Zscaler Data Protection Recognized as a 2023 Product of the Year by CRN

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

USPS Spam Delivering Asprox Variant

May 29, 2014 - 2 min read
UPDATE: The botnet which is described here is called 'Asprox'. I've compared research with that seen from StopMalvertising.

Recent email spam has begun taking advantage of user's need to snail mail something.  The attacker will forward a message supposedly from USPS in order to get victim's to click on a link purported to be a shipping receipt, which actually leads to a malicious file.  If the user is unfortunate enough to click the link in the spam mail, a zip file containing a variant of Asprox is downloaded.
At the time of research, the VT score was 4/53 
Once the file makes it way onto the desktop, it feigns a document icon in order to trick the user into thinking it is safe to view.  This is actually the malicious executable which scored 4/53 on initial VirusTotal scans.
Never trust an icon!  Check the 'Right Click > Properties' to see the true extension
The file itself creates local copies of itself in the logged-in User's Local Application Data and creates an autostarter to ensure that the victim stays infected after restarting their compromised PC.
The threat installs a randomly generated Autostarter value
ThreatLabZ has monitored this infection for a few days and observed several other download locations that kick off this threat.
All links download a similar package. 
The common factor across all of these dropped files is that they all POST bzip2 compressed data which is then encrypted with a 16-byte random RC4 key via HTTP as reported by StopMalvertising.  We're seeing a growing number of attacks which utilize this method of phone home activity. The case of this Asprox threat phones home over ports 443 and 8080.
Communication is sent over port 8080 or 443
ThreatLabZ collected numerous IPs which were seen to communicate with malicious variants mentioned above.
IPs which communicated with Malicious samples.
Users and Administrators should be cautious of all traffic regardless of the ports it communicates on.  Attackers are leveraging nonstandard HTTP ports in order to bypass some security solutions.
form submtited
Thank you for reading

Was this post useful?

Explore more Zscaler blogs

A cyber criminal shopping for malware
Agniane Stealer: Dark Web’s Crypto Threat
Read Post
Business people walking through a city
The Impact of the SEC’s New Cybersecurity Policies
Read Post
Digital cloud illuminated in blue
Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)
Read Post
The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region
Read Post
01 / 02
dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.