Holiday Aspxor Mimics Retailers

The holiday season brings not only the best deals for online shopping, but also additional opportunities for email phishing, online scams, and more. We all know that you should be cautious about what you click all year long, but it is especially important for consumers and enterprises alike to be vigilant at this time of year.

The ThreatConnect Research Team uncovered details of a new email phishing campaign utilizing a variant of the Asprox malware, which has targeted what is estimated to be thousands of email addresses, and counting. This variant of the Asprox malware is known as “Aspxor” by the antivirus industry and is masquerading as order confirmations from large retail chains.

These trojans are being distributed via phishing emails sent from nodes in the botnet and from a variety of PHP relays installed on compromised hosts, many of which are running vulnerable WordPress plugins. The bots fall back to these PHP relays when outbound SMTP is blocked. There are currently five different phishing email variations in this campaign, with abused brands including Costco, Target, Walmart, Walgreens, and Home Depot. Emails targeting consumers often arrive with the subject line “Order Info” or “Order Status”. (See below for examples of those emails.)


Aspxor Relays

An example of an Asprox relay is hosted on the domain domnateneryfie[.]pl, which appears to be running a vulnerable version of the TinyMCE WordPress plugin. The mailer program has been uploaded to the compromised site with the filename “.view.php”, as seen in the following screen capture of the site.


(Note that directory listing is allowed on the site, which is not a recommended practice. This can be changed in Apache according to the documentation found here.)

Each email in this campaign contains a link that leads to the download of the trojan. The following screenshot shows an example of this link as displayed in ThreatConnect.


Each of the URLs contains a unique query string. Some of the URLs have up to five or six different unique query strings spread among the different phishing email variations. An example of this query string is “cpJfZVdxhs4MsYKdrwaXVvI1i7B5CTSRcysyLaOojC4=”. These strings may be used to identify the botnet affiliate that sent the spam for accounting and payment purposes.

The trojan uses a set of fake X-Mailer: fields that are included in the headers of outgoing phishing emails. Each of the following example phishing emails has a different fake X-Mailer: field in the header.


The above Costco phishing email contains the fake X-Mailer: field “HiveMail1.2.1”.


The above HomeDepot phishing email contains the fake X-Mailer: field “PHPMailer 5.2.6”.


The above Target phishing email contains the fake X-Mailer: field “UnityMail”.


The above Walgreens phishing email contains the fake X-Mailer: field “grasslandtromboneV8.75”.


The above Walmart phishing email contains the fake X-Mailer: field “Bjjniad(ver.74.9)”.
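The two header and link characteristics described above (the spoofed X-Mailer: values and the opaque per-affiliate query string on each download link) are easy to turn into mail-gateway triage logic. The following Python is an added example written for this post, not ThreatConnect's own tooling or the Snort rules mentioned later; it parses a raw RFC 822 message, flags any of the five X-Mailer: values listed above, and returns each URL in the body together with its query string so the affiliate token can be pivoted on across samples. The sample email, its hostnames and the `triage` helper are constructed for illustration; only the X-Mailer: values, the subject lines and the query-string token come from the post.

```python
"""Triage a raw phishing email for the Aspxor campaign traits described above.
Added example; the sample message and hostnames are constructed."""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# The five spoofed X-Mailer: values reported in the post, keyed to the brand lure.
FAKE_XMAILERS = {
    "HiveMail1.2.1": "Costco",
    "PHPMailer 5.2.6": "Home Depot",
    "UnityMail": "Target",
    "grasslandtromboneV8.75": "Walgreens",
    "Bjjniad(ver.74.9)": "Walmart",
}

# Subject lines the post reports for the consumer lures (compared case-insensitively).
LURE_SUBJECTS = {"order info", "order status"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _body_text(msg: Message) -> str:
    """Concatenate every text/* part of the message, decoding transfer encodings."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def xmailer_verdict(msg: Message) -> dict:
    """Report whether the X-Mailer: header matches a known spoofed value."""
    xmailer = (msg.get("X-Mailer") or "").strip()
    subject = (msg.get("Subject") or "").strip().lower()
    return {
        "x_mailer": xmailer,
        "spoofed_brand": FAKE_XMAILERS.get(xmailer),
        "lure_subject": subject in LURE_SUBJECTS,
    }


def link_tokens(msg: Message) -> list:
    """Return (url, query_string) pairs for every URL in the body.

    The campaign's download links carry an opaque query string with no
    key=value structure, so the raw query is kept as the affiliate token.
    """
    out = []
    for url in URL_RE.findall(_body_text(msg)):
        url = url.rstrip(".,;)")  # drop sentence punctuation glued to the link
        out.append((url, urlparse(url).query))
    return out


def triage(raw_email: str) -> dict:
    """Combine header and link checks into one verdict for a raw message."""
    msg = message_from_string(raw_email)
    verdict = xmailer_verdict(msg)
    verdict["links"] = link_tokens(msg)
    verdict["suspicious"] = verdict["spoofed_brand"] is not None or (
        verdict["lure_subject"] and bool(verdict["links"])
    )
    return verdict


# Constructed sample lure; the token is the example query string from the post.
SAMPLE_EMAIL = """\
From: "Costco" <orders@example.invalid>
To: victim@example.invalid
Subject: Order Info
X-Mailer: HiveMail1.2.1
Content-Type: text/plain; charset=utf-8

Your order is ready. View your order details here:
http://download.example.invalid/order/?cpJfZVdxhs4MsYKdrwaXVvI1i7B5CTSRcysyLaOojC4=
"""

if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

In a real deployment the X-Mailer: match is a brittle signal on its own (the botnet can rotate values at will), which is why the verdict also keys on the subject-plus-link combination; the returned token is what lets an analyst group emails by sending affiliate, as the post suggests.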


Once downloaded and run on the victim’s system, the trojan calls back to a set of C2 servers via HTTP on port 8080 as well as HTTPS on port 443. The HTTPS connection is SSL encrypted, making it more difficult to detect and analyze. Each of the samples sandboxed from this campaign has Russian-language PE resources, which indicates that the malware author may be in Russia or Ukraine.

Asprox Background

The Asprox family of malware dates back to 2007 and 2008 when it targeted vulnerable servers running Active Server Pages (ASP). These sites were compromised via an automated process using SQL injection. Post exploitation, a hidden iframe was inserted into the site’s code. This iframe would lead a visitor to a site hosting the trojan. According to a blog post by our friends at Recorded Future, an earlier variant of the botnet was using fast flux DNS changing to protect the command and control (C2) IP addresses from detection and takedown. The current variant no longer appears to use fast flux, and now uses static IP addresses to call back to its C2. This technique avoids using DNS entirely.



Consumers and enterprise security teams alike should be mindful of these sorts of seasonal threats, especially when we consider how convergence and BYOD blur the lines between personal and professional computing. Risks such as “Asprox” or “Aspxor” could be unintentionally introduced into any enterprise.

Retailers may also look to actively track and mitigate the various phishing campaigns that abuse their brands and target their customers. One way retailers are countering this sort of activity is through industry threat intelligence sharing. The ThreatConnect Retail Community was specifically established for vetted retailers to actively exchange, analyze, and memorialize industry-specific threat intelligence, enabling them to proactively counter threats targeting their industry.

A full set of indicators and context associated with these phishing campaigns, as well as the respective Aspxor trojans and their C2 infrastructure, has been shared within the ThreatConnect Common Community. This share also includes Snort rules for detecting this threat on network intrusion detection systems and other network security monitoring systems.

About the Author
ThreatConnect Research Team

The ThreatConnect Research Team: is an elite group of globally-acknowledged cybersecurity experts, dedicated to tracking down existing and emerging cyber threats. We scrutinize trends, technology and socio-political motivators to develop comprehensive knowledge of the cyber landscape. Then, we share what we’ve learned so that you can protect your organization, and your team can take precise action against threats.