August 28, 2014 • Nick Espinoza
Asprox is the malware used in a long campaign of phishing and drive-by downloads that has recently taken on APT-like evasion techniques, garnering the full attention of FireEye analysts. While the TTPs it uses are not novel, the way Asprox’s authors have refined those common TTPs over the past six years into something highly efficient, evasive, and technical is unique.
As early as 2007, Asprox and its variants (Dapato and Dofoil, amongst others) have been in the wild, expanding their reach to a wealth of victims in ways both uncomplicated and strikingly complex. Asprox exploits uncomplicated vulnerabilities, using SQL injection to enable drive-by downloads, or spear-phishing campaigns that convince a user to open a seemingly trustworthy URL or document in an email.
Post infection, the malware victim’s computer is utilized in a botnet for harvesting login credentials, enabling DDoS attacks, driving fake advertising traffic, and conducting SQL injections on unsecured sites.
An overview of the history of Asprox results in an interesting narrative. As seen in the timeline, Asprox began its campaign with relatively low activity, a multi-year lull, then a near exponential surge of references. The campaign from 2007 to today can be broken into four distinct phases.
Phase 1: Initial Deployment
(Event 1) Asprox was first reported in the summer of 2008. At the time it was unremarkable, with the author noting, “The attack toolkit being used (which is aliased as ‘Asprox’) has been around for few years.” In 2008 it was notable only for targeting a few thousand high-traffic “Governmental, health care, and top business websites” with SQL injections against their unsanitized fields.
Phase 2: Operating in Safe Havens
(Events 2 and 3) McColo, a US-based ISP, was shut down for hosting domains associated with C&C servers for spam botnets, including Asprox. The operators of Asprox soon adapted, buying domains in countries like Estonia or Russia, where ISP operators are unlikely to respond to requests for the suspension of illegal domains. Asprox and many other forms of malware proliferated at ISPs in both countries.
Phase 3: Diversifying Phishing Techniques
(Event 4) Since 2007, Asprox had primarily used English in its spear-phishing campaigns. In March 2013, the malware began to target a larger audience by diversifying the languages of its lure messages; its spam emails expanded into German and Spanish.
(Event 5) One month later, Asprox had improved its spear-phishing techniques. Previously it had used emails imitating shipping companies and court notifications; here the malware leverages current breaking-news headlines to entice users into clicking links that compromise their machine.
Phase 4: Persistence in Threat Landscape
(Event 6) Active spam and malware campaigns conducted in 2013 were utilizing many of the malicious scripts from early 2010 Asprox campaigns, while researchers also discovered new code in the wild. This activity can be explained by two scenarios:
(Event 7) In 2014, the actors behind Asprox have become adept at reviewing the detection methods of security researchers. With each new iteration, they obfuscate the malware by continually changing “hardcoded strings, remote access commands, and encryption keys,” thus taking on some of the characteristics of APT-style adversaries.
Through the redirection of web traffic to domains serving malware, Asprox enables the download of a malware dropper known as KULUOZ. From that point the malware proliferates exponentially, as visitors to each infected site download Asprox and its dropper KULUOZ.
In addition to the SQL injection technique, Asprox also seeks to compromise a victim through spear phishing. In its early phases, Asprox used fairly common techniques, such as emails from a shipment company, Amazon, court-ordered notices, etc. However, in 2013 the spear-phishing techniques became extremely complex: utilizing timely breaking-news headlines (e.g. South Korean Ferry Sinks), including IP-geocoded attachments with titles relevant to the recipient’s area (e.g. Washington, D.C. Court Order), and creating messages in multiple languages, all with the purpose of increasing the rate of infection.
After a machine is infected, Asprox connects to a C&C server chosen from an encrypted list of IP addresses, using an SSL connection and RC4 encryption. As soon as an infected machine connects, it can receive an updated list of C&C servers, because the IP addresses of the servers acting as proxies between a victim and the real server change frequently as a method of avoiding detection, outpacing information security efforts to blacklist IPs associated with the malware.
At this point, the C&C server can issue a range of commands: update existing files, update IP address lists, etc. The most valuable aspect of Asprox is the ability to download new files. Trend Micro notes there are four common functional modules: sb*.dll.crp (spam), smtpWorker.dll.crp (spam), php.dll.crp (website scanner for SQL vulnerabilities), and asdsdsd.crp (credential harvester).
To identify Asprox, enumerating the known filenames, MD5 hashes, and unique malware signatures from many malware analysis platforms such as Symantec, Sophos, Ikarus, and Kaspersky Lab can prove useful.
Using Recorded Future, about 250 unique filenames can be reviewed. Dumping these filenames into a CSV and running a brief analysis yields the expected results.
Asprox seems to either randomize filenames and extensions (e.g. smeeqnbn.exe, sirafaraki5yni.docx) or tailor filenames to the lure (e.g. wireshark.exe, court_notice_jones_day_washington.exe, copy_of_ups_label.exe). This list of 250 filenames can be added to an email attachment blocklist.
Similarly, Recorded Future returned about 100 unique and current MD5s that can be added to an existing AV scanner to improve the detection of Asprox. Given Asprox’s ability to change attachment names and lure users with convincing links, hash-based detection can improve security efforts.
Since Asprox uses fast-flux DNS (rapid changes to DNS records that mask which IPs are associated with the malware and, ultimately, the C&C server), using the IPs contacted by the malware to identify the presence of Asprox is a fruitless effort.
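The attachment blocklist described above, as an added example that is not part of the original post: it loads a filename/MD5 indicator CSV, blocks exact matches, and flags executables whose names look randomized in the way the post describes. The CSV rows, the sample payload and the randomness heuristic are constructed assumptions, not real Asprox indicators.

```python
import csv
import hashlib
import io
import re

# Constructed indicator feed in the shape the post describes: one row per
# filename or MD5. Values are made up for this example, not real Asprox IoCs.
SAMPLE_PAYLOAD = b"constructed stand-in for a malicious attachment body"
INDICATOR_CSV = (
    "type,value\n"
    "filename,court_notice_jones_day_washington.exe\n"
    "filename,copy_of_ups_label.exe\n"
    "filename,wireshark.exe\n"
    f"md5,{hashlib.md5(SAMPLE_PAYLOAD).hexdigest()}\n"
)
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

def load_indicators(csv_text):
    """Split a type,value CSV into a lowercase filename set and an MD5 set."""
    names, md5s = set(), set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = row["value"].strip().lower()
        if row["type"] == "filename":
            names.add(value)
        elif row["type"] == "md5" and re.fullmatch(r"[0-9a-f]{32}", value):
            md5s.add(value)
    return names, md5s

def looks_randomized(stem):
    """Heuristic (an assumption, not from the post): a long alphanumeric stem with
    no word separators and a run of four consonants or a digit between letters,
    e.g. 'smeeqnbn' or 'sirafaraki5yni'. Expect some false positives."""
    if len(stem) < 8 or not stem.isalnum():
        return False
    return bool(re.search(r"[^aeiou\d]{4}", stem) or re.search(r"[a-z]\d[a-z]", stem))

def classify_attachment(filename, data, names, md5s):
    """'block' on an exact filename or MD5 hit, 'suspicious' for an executable
    with a randomized-looking name, otherwise 'allow'."""
    name = filename.strip().lower()
    if name in names or hashlib.md5(data).hexdigest() in md5s:
        return "block"
    stem, dot, ext = name.rpartition(".")
    if dot and "." + ext in EXECUTABLE_EXTS and looks_randomized(stem):
        return "suspicious"
    return "allow"

NAMES, MD5S = load_indicators(INDICATOR_CSV)
```

Filename matching is case-insensitive because the lure names vary in casing across campaigns; the MD5 check catches a renamed copy of a known sample.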
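Because blocking individual IPs fails against fast flux, the practical alternative is to detect the flux pattern itself in resolver logs. This added example (not from the post) profiles each domain by how many distinct answer IPs it returns in a short window and how low its TTLs are; the log lines, domains, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log: timestamp, queried domain, answer TTL, answer IPs.
# Domains and addresses are made up for this example, not real Asprox infrastructure.
DNS_LOG = """\
2014-08-28T09:00:00 updates.flux-example.test 120 198.51.100.10,198.51.100.11
2014-08-28T09:03:00 updates.flux-example.test 120 203.0.113.5,198.51.100.12
2014-08-28T09:06:00 updates.flux-example.test 120 192.0.2.77,203.0.113.9
2014-08-28T09:09:00 updates.flux-example.test 120 192.0.2.80,198.51.100.13
2014-08-28T09:00:00 www.stable-example.test 86400 192.0.2.1
2014-08-28T09:05:00 www.stable-example.test 86400 192.0.2.1
2014-08-28T09:10:00 www.stable-example.test 86400 192.0.2.1
"""

def parse_log(text):
    """Parse one space-separated record per line into (time, domain, ttl, [ips])."""
    records = []
    for line in text.splitlines():
        ts, domain, ttl, ips = line.split()
        records.append((datetime.fromisoformat(ts), domain, int(ttl), ips.split(",")))
    return records

def flux_profile(records, window=timedelta(minutes=15)):
    """Per domain: distinct answer IPs seen within `window` of its first query,
    plus the lowest TTL observed. Many IPs in a short window with short TTLs is
    the fast-flux pattern; a stable host resolves to the same IP with a long TTL."""
    by_domain = defaultdict(list)
    for ts, domain, ttl, ips in records:
        by_domain[domain].append((ts, ttl, ips))
    profile = {}
    for domain, rows in by_domain.items():
        rows.sort()
        start = rows[0][0]
        distinct = set()
        for ts, _, ips in rows:
            if ts - start <= window:
                distinct.update(ips)
        profile[domain] = (len(distinct), min(ttl for _, ttl, _ in rows))
    return profile

def fast_flux_candidates(records, min_ips=5, max_ttl=300):
    """Domains whose profile crosses both thresholds (the thresholds are assumptions)."""
    return sorted(domain for domain, (n_ips, ttl) in flux_profile(records).items()
                  if n_ips >= min_ips and ttl <= max_ttl)
```

CDNs also rotate addresses with short TTLs, so a hit here is a lead for investigation rather than a verdict.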
When viewing the network overview of KULUOZ, a few closely networked entities are new.
Most notably, there is one piece of malware, Conficker. This malware ultimately infected about 12 million hosts, propagating via share drives and thumb drives. Conficker briefly shared C&C servers with Asprox, indicating some sort of coordination by two malicious actors or a deviation from the normal TTPs utilized by the malicious actors behind the Asprox campaign.
Asprox’s evolution from 2007 to today shows that a highly adaptive malicious actor is behind its development. From their humble beginnings, recycling old attack vectors and TTPs, to today, when they are using multiple languages, adaptive messaging, and mimicking advanced obfuscation techniques, Asprox is a serious threat. The botnet assembled by these actors fortunately seems to be mostly aimed at monetizing the platform (distributing spam messages, installing ransomware, building the botnet further), but their rapid development cycle, occasional use of credential-harvesting tools, and ability to install any executable are cause for concern.