14 DAY TRIAL // A new malicious campaign aiming to replenish the bots in the Asprox botnet has been initiated, tricking users into believing that they have been delivered a notification email for a missed message from the Viber service.
The email lures the victim with a “missed call” subject line, while the body contains a link that claims to offer the recorded audio message and the date and time when the alleged contact has been attempted; in reality, the URL points to a compromised web server.
Operators have a professional approach
The cybercriminals behind this campaign are not regular crooks, as they take several precautions to hide the malicious activity. They verify the user agent to make sure that the visitor runs Internet Explorer; the IP address is also verified and multiple tries are blocked, since this is generally the behavior of malware researchers.
According to Tech Help List, further protective measures are in place, as “the EXE can have a unique hash every single 3 minutes, every 6 minutes, a couple times a day, or sometimes the same EXE will be used all day long.”
However, if all the conditions are met, the Trojan is downloaded and, when launched, it automatically subscribes the visitor to the Asprox botnet. The analysis from Tech Help List says that five to ten IP addresses are available in the malware, for establishing contact with the operators and receiving instructions.
The botnet can be leveraged for different nefarious activities
Asprox was initially employed to deliver massive amounts of spam, but it can also be leveraged to scan websites for vulnerabilities, steal credentials, and click-fraud for pay-per-click online advertising.
The botnet has been around since 2008 and its size varies as enslaved computers are cleaned up. From time to time, it needs to regenerate in order to reach a sizable number of systems that can be controlled for different nefarious purposes.
In Asprox’s activity observed by Microsoft, the botnet delivered a version of the Upatre downloader to users.
One of the recent campaigns documented by security researchers refers to email phishing sent out in June, claiming to be urgent court notices from Green Winick lawyers. This too was part of increasing the number of compromised machines.
Back in June, researchers from FireEye discovered that Asprox could be leveraged to spew as many as 10,000 spam emails on a daily basis. During an outbreak that usually lasts several days, the company has observed that even 500,000 malicious messages could be delivered to unsuspecting customers.
Generally, the Asprox operators use previously compromised web servers to deliver their malware, making detection a lot more difficult.