Security researchers have warned that high volume email attackers are now using the same stealthy techniques pioneered by APT attackers to bypass traditional defenses, in what could be a worrying development for the information security industry.
FireEye Labs has been tracking since late last year the Asprox botnet campaign – which uses Kuluoz malware to infect machines and exfiltrate sensitive data from a range of targets.
However, despite sending out up to 10,000 emails each day during an outbreak, the group behind the campaign has been observed constantly tweaking the malware and delivery techniques to evade traditional AV, IPS, firewalls and file-based sandboxes.
The group has changed the malware’s “hardcoded strings, remote access commands, and encryption keys” and it also switched from sending a malicious URL to a malicious attachment in its phishing emails.
The content of these phishing emails has also been altered to improve the infection rate.
“Some of the recurring campaigns that Asporox used includes themes focused around airline tickets, postal services and license keys. In recent months however, the court notice and court request-themed emails appear to be the most successful phishing scheme theme for the campaign,” wrote FireEye.
“The data reveals that each of the Asprox botnet’s malicious email campaigns changes its method of luring victims and C2 domains, as well as the technical details on monthly intervals. And, with each new improvement, it becomes more difficult for traditional security methods to detect certain types of malware.”
CPG, energy and government organizations comprised the most frequently targeted victims, although Asprox has been aimed at a wide variety of firms in countries across the globe, according to FireEye.
The group behind Asprox is also believed to monitor closely any reports from the security industry on their malware techniques, enabling it to tweak the attack accordingly to evade detection.
With each major email burst bringing a change of attributes, there are fears that other mass mailer attackers will adopt similar tactics to increase the success of campaigns.