
Email:

A fake Walgreens spam email claims the store has received an order addressed to you, which you must confirm using the provided link.

The link leads to compromised websites that serve the Asprox malware.

Big thanks to Project Honey Pot for finding this.

Picture of tweet from Project Honeypot about the fake Walgreens email.

Another big thanks to "Lynn" who sent me more data for this email, including email headers and intact html giving us a better screenshot of this rare and elusive malware email!


Subject: Order Confirmation

 [ Walgreens logo ]

AT THE CORNER OF HAPPY & HEALTHY

Pharmacy & Health | Poto | Shop Products

E-shop Walgreens has received an order addressed to you which has to be confirmed by the recipient within 4 days. Upon confirmation you may pick it in any nearest store of Walgreens.

Detailed order information is provided here.

Walgreens

Notice of Privacy Practices :: Terms of Use :: Online Privacy & Security


© Copyright 2014 Walgreen Co. All rights reserved.

Thanks Lynn!

Picture of fake walgreens email with malware link.

An earlier submitted picture of the email with slightly mangled html:

Picture of fake Walgreens email with malware download link.


Headers:

Asprox URL-style emails almost ALWAYS come from compromised web servers (as opposed to attachment-style emails, which come from Windows bots). A dropped PHP script receives HTTP POSTs containing the template, a list of recipients, links, fake mail transport agent strings, and sometimes spoofed headers.

A single compromised web server will often be sent data every 3 minutes, with about 30 emails per POST. This can generate around 10,000 emails per day, generally pointing to about 100 compromised landing sites.

Received: from [185.25.185.3]
Envelope : <toyotaparts @burdickcars.com>
From: Walgreens <toyotaparts @burdickcars.com>
Subject: Order Confirmation

Received: from unknown (HELO p3plibsmtp01-05.prod.phx3.secureserver.net) ([10.6.12.127])
From: Walgreens <tquanbeck @real-time.com>
Reply-To: Walgreens <tquanbeck @real-time.com>
Subject: Order Status
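To make the header section concrete, here is an added triage script (my example, not something from the spam run or any tool the post mentions) that pulls out the pieces a mail filter or IR analyst checks first: the brand name in the From display name versus the actual sending domain, the Reply-To and envelope-sender domains, and the IP/HELO of each Received hop, flagging the hop closest to the origin when it is publicly routable. The header excerpts are the two quoted above with the defanging spaces removed; the Return-Path header (standing in for what the post labels "Envelope") and the "by mx.example.net" clause are constructed, and walgreens.com as the brand's only legitimate sending domain is an assumption.

```python
"""Header triage for a brand-spoofing spam run (added example, not from the original post)."""
import email
import ipaddress
import re
from email.utils import parseaddr

# Brand word in the display name -> domains that brand legitimately mails from.
# Assumption for this example: walgreens.com is the only legitimate sender domain.
BRAND_DOMAINS = {"walgreens": {"walgreens.com"}}

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_NAME = re.compile(r"\(HELO\s+([^)\s]+)\)", re.IGNORECASE)

# Constructed from the two header excerpts quoted in the post (defanging space removed;
# Return-Path and the "by mx.example.net" clause are added for the example).
SAMPLE_1 = """\
Received: from [185.25.185.3] by mx.example.net with SMTP
Return-Path: <toyotaparts@burdickcars.com>
From: Walgreens <toyotaparts@burdickcars.com>
Subject: Order Confirmation
"""

SAMPLE_2 = """\
Received: from unknown (HELO p3plibsmtp01-05.prod.phx3.secureserver.net) ([10.6.12.127])
From: Walgreens <tquanbeck@real-time.com>
Reply-To: Walgreens <tquanbeck@real-time.com>
Subject: Order Status
"""


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def _same_org(domain: str, legit: set) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in legit)


def parse_hops(received_headers) -> list:
    """One dict per Received: header, in header order (newest hop first)."""
    hops = []
    for value in received_headers:
        m_ip = BRACKETED_IP.search(value)
        m_helo = HELO_NAME.search(value)
        ip = m_ip.group(1) if m_ip else None
        private = None
        if ip:
            try:
                private = not ipaddress.ip_address(ip).is_global
            except ValueError:
                private = None
        hops.append({"ip": ip, "helo": m_helo.group(1) if m_helo else None, "private": private})
    return hops


def triage_headers(raw: str) -> dict:
    msg = email.message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_domain = _domain(from_addr)
    hops = parse_hops(msg.get_all("Received") or [])

    # Received: headers are prepended as mail travels, so the last one is the hop
    # closest to the origin. Only report it if the address is publicly routable.
    origin_ip = None
    for hop in reversed(hops):
        if hop["ip"] and hop["private"] is False:
            origin_ip = hop["ip"]
            break

    brand_mismatch = any(
        brand in display.lower() and not _same_org(from_domain, legit)
        for brand, legit in BRAND_DOMAINS.items()
    )
    return {
        "subject": msg.get("Subject", ""),
        "display_name": display,
        "from_domain": from_domain,
        "reply_to_domain": _domain(reply_to),
        "return_path_domain": _domain(return_path),
        "hops": hops,
        "origin_ip": origin_ip,
        "brand_mismatch": brand_mismatch,
        "reply_to_mismatch": bool(reply_to) and _domain(reply_to) != from_domain,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_1, SAMPLE_2):
        print(triage_headers(sample))
```

One caveat the post's own remark about "spoofed headers" implies: any Received line below the one your own MX wrote may have been supplied in the spammer's POST to the dropped script, so trust the hop your server added and treat the rest as hints. The brand check is deliberately simple (display name says Walgreens, sending domain does not belong to Walgreens); in both excerpts it fires, and the second excerpt's only hop is an RFC 1918 relay address, so no public origin is reported for it.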

Malware:

The landing sites are just compromised websites. They come and go, and Asprox can go through thousands in a month. Asprox loves proxies, and these landing sites are just small, malware-downloading proxies: the request is proxied to another server, and either malware is sent back or the response is a fake error message.

URL example:

sttc.nu/dirs.php?w=8jhbz5yel1VzRf2adBGrxAbivqTF/GTY2qAG8dW+Cao=

The proxied request is checked for its User-Agent string (Windows only, usually Internet Explorer only) and its IP address (an IP that tries too many times is blocked). If your stars align, you are handed back a zip containing an executable. The zip and the executable inside it may be named after the GeoIP city of the requesting address, for example Walgreens_OrderID-156111-West_Jordan.zip containing Walgreens_OrderID-156111-West_Jordan.exe.
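Added example (mine, not the post's) of the triage you would run on whatever the landing-site proxy returns once the User-Agent and IP checks pass: classify the response as a zip, a bare executable or a fake error page, then, for a zip, list each member with its size, SHA-256, whether it starts with the DOS "MZ" signature, whether its extension is executable, and the order ID and city parsed out of the Walgreens_OrderID-NNNNNN-City naming pattern described above. The zip is built in memory around a harmless 64-byte stand-in for the .exe, using the file name quoted in the post; the "error"/"not found" keyword test for fake error pages is an assumption.

```python
"""Triage of an Asprox-style zip download (added example, not code from the original post)."""
import hashlib
import io
import re
import zipfile

# Naming pattern quoted in the post: <Brand>_OrderID-<digits>-<GeoIP city>.<ext>
PAYLOAD_NAME = re.compile(
    r"^(?P<brand>[A-Za-z]+)_OrderID-(?P<order>\d+)-(?P<city>[A-Za-z_]+)\.(?P<ext>[A-Za-z0-9]+)$"
)
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}


def build_sample_zip() -> bytes:
    """Constructed stand-in for the download: the file name from the post wrapping a
    64-byte blob that merely carries a DOS 'MZ' signature (not a real or malicious PE)."""
    fake_exe = b"MZ" + b"\x90" * 58 + b"PE\x00\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Walgreens_OrderID-156111-West_Jordan.exe", fake_exe)
    return buf.getvalue()


def classify_response(status: int, body: bytes) -> str:
    """Label what the landing-site proxy handed back. The error-keyword test is an
    assumption about what the post calls a 'fake error message'."""
    if body[:2] == b"PK":
        return "zip_payload"
    if body[:2] == b"MZ":
        return "bare_executable"
    if status >= 400 or b"error" in body.lower() or b"not found" in body.lower():
        return "fake_error_or_block"
    return "other"


def triage_payload(data: bytes) -> dict:
    """Inspect a zip download without executing anything in it."""
    if data[:2] != b"PK":
        return {"is_zip": False, "members": [], "verdict": "not_zip"}
    members = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                content = zf.read(info)
                name = info.filename.rsplit("/", 1)[-1]
                ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
                m = PAYLOAD_NAME.match(name)
                members.append({
                    "name": name,
                    "size": len(content),
                    "sha256": hashlib.sha256(content).hexdigest(),
                    "is_pe": content[:2] == b"MZ",
                    "executable_ext": ext in EXECUTABLE_EXTS,
                    "order_id": m.group("order") if m else None,
                    "city": m.group("city").replace("_", " ") if m else None,
                })
    except zipfile.BadZipFile:
        return {"is_zip": False, "members": [], "verdict": "corrupt_zip"}
    executable = any(mb["is_pe"] or mb["executable_ext"] for mb in members)
    return {
        "is_zip": True,
        "members": members,
        "verdict": "executable_in_zip" if executable else "no_executable",
    }


if __name__ == "__main__":
    sample = build_sample_zip()
    print(classify_response(200, sample))
    print(triage_payload(sample))
```

Because the city in the file name comes from the GeoIP of whoever fetched it, the same payload gets a different name from every sandbox and analyst; share the SHA-256 of the inner executable as the indicator, not the zip or exe name. Fetching a real sample needs the Windows/IE User-Agent and a fresh IP described above, and a fake error page is the normal answer when those checks fail.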

The Asprox executable is generally referred to as Kuluoz. It doesn't matter what URL you get it from, they all come from the same place (via proxy) and do the same thing: take over your computer. Here is one example:

VirusTotal report 

ESET-NOD32: a variant of Win32/Kryptik.CMZR
F-Prot: W32/FakeAlert.FY.gen!Eldorado
Kaspersky: HEUR:Trojan.Win32.Generic
Malwarebytes: Trojan.Downloader
McAfee: Downloader-FAII!20E35117C332
Norman: ZBot.CKEK
Symantec: Packed.Generic.463

Malwr.com report 

Starts servers listening on 0.0.0.0:0
Performs some HTTP requests
Steals private information from local Internet browsers
Installs itself for autorun at Windows startup

HTTP POSTs to: 82.165.155.77:8080

TotalHash report 

HTTP POSTs to:
110.77.220.66:443
96.30.22.96:8080
95.131.70.168:8080
74.221.221.58:8080
195.28.181.184:8080
85.12.29.254:8080
69.64.32.247:443
82.165.155.77:8080

Those IP addresses will change as some are taken down and new ones come online. They are almost always compromised web servers.
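The check-in list above changes constantly, so the useful detection pairs the known IP:port set with a heuristic that survives rotation. Added example (mine, not from the post): run it over constructed proxy-log lines (format: timestamp, client, method, URL, status; 203.0.113.5 and 93.184.216.34 are documentation addresses, not indicators). A destination in the post's C2 list rates high; a POST over plain HTTP to a bare IP address on a non-80 port rates medium, which is my generalisation of the "HTTP POSTs to IP:8080" pattern the sandboxes recorded, not something the post states.

```python
"""Spot Kuluoz-style C2 check-ins in a web proxy log (added example, not from the original post)."""
import ipaddress
import re
from urllib.parse import urlsplit

# IP:port pairs from the Malwr.com / TotalHash output quoted above. They rotate, so
# this set ages quickly; the heuristic in classify_request is what keeps working.
KULUOZ_C2 = {
    ("110.77.220.66", 443), ("96.30.22.96", 8080), ("95.131.70.168", 8080),
    ("74.221.221.58", 8080), ("195.28.181.184", 8080), ("85.12.29.254", 8080),
    ("69.64.32.247", 443), ("82.165.155.77", 8080),
}

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Constructed log lines: one known C2, one benign GET, one unknown bare-IP POST,
# one ordinary POST to a named host. The private client addresses are made up.
SAMPLE_LOG = """\
2014-07-16T10:01:02Z 192.168.1.23 POST http://82.165.155.77:8080/ 200
2014-07-16T10:01:09Z 192.168.1.23 GET http://93.184.216.34/index.html 200
2014-07-16T10:04:02Z 192.168.1.23 POST http://203.0.113.5:8080/ 200
2014-07-16T10:05:40Z 192.168.1.40 POST https://www.example.com/login 302
"""


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_request(method: str, url: str):
    """Return 'high', 'medium' or None for one proxied request."""
    parts = urlsplit(url)
    host = parts.hostname
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if host and (host, port) in KULUOZ_C2:
        return "high"
    # Heuristic (assumption generalising the post's observation): bots check in by
    # POSTing over plain HTTP to a bare IP on a non-standard port; browsers rarely do.
    if (method == "POST" and host and _is_ip_literal(host)
            and parts.scheme == "http" and port != 80):
        return "medium"
    return None


def detect(log_text: str) -> list:
    """Parse each line and return alert dicts for the suspicious ones, in log order."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the constructed format
        severity = classify_request(m.group("method"), m.group("url"))
        if severity is None:
            continue
        parts = urlsplit(m.group("url"))
        port = parts.port or (443 if parts.scheme == "https" else 80)
        alerts.append({
            "ts": m.group("ts"),
            "src": m.group("src"),
            "dst": f"{parts.hostname}:{port}",
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The medium-severity rule will also catch some legitimate bare-IP API traffic, so pair it with the client: a workstation that posts to a fresh IP:8080 every few minutes after opening an "order confirmation" zip is the combination worth escalating, and the 443 entries in the list are only caught by the indicator match here because the post does not say what protocol those posts use.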

Some of these Kuluoz trojans are getting better at avoiding some of the publicly available sandboxes like Malwr.com. This comes and goes, a constant arms race, I'm sure. The sample I downloaded from the URL found by Project Honey Pot (sttc.nu) didn't run so well in those sandboxes. But rest assured, this Kuluoz runs fine.

Picture of asprox kuluoz sample running like a champ.

Injects into svchost.exe, creates an aa[user] mutex, and shows a nice list of C2 check-in locations. An Asprox bot.
