Crooks use geo-coded files to make messages look legitimate

Jul 14, 2014 15:43 GMT  ·  By

Posing as an urgent court notice from the law firm Green Winick, delivered by email, a group of cybercriminals is trying to lure victims to compromised websites that serve malware designed to add their computers to the ASProx botnet.

The ASProx botnet, also known as Kuluoz, has been around since 2008 and operates as a botnet-for-hire: attackers employ it for various purposes, from sending phishing and spam to stealing sensitive information from infected machines.

The botnet is well known in the security industry. FireEye researchers found in June that it can send anywhere from a few hundred to tens of thousands of emails in a single day, and that an outbreak extending over several days typically spews between 50,000 and 500,000 malicious messages.

According to Gary Warner of Malcovery Security, the latest ASProx campaign uses messages purporting to be court notices sent by a law firm. Subject lines range from notice of a hearing to a request for appearance, but all of them carry a link to a malicious web location.

The security researcher says that in a period of three days as many as 88 compromised web addresses were used in the spam campaign. However, “it is likely there are many more,” he says in a blog post.

The websites are not necessarily set up by the cybercriminals: most of them appear to belong to legitimate businesses and may have been compromised through SQL injection, a technique characteristic of this group of attackers.

Placing a web link in the body of the message appears to yield a higher success rate than delivering the malware as an attachment, especially when the URL is unique for each recipient, since a single reported link can then be blocked without affecting the rest of the campaign.

“That is what is happening in this case, and what always happens in these ASProx / Kuluoz spam campaigns. An encoded pseudo-directory is used in the path portion of the URL, which is combined with rotating through hundreds of 'pre-compromised' websites to host their malicious content,” writes Warner.

When the potential victim lands on the infected page, a geo-coded ZIP archive is downloaded; inside it is a malicious executable. A geo-coded file carries in its name the ZIP code of the area where the potential victim resides, which makes the lure more convincing and the attack more effective.

The executable is disguised as a Microsoft Word document, and its detection rate on VirusTotal is quite low: only seven antivirus engines identify it as malicious.
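Low signature coverage is exactly why a gateway or sandbox should judge the downloaded archive by structure rather than by antivirus verdict. The script below, an added example that is not part of the article or of Malcovery's research, applies the traits described above: a US ZIP code in the archive name, a member that starts with the PE `MZ` signature whatever its extension, and an executable whose name borrows a document extension. The archive, its name (`Notice_to_Appear_12345.zip`) and the member names are constructed stand-ins, and the "executable" is a two-byte header stub, not a real sample.

```python
import io
import re
import zipfile

# Five-digit US ZIP code (optionally ZIP+4) not embedded in a longer number.
US_ZIP_IN_NAME = re.compile(r"(?<!\d)\d{5}(?:-\d{4})?(?!\d)")
DOCUMENT_EXTS = {"doc", "docx", "pdf", "rtf"}
PE_MAGIC = b"MZ"  # DOS header signature that starts every Windows PE file

def build_sample_archive():
    """Constructed stand-in for the downloaded archive (not a real sample):
    a ZIP whose name carries a ZIP code, holding a PE stub with a
    document-looking double extension plus one harmless text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Only the DOS header prefix is mimicked; this is not a runnable program.
        zf.writestr("Court_Notice.doc.exe",
                    PE_MAGIC + b"\x00" * 62 + b"This program cannot be run in DOS mode")
        zf.writestr("readme.txt", b"constructed benign member")
    return "Notice_to_Appear_12345.zip", buf.getvalue()

def inspect_archive(archive_name, archive_bytes):
    """Flag the traits described in the article: a ZIP code in the archive
    name, PE executables inside regardless of extension, and executables
    whose names borrow a document extension."""
    report = {
        "zip_code_in_name": bool(US_ZIP_IN_NAME.search(archive_name)),
        "executables": [],
        "document_lookalikes": [],
    }
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                magic = member.read(len(PE_MAGIC))
            if magic != PE_MAGIC:
                continue  # the content decides, not the extension
            report["executables"].append(info.filename)
            extensions = info.filename.lower().split(".")[1:]
            if DOCUMENT_EXTS.intersection(extensions):
                report["document_lookalikes"].append(info.filename)
    report["suspicious"] = report["zip_code_in_name"] and bool(report["document_lookalikes"])
    return report

if __name__ == "__main__":
    name, data = build_sample_archive()
    print(name, inspect_archive(name, data))
```

Checking the first two bytes of each member catches the Word-icon trick without trusting the file name at all; the ZIP-code and double-extension rules then raise the score for the specific lure the campaign uses, so a gateway can quarantine such archives even while only a handful of antivirus engines recognise the payload.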