The holiday season invites not only the best deals for online shopping, but it also introduces additional opportunities for email phishing, online scams, and more. We all know that you should be cautious of what you click all year long, but it is especially important for consumers and enterprises alike to be vigilant this time of year as well.
The ThreatConnect Research Team uncovered details of a new email phishing campaign utilizing a variant of the Asprox malware, which has targeted what is estimated to be thousands of email addresses, and counting. This variant of the Asprox malware is known as “Aspxor” by the antivirus industry and is masquerading as order confirmations from large retail chains.
These trojans are being distributed via phishing emails sent from nodes in the botnet and a variety of PHP relays installed on compromised hosts, many of which are running vulnerable WordPress plugins. These PHP relays are used by the bots if outbound SMTP is blocked. There are currently five different phishing email variations in this campaign, with abused brands including Costco, Target, Walmart, Walgreens, and Home Depot. Emails targeting consumers often arrive with the subject line of “Order Info” or “Order Status”. (See below for examples of those emails).
An example of an Asprox relay is hosted on the domain domnateneryfie[.]pl, which appears to be running a vulnerable version of the Tinymce WordPress plugin. The mailer program has been uploaded to the compromised site with the filename “.view.php” as seen in the following screen capture of the site.
(Note that directory listing is allowed on the site, which is not a recommended practice. This can be changed in Apache according to the documentation found here.)
Each email in this campaign contains a link that leads to the download of the trojan. The following screenshot shows an example of this link as displayed in ThreatConnect.
Each of the URLs contains a unique query string. Some of the URLs have up to five or six different unique query strings spread among the different phishing email variations. An example of this query string is “cpJfZVdxhs4MsYKdrwaXVvI1i7B5CTSRcysyLaOojC4=”. These strings may be used to identify the botnet affiliate that sent the spam for accounting and payment purposes.
The trojan uses a set of fake X-Mailer: fields that are included in the headers of outgoing phishing emails. Each of the following example phishing emails has a different fake X-Mailer: field in the header.
The above Costco phishing email contains the fake X-Mailer: field “HiveMail1.2.1”.
The above HomeDepot phishing email contains the fake X-Mailer: field “PHPMailer 5.2.6”.
The above Target phishing email contains the fake X-Mailer: field “UnityMail”.
The above Walgreens phishing email contains the fake X-Mailer: field “grasslandtromboneV8.75”.
The above Walmart phishing email contains the fake X-Mailer: field “Bjjniad(ver.74.9)”.
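As an added defensive illustration (not code from the original post), the following Python filter checks a raw message for the spoofed X-Mailer values listed above, the “Order Info”/“Order Status” subject lines, and a link carrying a long opaque query string like the one quoted earlier. The sample message, its addresses and the `example.invalid` host are constructed for the example.

```python
"""Flag inbound mail showing the Asprox/Aspxor phishing traits described
in the post: a spoofed X-Mailer, a retail-order subject, and a link whose
query string is a long base64-looking token."""
import email
import re
from email import policy

# Spoofed X-Mailer values quoted in the post (one per abused brand).
FAKE_XMAILERS = {
    "HiveMail1.2.1",
    "PHPMailer 5.2.6",
    "UnityMail",
    "grasslandtromboneV8.75",
    "Bjjniad(ver.74.9)",
}
ORDER_SUBJECTS = {"order info", "order status"}
# URL whose query is a base64-like token of 30+ chars; the post's example
# token is 43 characters followed by "=".
QUERY_RE = re.compile(r"https?://\S+\?[A-Za-z0-9+/]{30,}={0,2}")


def score_message(raw: bytes) -> dict:
    """Return which of the campaign's traits a raw RFC 822 message shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    xmailer = (msg.get("X-Mailer") or "").strip()
    subject = (msg.get("Subject") or "").strip().lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    traits = {
        "fake_xmailer": xmailer in FAKE_XMAILERS,
        "order_subject": subject in ORDER_SUBJECTS,
        "opaque_query_link": bool(QUERY_RE.search(text)),
    }
    # A known spoofed mailer alone is enough; otherwise require both the
    # lure subject and the affiliate-style query string.
    traits["suspicious"] = traits["fake_xmailer"] or (
        traits["order_subject"] and traits["opaque_query_link"])
    return traits


# Constructed sample message, not a real capture from the campaign.
SAMPLE = b"""\
From: orders@example.invalid
To: victim@example.invalid
Subject: Order Status
X-Mailer: PHPMailer 5.2.6
Content-Type: text/plain

Your order is ready: http://example.invalid/view?cpJfZVdxhs4MsYKdrwaXVvI1i7B5CTSRcysyLaOojC4=
"""

if __name__ == "__main__":
    print(score_message(SAMPLE))
```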
Once downloaded and run on the victim’s system, the trojan calls back to a set of C2 servers via HTTP on port 8080 as well as HTTPS on port 443. This second type of connection is SSL-encrypted, making it more difficult to detect and analyze. Each of the samples that were sandboxed from this campaign has Russian-language PE resources, which indicates that the malware author may be in Russia or Ukraine.
The Asprox family of malware dates back to 2007 and 2008, when it targeted vulnerable servers running Active Server Pages (ASP). These sites were compromised via an automated process using SQL injection. Post-exploitation, a hidden iframe was inserted into the site’s code. This iframe would lead a visitor to a site hosting the trojan. According to a blog post by our friends at Recorded Future, an earlier variant of the botnet was using fast-flux DNS to protect the command and control (C2) IP addresses from detection and takedown. The current variant no longer appears to use fast flux, and now uses static IP addresses to call back to its C2. This technique avoids using DNS entirely.
Consumers and enterprise security teams alike should be mindful of these sorts of seasonal threats, especially when we consider how convergence and BYOD blur the lines between personal and professional computing. Risks such as “Asprox” or “Aspxor” could be unintentionally introduced into any enterprise.
Retailers may also look to actively track and mitigate various phishing campaigns that abuse their brands and target their customers. One way retailers are countering this sort of activity is through industry threat intelligence sharing. The ThreatConnect Retail Community was specifically established for vetted retailers to actively exchange, analyze, and memorialize industry-specific threat intelligence, enabling them to proactively counter threats targeting their industry.
A full set of indicators and context associated with these phishing campaigns as well as the respective Aspxor trojans and their C2 infrastructure have been shared within the ThreatConnect Common Community. This share also includes Snort rules for detecting this threat on network intrusion detection systems and other network security monitoring systems.
To get started with a FREE account on ThreatConnect and to join the private ThreatConnect retail community, please register for an account and contact us at firstname.lastname@example.org. You do not have to be a paid customer to join; we only require that you register with an organization email address for our Basic Organization Account. We also offer private cloud and on-premises versions of ThreatConnect, so your organization can have even more control over your data and still participate in the private retail community.