A fake Walgreens virus spam email claims the store has received an order addressed to you that you must confirm using the provided link.
The link leads to compromised websites that serve the Asprox malware.
Big thanks to Project Honey Pot for finding this.
Another big thanks to "Lynn" who sent me more data for this email, including email headers and intact html giving us a better screenshot of this rare and elusive malware email!
Subject: Order Confirmation
[ Walgreens logo ]
AT THE CORNER OF HAPPY & HEALTHY
Pharmacy & Health | Poto | Shop Products
E-shop Walgreens has received an order addressed to you which has to be confirmed by the recipient within 4 days. Upon confirmation you may pick it in any nearest store of Walgreens.
Detailed order information is provided here.
© Copyright 2014 Walgreen Co. All rights reserved.
An earlier submitted picture of the email with slightly mangled html:
Asprox URL-style emails almost ALWAYS come from compromised web servers (as opposed to attachment-style emails, which come from Windows bots). A dropped PHP script on the server receives HTTP POSTs containing the template, a list of recipients, links, fake mail transport agent strings, and sometimes spoofed headers.
A single compromised web server will often be sent data every 3 minutes, with about 30 emails per POST. That works out to around 10,000 emails per day, generally pointing to about 100 compromised landing sites.
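If you run a web server and want to know whether one of these mailer scripts has been dropped on it, the cadence described above is the tell: one client POSTing to one PHP file every few minutes, around the clock. Here is an added example (my own code, not from the original post or from the Asprox operators) that looks for that pattern in Apache combined-format access logs. The log lines are constructed to model the behaviour described; the script path and client IP are made up.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed Apache combined-format access log lines (not from the original post).
# They model the traffic the post describes: a controller POSTing to a dropped
# PHP mailer roughly every three minutes, mixed in with ordinary site traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jun/2014:08:00:01 +0000] "POST /wp-content/uploads/cache/sm.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Jun/2014:08:00:40 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jun/2014:08:03:02 +0000] "POST /wp-content/uploads/cache/sm.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
198.51.100.9 - - [12/Jun/2014:08:04:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jun/2014:08:06:01 +0000] "POST /wp-content/uploads/cache/sm.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
203.0.113.5 - - [12/Jun/2014:08:09:03 +0000] "POST /wp-content/uploads/cache/sm.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
203.0.113.5 - - [12/Jun/2014:08:12:00 +0000] "POST /wp-content/uploads/cache/sm.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
"""

# Apache "combined" log format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_mailer_scripts(log_text, min_posts=4, period_s=180, tolerance_s=30):
    """Return {(client_ip, path): stats} for PHP scripts that receive POSTs from a
    single client at a steady cadence close to period_s seconds (default: 3 minutes)."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].lower().endswith(".php"):
            posts[(rec["ip"], rec["path"])].append(rec["ts"])
    hits = {}
    for key, stamps in posts.items():
        if len(stamps) < min_posts:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)  # median, so one missed or late POST does not hide the pattern
        if abs(med - period_s) <= tolerance_s:
            hits[key] = {"posts": len(stamps), "median_interval_s": med}
    return hits

if __name__ == "__main__":
    for (ip, path), stats in find_mailer_scripts(SAMPLE_LOG).items():
        print(f"possible mailer script: {path} fed by {ip} "
              f"({stats['posts']} POSTs, median gap {stats['median_interval_s']:.0f}s)")
```

The legitimate wp-login POST is ignored because it arrives once; the mailer is flagged because its five POSTs are spaced at a median of 180 seconds. On a real server you would then look at what that PHP file actually does, and at how it got there.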
Received: from [220.127.116.11]
Envelope : <toyotaparts @burdickcars.com>
From: Walgreens <toyotaparts @burdickcars.com>
Subject: Order Confirmation
Received: from unknown (HELO p3plibsmtp01-05.prod.phx3.secureserver.net) ([10.6.12.127])
From: Walgreens <tquanbeck @real-time.com>
Reply-To: Walgreens <tquanbeck @real-time.com>
Subject: Order Status
The landing sites are just compromised websites. They come and go, and Asprox can go through thousands in a month. Asprox loves proxies, and these landing sites are just small, malware-downloading proxies. The request will be proxied to another server, and either malware will be sent back or the response will be a fake error message.
Some url examples:
The proxied request will be checked for user-agent string (Windows only, usually IE only) and IP address (an IP that tries too many times will be blocked). If your stars align, you will be handed back a zip containing an executable. The zip and executable file may be named based on the geo-IP city your request came from, for example: Walgreens_OrderID-156111-West_Jordan.zip containing Walgreens_OrderID-156111-West_Jordan.exe
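When you do get something back from one of these landing sites, the first job is to tell a real download from the fake error page, and the second is to see what is inside the zip without running it. The following is an added example (my own triage helper, not code from the original post) that does both offline. The "payload" it builds is a constructed DOS `MZ` stub with filler bytes, not a real executable; the file name follows the pattern described above.

```python
import io
import re
import zipfile

# File-name pattern the post describes: <theme>_OrderID-<digits>-<geo-ip city>.<ext>
NAME_RE = re.compile(
    r"^(?P<theme>[A-Za-z]+)_OrderID-(?P<order>\d+)-(?P<city>[A-Za-z_]+)\.(?P<ext>[A-Za-z0-9]+)$"
)
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
MAX_MEMBER_BYTES = 20 * 1024 * 1024  # do not inflate anything larger than this (zip-bomb guard)

def classify_response(body):
    """Sort a landing-site response by its content, not its headers: zip / pe / fake-error / unknown."""
    if body.startswith(b"PK\x03\x04"):
        return "zip"
    if body.startswith(b"MZ"):
        return "pe"
    head = body[:512].lower()
    if b"<html" in head or b"error" in head or b"not found" in head:
        return "fake-error"
    return "unknown"

def triage_zip(body):
    """List zip members with the indicators an analyst wants: executable extension,
    MZ magic, and the order id / city embedded in the file name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(body)) as zf:
        for info in zf.infolist():
            # file_size comes from the central directory and can be forged,
            # which is why only the first two bytes are ever read below.
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append({"name": info.filename, "skipped": "too large"})
                continue
            with zf.open(info) as fh:
                magic = fh.read(2)
            name = info.filename.rsplit("/", 1)[-1]
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            m = NAME_RE.match(name)
            findings.append({
                "name": info.filename,
                "size": info.file_size,
                "executable_ext": ext in EXEC_EXTS,
                "mz_header": magic == b"MZ",
                "order_id": m.group("order") if m else None,
                "city": m.group("city").replace("_", " ") if m else None,
            })
    return findings

def build_sample_zip():
    """Constructed stand-in for the download: an 'MZ' stub plus filler, NOT a real PE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Walgreens_OrderID-156111-West_Jordan.exe", b"MZ" + b"\x00" * 62 + b"stub")
    return buf.getvalue()

FAKE_ERROR = b"<html><body><h1>404 Not Found</h1></body></html>"  # constructed decoy response

if __name__ == "__main__":
    for body in (build_sample_zip(), FAKE_ERROR):
        kind = classify_response(body)
        print("response:", kind)
        if kind == "zip":
            for f in triage_zip(body):
                print("  ", f)
```

Classifying by magic bytes rather than by `Content-Type` matters here because the proxy on the landing site controls the headers and has no reason to be honest about them. The city parsed out of the file name is a nice side channel: it tells you which geo-IP database entry the operators saw for your exit address.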
The Asprox executable is generally referred to as Kuluoz. It doesn't matter what URL you get it from, they all come from the same place (via proxy) and do the same thing: take over your computer. Here is one example:
ESET-NOD32 a variant of Win32/Kryptik.CMZR
Starts servers listening on 0.0.0.0:0
Performs some HTTP requests
Steals private information from local Internet browsers
Installs itself for autorun at Windows startup
HTTP POSTs to: 18.104.22.168:8080
HTTP POSTs to:
Those IP addresses will change as some are taken down and new ones come online. They are almost always compromised web servers.
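Because the check-in addresses rotate, a blocklist of last week's IPs is not much of a detection. The shape of the traffic is more durable: POSTs going straight to an IP literal on a non-standard port, with no hostname involved. Here is an added example (mine, not from the original post) that pulls that shape out of Squid-style proxy logs. The log lines are constructed, using documentation address ranges, to model an infected client (10.0.0.12) beside a clean one (10.0.0.40).

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed Squid native-format proxy log lines (not from the original post).
# Fields: time elapsed client action/code bytes method url user hierarchy type
SAMPLE_PROXY_LOG = """\
1402560001.123     45 10.0.0.12 TCP_MISS/200 312 POST http://192.0.2.10:8080/ - HIER_DIRECT/192.0.2.10 text/html
1402560004.456     30 10.0.0.12 TCP_MISS/200 1201 GET http://www.example.com/ - HIER_DIRECT/203.0.113.5 text/html
1402560121.789     52 10.0.0.12 TCP_MISS/200 300 POST http://198.51.100.23:8080/ - HIER_DIRECT/198.51.100.23 text/html
1402560130.001     20 10.0.0.40 TCP_MISS/200 800 POST https://login.example.net/ - HIER_DIRECT/203.0.113.77 text/html
1402560140.002     25 10.0.0.40 TCP_MISS/200 150 GET http://192.0.2.10:8080/ - HIER_DIRECT/192.0.2.10 text/html
"""

STANDARD_PORTS = {80, 443}

def is_literal_ip(host):
    """True if the URL host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def find_c2_posts(log_text):
    """Return {client_ip: sorted ['host:port', ...]} for POSTs sent directly to an
    IP literal on a non-standard port, the check-in shape described in the post."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, method, url = fields[2], fields[5], fields[6]
        if method != "POST":
            continue
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
        if port is None:  # fill in the scheme default so the port test below is uniform
            port = 443 if parts.scheme == "https" else 80
        if host and is_literal_ip(host) and port not in STANDARD_PORTS:
            hits[client].add(f"{host}:{port}")
    return {client: sorted(dests) for client, dests in hits.items()}

if __name__ == "__main__":
    for client, dests in find_c2_posts(SAMPLE_PROXY_LOG).items():
        print(f"{client} POSTed to {len(dests)} bare-IP non-standard-port destinations: {', '.join(dests)}")
```

The clean client's GET to the same 8080 address is deliberately not flagged: the post describes the bot checking in with POSTs, and restricting the rule to POST keeps the noise from internal tools on odd ports manageable. Anything it does flag deserves a look at the process on the client that made the request, and at whether it is running inside svchost.exe.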
Some of these Kuluoz trojans are getting better at avoiding some of the publicly-available sandboxes like Malwr.com. This comes and goes, a constant arms race, I'm sure. The sample I downloaded from the URL found by Project Honey Pot (sttc.nu) didn't run so well in those sandboxes. But rest assured, this Kuluoz runs fine.
It injects into svchost.exe, creates an aa[user] mutex, and carries a nice list of C2 check-in locations. An Asprox bot.