Asprox Botnet Targets Snail Mail Users

Zscaler has published an analysis of a botnet named Asprox, which forwards messages that are supposedly from USPS in order to get victims to click on a link

In an ironic turn of events, an email spam campaign is targeting those who send letters the old-fashioned way, through rain, sleet, snow and gloom of night, via the US Postal Service.

Zscaler has published an analysis of a botnet named Asprox, which forwards messages that are supposedly from USPS in order to get victims to click on a link. The link purports to be a shipping receipt, but in reality it is a malicious .zip file containing a variant of the Asprox malware.

The file installs itself on the desktop and disguises itself as a Word document. If clicked, the extracted file creates local copies of itself in the logged-in user's local application data folder and creates an autostart entry to ensure that the victim stays infected after restarting their compromised PC.

Zscaler researcher Chris Mannon noted in the analysis that the company’s ThreatLabZ is seeing a plethora of download locations that kick off the threat, but that it is clear the same author is behind all of them:

“All links download a similar package—the common factor across all of these dropped files is that they all POST bzip2 compressed data which is then encrypted with a 16-byte random RC4 key via HTTP,” he explained. “We're seeing a growing number of attacks which utilize this method of phone home activity. The case of this Asprox threat phones home over ports 443 and 8080.”
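The phone-home layout Mannon describes (bzip2-compressed data, then RC4 with a 16-byte key, sent in an HTTP POST) is easy to recognise once the key is known, because the decrypted body has to start with the bzip2 stream magic. The following is an added example, not code from the Zscaler analysis or the article: it constructs a beacon with that layout, shows how an analyst would decode a captured POST body given a candidate key, and adds a byte-entropy helper, since RC4 output looks like random bytes on the wire. The article does not say how the key reaches the server, so a known key is an assumption here; the sample key and sample plaintext are constructed.

```python
"""
Added example (not from Zscaler or the article): decoder and sanity checks for a
POST body laid out as bzip2(plaintext) encrypted with a 16-byte RC4 key.
"""
import bz2
import math
from collections import Counter
from typing import Optional

BZIP2_MAGIC = b"BZh"

# Constructed test key; the real key is random per infection and is not on the page.
SAMPLE_KEY = bytes(range(16))
# Constructed sample beacon content (not real bot traffic).
SAMPLE_PLAINTEXT = b"id=constructed-bot-id&ver=1&os=win\n" * 8


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_beacon(plaintext: bytes, key: bytes) -> bytes:
    """Construct a test body with the described layout: compress first, then encrypt."""
    return rc4(key, bz2.compress(plaintext))


def decode_beacon(body: bytes, key: bytes) -> Optional[bytes]:
    """Reverse the layout. Returns None when the key does not expose a bzip2 stream,
    which is what an analyst sees when trying a wrong key against a capture."""
    decrypted = rc4(key, body)
    if not decrypted.startswith(BZIP2_MAGIC):
        return None
    try:
        return bz2.decompress(decrypted)
    except (OSError, ValueError):              # corrupt or truncated bzip2 data
        return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. RC4 output sits close to 8.0; plain form posts sit far lower,
    so a high-entropy POST to an unusual port is worth a second look."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


if __name__ == "__main__":
    body = build_beacon(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    print("beacon bytes:", len(body), "entropy: %.2f" % shannon_entropy(body))
    print("decoded with right key:", decode_beacon(body, SAMPLE_KEY) == SAMPLE_PLAINTEXT)
    print("decoded with wrong key:", decode_beacon(body, b"\x00" * 16))
```

`decode_beacon` checks the magic before decompressing so a wrong key fails fast; on a real capture you would feed it the raw POST body and each key candidate recovered from the sample or a memory dump.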

Asprox has been around for a while – since 2008. StopMalvertising did an analysis of the malware late last year which found that in its early days, Asprox was used as a password stealer. It was then upgraded to send out spam, and became responsible for a significant portion of unsolicited mail. It has been known to use fast-flux techniques and automated SQL injection, and is also able to download and install additional payloads for which the botnet operator gets paid (pay-per-install, or PPI). Asprox is notorious for spoofing shipping notices, including those of FedEx, DHL and UPS, and more recently has been using wedding or voicemail templates.

Users should as always be very careful when clicking on any email link. And, if a file is downloaded, “never trust an icon!” Mannon noted. “Check the 'right click > properties' [function] to see the true extension.”
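Mannon's "never trust an icon" advice and the persistence behaviour described earlier (copies under the user's local application data folder plus an autostart entry) translate into two simple triage checks. The following is an added example, not code from the article or from Zscaler: given a file name it reports the true extension and whether the name mimics a document, and given a set of autostart entries it flags those that launch an executable from the local application data directory. The Run-key entries and paths are constructed test data, not indicators from the page.

```python
"""
Added example (not from the article): triage checks for disguised executables and
suspicious autostart entries, over constructed data.
"""
import ntpath
from typing import Dict, List, Tuple

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".rtf"}

# Constructed autostart entries in the shape of HKCU\...\Run values (name -> command).
SAMPLE_RUN_ENTRIES: Dict[str, str] = {
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "UpdateSvc": r'"C:\Users\bob\AppData\Local\qwerty\USPS_Receipt.doc.exe"',
    "Helper": r"C:\Users\bob\Documents\notes.txt",
}


def true_extension(path: str) -> str:
    """The extension Windows actually honours: the last one, lower-cased."""
    return ntpath.splitext(path)[1].lower()


def mimics_document(path: str) -> bool:
    """True for names like 'USPS_Receipt.doc.exe': executable extension hidden behind
    a document-looking one (Explorer hides the last extension by default)."""
    stem, ext = ntpath.splitext(ntpath.basename(path))
    if ext.lower() not in EXECUTABLE_EXTS:
        return False
    return ntpath.splitext(stem)[1].lower() in DOCUMENT_EXTS


def in_local_appdata(path: str) -> bool:
    """True when the path lies under a user profile's AppData\\Local tree."""
    return "\\appdata\\local\\" in ntpath.normpath(path).lower()


def command_image(command: str) -> str:
    """Extract the executable path from a Run value, honouring a quoted first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage_autoruns(entries: Dict[str, str]) -> List[Tuple[str, str, List[str]]]:
    """Return (value name, image path, reasons) for entries worth a closer look."""
    findings = []
    for name, command in entries.items():
        image = command_image(command)
        reasons = []
        if true_extension(image) in EXECUTABLE_EXTS and in_local_appdata(image):
            reasons.append("executable launched from AppData\\Local")
        if mimics_document(image):
            reasons.append("document-looking name with executable extension")
        if reasons:
            findings.append((name, image, reasons))
    return findings


if __name__ == "__main__":
    for name, image, reasons in triage_autoruns(SAMPLE_RUN_ENTRIES):
        print(f"{name}: {image}\n  - " + "\n  - ".join(reasons))
```

On a live system the dictionary would come from `winreg` enumeration of the Run keys; the checks themselves are pure string logic so they run anywhere.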
