
Email:

The fake parking violation notice spam email claims that your parking citations have not been paid and that the fines are due within a specified number of days.

The link goes to compromised sites that download Asprox malware.


Subject: Parking Violation Notice

Parking violation notice

City of New York records indicate that a parking citation(s) issued to the vehicle described below has not
been paid. This fines and applicable penalties area past due and must be paid within the next ten calendar
days. DMV records show that you are/were the registered owner at the time this vehicle was cited. Therefore,
you are legally responsible for responding to this notice.
Ticket Number Violation Fine Payment Received AMOUNT DUE
7099135 PROHIBITED PARKING $40 $0.00 $40
For more information, please visit here and get your parking ticket.

Subject: Parking Violation Notice

Parking violation notice

City of Phoenix records indicate that a parking citation(s) issued to the vehicle described below has not been
paid. This fines and applicable penalties area past due and must be paid within the next ten calendar days. DMV
records show that you are/were the registered owner at the time this vehicle was cited. Therefore, you are
legally responsible for responding to this notice.
Ticket Number Violation Fine Payment Received AMOUNT DUE
5135977 HANDICAPPED SPACE VIOLATION $40 $0.00 $40
For more information, please visit here and get your parking ticket.

Picture of fake New York parking violation email with Asprox malware link.

Subject: Parking Violation Notice

Parking violation notice

City of Houston records indicate that a parking citation(s) issued to the vehicle described below has not been
paid. This fines and applicable penalties area past due and must be paid within the next ten calendar days. DMV
records show that you are/were the registered owner at the time this vehicle was cited. Therefore, you are
legally responsible for responding to this notice.
Ticket Number Violation Fine Payment Received AMOUNT DUE
8074741 PARKING IN "NO STOPPING-STANDING" ZONE $40 $0.00 $40
For more information, please visit here and get your parking ticket.

Various cities so far:

City of Chicago
City of Dallas
City of Houston
City of Los Angeles
City of New York
City of Philadelphia
City of Phoenix
City of San Antonio
City of San Diego
City of San Jose

Various violations so far:

FIRE LANE VIOLATION
HANDICAPPED SPACE VIOLATION
METER VIOLATION
OFF-STREET HEAD-IN METER VIOLATION <-- huh?
PARKING IN "NO STOPPING-STANDING" ZONE
PARKING TRACTOR-TRAILER COMBO
PROHIBITED PARKING

Headers:

Asprox URL-style emails almost ALWAYS come from compromised web servers (versus attachment-style emails, which come from Windows bots). A dropped PHP script receives HTTP POSTs containing the template, a list of recipients, links, fake mail transfer agent strings, and sometimes spoofed headers.

A single compromised web server will often be sent data every 3 minutes, with about 30 emails per POST. This can generate around 10,000 emails per day, generally pointing to about 100 compromised landing sites.

Received: from [ HELO of compromised web server ] [ IP address of compromised web server ]
Envelope-From: www-data@[ domain of compromised web server ]
From: "Parking Violations Bureau" <support@[ domain of compromised web server ]>
Subject: Parking Violation Notice

Received: from vm5.digitalserver.org [184.107.173.90]
X-Envelope-From: rh @arspc.com.mx
From: Parking Violations Bureau <rh @arspc.com.mx>
Subject: Parking Violation Notice

Received: from srv36.turhost.com [94.199.206.36]
X-Envelope-From: afhmanager34 @srv36.turhost.com
Subject: Parking Violation Notice
From: "Parking Violations Bureau" <support @ajansfotografhane.com>
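As an added illustration (not code from the original post), this check parses a constructed header block shaped like the samples above and lists which of the traits described here it carries; the host name, IP address and mailbox names in it are placeholders.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample shaped like the header excerpts in this post; the host name,
# IP address and mailbox names are placeholders, not real indicators.
SAMPLE_HEADERS = """Received: from web01.compromised-host.example [198.51.100.7]
X-Envelope-From: www-data@compromised-host.example
From: "Parking Violations Bureau" <support@compromised-host.example>
Subject: Parking Violation Notice
"""

def asprox_header_indicators(raw_headers):
    """Return the campaign traits present in a header block, in a fixed order.

    The traits are the ones described above: the campaign subject and display
    name, a www-data envelope sender (mail injected by the web server's PHP, not
    a real MTA user) and a From domain that is the relaying web server itself."""
    msg = email.message_from_string(raw_headers)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    envelope = msg.get("X-Envelope-From") or msg.get("Envelope-From") or ""
    env_local, _, env_domain = parseaddr(envelope)[1].rpartition("@")
    helo = re.search(r"from\s+([\w.-]+)", msg.get("Received", ""))
    helo_host = helo.group(1).lower() if helo else ""

    hits = []
    if msg.get("Subject", "").strip().lower() == "parking violation notice":
        hits.append("campaign subject")
    if display.strip().lower() == "parking violations bureau":
        hits.append("campaign display name")
    if env_local.lower() == "www-data":
        hits.append("www-data envelope sender")
    if from_domain and from_domain in (env_domain.lower(), helo_host):
        hits.append("From domain is the relaying web server")
    return hits
```

Not every sample shows all four traits (the second header excerpt above has no www-data sender), so treat the list as a score rather than a single rule.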

Malware:

The landing sites are just compromised websites. They come and go, and Asprox can go through thousands in a month. Asprox loves proxies, and these landing sites are just small malware-downloading proxies: the request is proxied to another server, which sends back either malware or a fake error message.

The landing URLs share one shape: a dropped PHP script (defines.php, help.php or test.php) on the compromised site, called with a base64-encoded violation= parameter.


The proxied request is checked for its User-Agent string (Windows only, usually IE only) and its IP address (an IP that tries too many times will be blocked). If your stars align, you will be handed back a zip containing an executable. In my case, I got Parking_Ticket.zip containing Parking_Ticket.exe.
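An added example, not part of the original post: a check for the landing-URL shape (one of the three script names plus a violation= token that is standard base64 decoding to 32 bytes, the length of every token seen in this campaign) and a scan over constructed proxy-log lines; the hosts, tokens and log format are made up.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, unquote

# Script names the campaign's landing URLs were seen to use.
LANDING_SCRIPTS = ("defines.php", "help.php", "test.php")
# Read the raw query so a '+' inside the base64 token is not turned into a space.
_TOKEN_RE = re.compile(r"(?:^|&)violation=([^&]*)")

def violation_token(url):
    """Return the decoded violation= blob for a campaign-shaped URL, else None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    if parts.path.rsplit("/", 1)[-1].lower() not in LANDING_SCRIPTS:
        return None
    m = _TOKEN_RE.search(parts.query)
    if not m:
        return None
    try:
        return base64.b64decode(unquote(m.group(1)), validate=True)
    except binascii.Error:
        return None

def is_asprox_landing_url(url):
    """True when the script name fits and the token decodes to exactly 32 bytes."""
    blob = violation_token(url)
    return blob is not None and len(blob) == 32

# Two constructed 32-byte tokens; the second one contains '+' and '/' characters.
TOKEN_PLAIN = base64.b64encode(bytes(range(32))).decode()
TOKEN_SYMBOLS = base64.b64encode(bytes([0xFB, 0xFF] * 16)).decode()

# Constructed proxy-log lines: client, method, URL, user-agent (hosts are placeholders).
SAMPLE_LOG = f'''10.0.0.5 GET http://static-site.example/files/defines.php?violation={TOKEN_PLAIN} "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
10.0.0.9 GET http://shop.example/help.php?q=parking "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.7 GET http://blog.example/webtv/help.php?violation={TOKEN_SYMBOLS} "Mozilla/5.0 (Windows NT 6.1; Trident/7.0)"
10.0.0.7 GET http://blog.example/test.php?violation=notbase64!! "Mozilla/5.0 (Windows NT 6.1; Trident/7.0)"
'''

def scan_proxy_log(text):
    """Return (client, url, windows_ua) for lines whose URL fits the landing pattern.

    windows_ua matters because the gate only serves the zip to Windows/IE agents,
    so those clients are the ones likely to have received Parking_Ticket.zip."""
    hits = []
    for line in text.splitlines():
        fields = line.split(" ", 3)
        if len(fields) == 4 and is_asprox_landing_url(fields[2]):
            hits.append((fields[0], fields[2], "Windows" in fields[3]))
    return hits
```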

The Asprox executable is generally referred to as Kuluoz. It doesn't matter which URL you get it from; they all come from the same place (via proxy) and do the same thing: take over your computer. Here is one example:

VirusTotal report:

Malwarebytes   Trojan.Email.FakeDoc
Norman         Kuluoz.KR
Qihoo-360      Malware.QVM10.Gen
Rising         PE:Malware.FakeDOC@CV!1.9C3C

Malwr.com report

These samples sometimes don't run so well in Cuckoo. Here is the same sample run manually.

Picture of trojan run from parking violation malware email.

This sample runs like a champ: it injects into svchost.exe, creates an aa[user] mutex, and carries a nice list of C2 check-in locations. An Asprox bot. The C2 proxies in this sample were a hard-coded list of IP:port pairs.


Those IP addresses will change as some are taken down and new ones come online. They are almost always compromised web servers.
