2014-09-09 - MALWARE INFECTION FROM ASPROX BOTNET EMAILS

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2014-09-09-malware-from-Asprox-botnet-emails.zip
• 2014-09-09-Asprox-botnet-email-tracker.csv.zip
• 2014-09-09-infection-traffic-by-malware-from-Asprox-botnet-emails-4-pcaps.zip

 

NOTES:

• Yet another group of emails seen from the Asprox botnet--this wave spoofing Delta Airlines.

 

EXAMPLES OF THE EMAILS

SCREENSHOT - EXAMPLE 1:

 

SCREENSHOT - EXAMPLE 2:

 

SCREENSHOT - EXAMPLE 3:

 

MESSAGE TEXT - EXAMPLE 1:

From: Delta Air <help@startcomputerrepair[.]com>
Sent: Monday, September 08, 2014 15:59 UTC
To:
Subject: The order #00354911 is ready

Dear Customer,

ELECTRONIC TICKET NUMBER / ET-02442799
SEAT / 72F/ZONE 3
DATE / TIME 7 OCTOBER, 2014, 12:15 PM
ARRIVING / Stockton
FORM OF PAYMENT / XXXXXX
TOTAL PRICE / 272.19 USD
REF / EK.0183 ST / OK
BAG / 7PC

Please find your ticket attached.
You can print your ticket.

Thank you for your attention.
Delta Air Lines.

Attachment: ET-68435506.zip (108.6 KB)

 

MESSAGE TEXT - EXAMPLE 2:

From: Delta Air Lines <support@cavestclair[.]com>
Date: Tuesday, September 9, 2014 at 18:26 UTC
To:
Subject: Your order # ID16-00637196 has been completed

Dear Client,

TICKET / ET-10864422
SEAT / 63F/ZONE 1
DATE / TIME 7 OCTOBER, 2014, 12:25 AM
ARRIVING / Philadelphia
FORM OF PAYMENT / XXXXXX
TOTAL PRICE / 281.38 USD
REF / EK.0807 ST / OK
BAG / 2PC
Your ticket is attached.
To use your ticket you should print it.

Thank you for your attention.
Delta Air Lines.

Attachment: ET-11336156.zip (101.5 KB)

 

MESSAGE TEXT - EXAMPLE 3:

From: Delta Air Lines <custservice@sydneystair[.]com>
Date: Tuesday, September 9, 2014 at 19:57 UTC
To:
Subject: Your order # NR17-00043949 has been completed

Dear Customer,

ELECTRONIC TICKET / ET-22307486
SEAT / 64A/ZONE 1
DATE / TIME 1 OCTOBER, 2014, 12:55 AM
ARRIVING / Newport News
FORM OF PAYMENT / XXXXXX
TOTAL PRICE / 278.39 USD
REF / LE.9116 ST / OK
BAG / 1PC

Your electronic ticket is attached to the letter as a scan document.
You can print your ticket.

Thank you for your attention.
Delta Air Lines.

Attachment: ET-81809167.zip (111.8 KB)

 

MALWARE EXAMPLES

• Attachment:  ET-11336156.zip - MD5 hash: be6efead7e792b81da98b2b85e5a9ec8
• VirusTotal link:  https://www.virustotal.com/en/file/0023857e59a93cee87c8ae546350b9e2add29ace1861e19b52263932a67bc9c9/analysis/
• Extracted file:  DeltaTicket.exe - MD5 hash: 6b20036e7b3ae7a24231ff351a9251e1
• VirusTotal link:  https://www.virustotal.com/en/file/51908171d119f4567453762a05f39208ddf58f8c50c3f5ee2fcac97690a3c19b/analysis/

• Attachment:  ET-45048581.zip - MD5 hash: 3cf5bf0dc201ecdb9ac7e4eaa8af1205
• VirusTotal link:  https://www.virustotal.com/en/file/1327a3b479c13235bf67797b66aa2057ee81b0763399b267bd8b6d17493968f4/analysis/
• Extracted file:  DeltaTicket.exe - MD5 hash: f8825c98266e7549515f7479acc4cb04
• VirusTotal link:  https://www.virustotal.com/en/file/deeb5035d805c316851fafedf03c5348bc3103c876324309cf550153aa57bb87/analysis/

• Attachment:  ET-68435506.zip - MD5 hash: afaf0d8a55e65f258e11c06d5dc74855
• VirusTotal link:  https://www.virustotal.com/en/file/851dcd10ea30554e286ea6c92937e1f660594c46d7853b681441d11a0f77197d/analysis/
• Extracted file:  DeltaTicket.exe - MD5 hash: dafee9aa102b64a21c15af6208537dc0
• VirusTotal link:  https://www.virustotal.com/en/file/b14c2bfed6fb6360b551dadcf2ff4b0fae0a5e9e79fad62a3b2f53f17e4f7964/analysis/

• MAttachment:  ET-81809167.zip - MD5 hash: dae07211557843bdeb9b11a458ffa54b
• VirusTotal link:  https://www.virustotal.com/en/file/3474e2c468b86296ba097d16e18c8ec2814f4ed9ddf25aece715983dded94423/analysis/
• Extracted file:  DeltaTicket.exe - MD5 hash: 4845a080eae462ccb2f3a3eb014d073f
• VirusTotal link:  https://www.virustotal.com/en/file/f518944045efe237613808760dd6e4e34de69b82927854c33fba405a300269fe/analysis/

 

TRAFFIC AND SNORT EVENTS

LIVE TRAFFIC - 4845A080EAE462CCB2F3A3EB014D073F:

• 178.33.160[.]87:80 - POST /index.php
• 178.33.160[.]87:80 - POST /index.php
• 202.185.27[.]50:8080 - POST /index.php
• 178.33.160[.]87:80 - POST /index.php
• 222.124.166[.]12:443 - POST /index.php
• [internal host]:53 - several DNS queries for: openisp.su
• [internal host]:53 - several DNS queries for: cellgone.su

SNORT EVENTS:

• 178.33.160[.]87:80 - ET TROJAN Kuluoz/Asprox Activity (sid:2017895)
• 178.33.160[.]87:80 - ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2 (sid:2018359)
• 222.124.166[.]12:443 - ET POLICY HTTP traffic on port 443 (POST) (sid:2013926)
• 222.124.166[.]12:443 - ET POLICY HTTP POST on unusual Port Possibly Hostile (sid:2006409)
• [internal host]:53 - ET POLICY DNS Query for .su TLD (Soviet Union) Often Malware Related (sid:2014169)

• [internal host]:53 - [1:27721:3] INDICATOR-COMPROMISE Suspicious .su dns query (x15)

 

LIVE TRAFFIC - 6B20036E7B3AE7A24231FF351A9251E1:

• 202.185.27[.]50:8080 - POST /index.php
• 222.124.166[.]12:443 - POST /index.php
• 222.124.166[.]12:443 - POST /index.php
• [internal host]:53 - several DNS queries for: openisp.su
• [internal host]:53 - several DNS queries for: cellgone.su

SNORT EVENTS:

• 202.185.27[.]50:8080 - ET TROJAN Kuluoz/Asprox Activity (sid:2017895)
• 202.185.27[.]50:8080 - ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2 (sid:2018359)
• 222.124.166[.]12:443 - ET POLICY HTTP traffic on port 443 (POST) (sid:2013926)
• 222.124.166[.]12:443 - ET POLICY HTTP POST on unusual Port Possibly Hostile (sid:2006409)
• [internal host]:53 - ET POLICY DNS Query for .su TLD (Soviet Union) Often Malware Related (sid:2014169)

• [internal host]:53 - [1:27721:3] INDICATOR-COMPROMISE Suspicious .su dns query (x28)

 

SANDBOX TRAFFIC - DAFEE9AA102B64A21C15AF6208537DC0:

• 82.116.211[.]16:443 - POST /index.php
• 202.75.53[.]48:8080 - POST /index.php
• 209.170.120[.]163:8080 - POST /index.php
• 82.116.211[.]16:443 - POST /index.php
• 202.185.27[.]50:8080 - POST /index.php
• 222.124.166[.]12:443 - POST /index.php
• 209.170.120[.]163:8080 - POST /index.php

ALERTSS:

• 82.116.211[.]16:443 - ET TROJAN Kuluoz/Asprox Activity (sid:2017895)
• 82.116.211[.]16:443 - ET POLICY HTTP traffic on port 443 (POST) (sid:2013926)
• 82.116.211[.]16:443 - ET POLICY HTTP POST on unusual Port Possibly Hostile (sid:2006409)

 

LIVE TRAFFIC - F8825C98266E7549515F7479ACC4CB04:

• 217.106.238[.]145:443 - POST /index.php
• 217.106.238[.]145:443 - POST /index.php
• 217.106.238[.]145:443 - POST /index.php
• 217.106.238[.]145:443 - POST /index.php
• 93.158.134[.]89:25 - SMTP attempt, but RST by server
• 80.83.123[.]131:8080 - POST /cb/board.pl
• [various IP addresses]:25 - example of the many emails sent (IP address and other info changed or masked in this pcap)
• [internal host]:53 - several DNS queries for: openisp.su
• [internal host]:53 - several DNS queries for: cellgone.su

ALERTS:

• 217.106.23[.]145:443 - ET TROJAN Kuluoz/Asprox Activity (sid:2017895)
• 217.106.238[.]145:443 - ET POLICY HTTP traffic on port 443 (POST) (sid:2013926)
• 222.124.166[.]12:443 - ET POLICY HTTP POST on unusual Port Possibly Hostile (sid:2006409)
• [internal host]:53 - ET POLICY DNS Query for .su TLD (Soviet Union) Often Malware Related (sid:2014169)
• [various IP addresses]:25 - ETPRO SMTP Exim string_format Remote Code Execution (sid:2800979)
• [various IP addresses]:25 - ET INFO SUSPICIOUS SMTP EXE - ZIP file with .exe filename inside (Inbound) (sid:2017884)

• [internal host]:53 - [1:27721:3] INDICATOR-COMPROMISE Suspicious .su dns query (x43)
• [various IP addresses]:25 - [129:12:1] Consecutive TCP small segments exceeding threshold (x9)
• [various IP addresses] - [139:1:1] (spp_sdf) SDF Combination Alert

 

Click here to return to the main page.