Security researchers tracking the Asprox botnet campaign have concluded that the attackers behind the operation are constantly changing not only their methods of luring victims but also the technical details of the malware they deploy, roughly on a monthly cadence, making the malicious code ever harder for traditional security products to detect.
“While malicious email campaigns are nothing new, this one is significant in that we are observing mass-targeting attackers adopting the malware evasion methods pioneered by the stealthier APT attackers,” the researchers said.
The team has been tracking the campaign since it began in 2013 and has noticed a series of spikes in the volume of malicious email, with as many as ten thousand malicious messages delivered daily and between 50 and 500,000 per outbreak, with the malware's attributes adjusted between outbreaks in an effort to continuously evade detection.
“These changes have made it difficult for anti-virus, IPS, firewalls and file-based sandboxes to keep up with the malware and effectively protect endpoints from infection,” the researchers stated. “Worse, if past is prologue, we can expect other malicious, mass-targeting email operators to adopt this approach to bypass traditional defenses.”
The researchers have noted a deliberate pattern of changes to the Kuluoz malware used in the spam campaigns, including changes to its hardcoded strings, its remote-access commands and its encryption keys; these changes correlate with the spikes in the number of malicious emails detected.
“By the end of May, we observed a big spike in the unique binaries associated with this malicious activity. Compared to the previous days, where malware authors used just 10-40 unique MD5s or less per day, we saw about 6400 unique MD5s sent out on May 29th,” the team explained.
“That is a 16,000% increase in unique MD5s over the usual malicious email campaign we’d observed. Compared to other recent email campaigns, Asprox uses a volume of unique samples for its campaign.”
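The jump in unique hashes described above is itself a usable detection signal, independent of whether any single hash is known to anti-virus. The following Python is an added example, not FireEye's or the page's own code: it counts unique attachment hashes per day in mail-gateway telemetry and flags a day whose count is at least ten times the highest count in the preceding days. The log records and their hashes are constructed for the example, sized to mirror the 10-40 per day baseline and the 6400-sample spike quoted in the text.

```python
"""Per-day unique-sample counting with spike detection over constructed
mail-gateway records. Added example, not code from the original report."""
import hashlib
from collections import defaultdict


def placeholder_hash(day: str, i: int) -> str:
    """Deterministic fake 32-hex-char digest standing in for an attachment MD5."""
    return hashlib.sha256(f"{day}:{i}".encode()).hexdigest()[:32]


def build_sample_log():
    """Constructed records of (date, attachment hash, recipient).

    Quiet days carry 12-40 distinct binaries, the last day carries 6400,
    and every binary is mailed to three recipients so hashes repeat
    within a day (unique counts, not message counts, are what matter).
    """
    binaries_per_day = {"2014-05-25": 12, "2014-05-26": 35, "2014-05-27": 20,
                        "2014-05-28": 40, "2014-05-29": 6400}
    log = []
    for day, n in binaries_per_day.items():
        for i in range(n):
            digest = placeholder_hash(day, i)
            for r in range(3):
                log.append((day, digest, f"user{r}@example.com"))
    return log


def unique_hashes_per_day(log):
    """Map each day to the number of distinct attachment hashes seen."""
    seen = defaultdict(set)
    for day, digest, _recipient in log:
        seen[day].add(digest)
    return {day: len(digests) for day, digests in seen.items()}


def spike_days(counts, factor=10.0, window=4):
    """Return [(day, unique_count, baseline, pct_increase)] for days whose
    unique-hash count is at least `factor` times the baseline.

    The baseline is the maximum over the previous `window` days, the most
    conservative choice: an alert fires only when the day beats every
    recent day by the full factor, so ordinary day-to-day noise is ignored.
    Days with fewer than two prior days of history are skipped.
    """
    days = sorted(counts)
    hits = []
    for i, day in enumerate(days):
        prior = [counts[d] for d in days[max(0, i - window):i]]
        if len(prior) < 2:
            continue
        baseline = max(prior)
        if counts[day] >= factor * baseline:
            pct_increase = round((counts[day] - baseline) / baseline * 100)
            hits.append((day, counts[day], baseline, pct_increase))
    return hits


if __name__ == "__main__":
    per_day = unique_hashes_per_day(build_sample_log())
    for day in sorted(per_day):
        print(day, per_day[day])
    for day, count, baseline, pct in spike_days(per_day):
        print(f"SPIKE {day}: {count} unique hashes vs baseline {baseline} (+{pct}%)")
```

Against the constructed data the only hit is 2014-05-29, with 6400 unique hashes against a baseline of 40, a 15,900% increase, which is the figure the researchers round to 16,000%. The threshold factor and window are tuning knobs; in production the per-day counts would come from the gateway's attachment-hash field rather than an in-memory list.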
The phishing campaigns appear to be concentrated on targets in North America; the majority of the targeted organizations belong to the energy sector, followed by retail and government. The emails carry either a malicious link or a malicious attachment.
“Once the victim executes the malicious payload, it begins to start an svchost.exe process and then injects its code into the newly created process. Once loaded into memory, the injected code is then unpacked as a DLL,” the researchers said.
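Because the unpacked DLL exists only in the memory of an svchost.exe the malware itself launched, file-based scanning of the dropper's hash is the weakest place to detect it; the process ancestry is the stronger signal. The following Python is an added example, not the page's or the researchers' code, of how endpoint telemetry can surface that behaviour: it scans process-creation and remote-thread events (field names modelled on Sysmon Event ID 1 and Event ID 8, which is an assumption about the telemetry source) for an svchost.exe whose parent is not services.exe or that lacks the usual `-k` service-group argument, and for threads injected into svchost.exe from another image. The events, paths and PIDs are constructed for the example, and the allowlist of legitimate svchost parents is an assumption to be tuned per Windows build.

```python
"""Flag anomalous svchost.exe starts and remote-thread injection into
svchost.exe from constructed Sysmon-style events. Added example, not code
from the original report."""
import ntpath

SVCHOST = "svchost.exe"
# Assumption: on the hosts in scope, services.exe is the only legitimate
# parent of svchost.exe. Extend for your own builds and tooling.
LEGIT_SVCHOST_PARENTS = {"services.exe"}

# Constructed events. id 1 = process create, id 8 = CreateRemoteThread.
# The dropper path, PIDs and command lines are made up for the example.
EVENTS = [
    {"id": 1, "pid": 812, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"id": 1, "pid": 4120, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\order_details.exe"},
    {"id": 8, "source_pid": 4088,
     "source_image": r"C:\Users\alice\AppData\Local\Temp\order_details.exe",
     "target_pid": 4120, "target_image": r"C:\Windows\System32\svchost.exe"},
    {"id": 1, "pid": 5012, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]


def base(path: str) -> str:
    """Case-folded file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def find_suspicious_svchost(events):
    """Return [(rule, svchost pid, detail)] for the two behaviours of interest.

    Rule svchost_anomalous_start: an svchost.exe whose parent is outside the
    allowlist or whose command line carries no -k service group, which
    legitimate service hosts normally have.
    Rule remote_thread_into_svchost: a thread created in svchost.exe by a
    different image, the footprint of code injection into a fresh host.
    """
    findings = []
    for ev in events:
        if ev["id"] == 1 and base(ev["image"]) == SVCHOST:
            reasons = []
            if base(ev["parent_image"]) not in LEGIT_SVCHOST_PARENTS:
                reasons.append(f"parent {ev['parent_image']}")
            if "-k" not in ev["cmdline"].split():
                reasons.append("no -k service-group argument")
            if reasons:
                findings.append(("svchost_anomalous_start", ev["pid"],
                                 "; ".join(reasons)))
        elif ev["id"] == 8 and base(ev["target_image"]) == SVCHOST:
            if base(ev["source_image"]) != SVCHOST:
                findings.append(("remote_thread_into_svchost", ev["target_pid"],
                                 f"from {ev['source_image']}"))
    return findings


def correlate_by_pid(findings):
    """Group rule names by svchost pid; a pid hit by both rules is the
    strongest case, since start-time and injection evidence agree."""
    by_pid = {}
    for rule, pid, _detail in findings:
        by_pid.setdefault(pid, []).append(rule)
    return by_pid


if __name__ == "__main__":
    found = find_suspicious_svchost(EVENTS)
    for rule, pid, detail in found:
        print(f"{rule}: svchost pid {pid} ({detail})")
    for pid, rules in correlate_by_pid(found).items():
        print(f"pid {pid}: {len(rules)} rule(s) -> {rules}")
```

On the constructed events, pid 812 (started by services.exe with `-k netsvcs`) is clean, while pid 4120 is flagged twice: once at creation, for its non-services parent and bare command line, and once for the remote thread created in it by the dropper. Neither rule depends on the dropper's hash, which is exactly what the campaign's daily churn of unique binaries is designed to defeat.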
“The malware uses various encryption techniques to communicate with the command and control (C2) nodes. The communication uses an RSA (i.e. PROV_RSA_FULL) encrypted SSL session using the Microsoft Base Cryptographic Provider while the payloads themselves are RC4 encrypted.”