and your IP address (to make sure you didn't try too many times like a malware researcher). If the conditions are right, you will be handed back a zip file (which is actually only proxied by the compromised server). The zip will contain an EXE trojan which joins your computer to the Asprox botnet. Links look like:

actmedya.com/files.php?fb=omlMzi0VFm4K3/Z5bgwySgHd1lMuAeG0YKdSsOqxi04=
v3f.fr/gallery.php?fb=HblUFXFnmzjRM8+cb4ws0X...
xilicate.com/press.php?fb=M3YM8JIRClwqRNGgFD...
truel.net/tmp/model.php?fb=3JSihGcw4g6Ysm5Injb+4...
tuxedofarms.com/functions.php?fb=so+JcsXPpnZfCQlsSNcTLAe1...
theindustriegirl.com/css.php?fb=NqZS/mAQatHQiSXH1...
trecho.com.uy/tmp/model.php?fb=dDCsXFoDtUnJGUlgz5...

There will be about 100 compromised websites per day used for Asprox downloader locations. The malware isn't actually stored on those servers, but downloaded THROUGH them from another server. Notice the fb= GET parameter for this specific campaign. Others include fdx for the fake FedEx emails and vib for the Viber series.
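The download links share a shape that is easy to hunt for in proxy logs: a .php script on an otherwise unremarkable host, with a single query parameter named after the campaign (fb, fdx, vib) whose value is a base64-looking blob. The script below is an added example, not code from the post, and it covers all three campaign tags the post names rather than just fb. The log lines are constructed for the example in a Squid-like layout; the first URL is the one complete download link quoted above, the others are benign look-alikes that should not match.

```python
import re
from urllib.parse import urlsplit

# GET-parameter names the post ties to Asprox mail campaigns.
CAMPAIGN_TAGS = {
    "fb": "fake Facebook password reset",
    "fdx": "fake FedEx",
    "vib": "fake Viber",
}

# The parameter values in the post are base64-like blobs; require at least 16 such characters.
B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
URL_IN_LINE = re.compile(r"https?://\S+")

# Constructed proxy log lines (Squid-like layout), not taken from the post. Only the
# first URL is a real link from the post; the rest are benign look-alikes.
SAMPLE_LOG = """\
1418314080.101 312 10.1.2.3 TCP_MISS/200 1203 GET http://actmedya.com/files.php?fb=omlMzi0VFm4K3/Z5bgwySgHd1lMuAeG0YKdSsOqxi04= - DIRECT/203.0.113.10 application/zip
1418314085.220 45 10.1.2.3 TCP_MISS/200 5120 GET http://example.com/files.php?fb=1 - DIRECT/203.0.113.11 text/html
1418314090.330 60 10.1.2.4 TCP_MISS/200 800 GET http://example.net/track.php?fdx=AbCdEfGhIjKlMnOpQrStUv+/== - DIRECT/203.0.113.12 application/zip
1418314095.440 70 10.1.2.5 TCP_MISS/200 900 GET http://example.org/view.php?id=42&fb=QUJDREVGR0hJSktMTU5PUA== - DIRECT/203.0.113.13 text/html
"""


def classify_url(url):
    """Return the campaign tag ('fb', 'fdx' or 'vib') if url matches the downloader shape, else None."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    if not parts.path.lower().endswith(".php"):
        return None
    # Split the query by hand: parse_qs would turn the '+' inside the blob into a space.
    params = [p.partition("=") for p in parts.query.split("&") if p]
    if len(params) != 1:
        return None
    name, _, value = params[0]
    if name not in CAMPAIGN_TAGS or not B64_BLOB.match(value):
        return None
    return name


def scan_log(text):
    """Return (tag, host) for every log line whose URL matches the downloader shape."""
    hits = []
    for line in text.splitlines():
        m = URL_IN_LINE.search(line)
        if not m:
            continue
        tag = classify_url(m.group(0))
        if tag:
            hits.append((tag, urlsplit(m.group(0)).hostname))
    return hits


if __name__ == "__main__":
    for tag, host in scan_log(SAMPLE_LOG):
        print(f"{host}: {CAMPAIGN_TAGS[tag]} downloader")
```

Because the hosting sites rotate daily (about 100 per day, per the post), matching on the URL shape outlives any list of hostnames; the host names it returns are what you would then add to a block list or pivot on.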

The EXE can have a unique hash every single 3 minutes, every 6 minutes, a couple times a day, or sometimes the same EXE will be used all day long.

Each EXE will come with 5 to 10 IP addresses to try to report to for updates and instructions.

The most commonly-accepted name for this Asprox trojan is "Kuluoz". If you are using a different name, you and I can never be friends.

Downloaded file: FB_Password_Reset_Form.zip containing FB_Password_Reset_Form.exe

VirusTotal report 

Avast      Win32:Malware-gen
CMC        Packed.Win32.TDSS.2!O
Comodo     TrojWare.Win32.Kuluoz.EMK
Cyren      W32/FakeAlert.5!Maximus
F-Prot     W32/FakeAlert.5!Maximus
Qihoo-360  Malware.QVM10.Gen

Malwr.com report 

Since this sample didn't play so well on the above sandboxes, I ran it myself:

Classic icon flavor.

Picture of the icon of the executable from the Asprox email.

Behavior:

Injected into svchost.exe
svchost.exe had mutex aa[username]
Attempted to check in with C2 infrastructure at:
109.234.156.84:8080
133.242.54.221:443
162.255.86.196:8080
208.81.237.99:8080
70.32.100.120:8080
93.189.94.42:443
94.23.33.107:8080

Those IP addresses are generally compromised servers acting as a command and control proxy. As they are cleaned up, each new exe will likely come with a few new IP addresses and drop the dead ones. After a couple months, it will be rare for another Kuluoz trojan to come with any of the same IP addresses.

What happens after your computer joins the Asprox botnet?

Your computer will be used for whatever they want to use it for.

Popular choices are ad fraud, several methods of stealing passwords [1] [2], sending more malware spam, and anything else they want to do. They are like a stolen-computers-as-a-service provider.

The fun new thing (which was old, and just came back) is the Fake Antivirus push described by Brad from malware-traffic-analysis.net.

Rebus Snippet's long-lived rolling Asprox saga.

Herrcore's analysis of one generation of the Windows bot itself.

Kimberly's analysis of several versions and some of the work-related modules.

Brad from malware-traffic-analysis.net has documented many previous Asprox mail campaigns. [1] [2] [3]
