ASProx malware threat targets holiday shoppers

Posted by Gary Warner on Wed, Dec 3, '14


Last holiday season the operators of the ASProx bot had a tremendously successful infection season as they found new ways to prey on our greatest fears.  We have long known that the keys to successful social engineering are Fear and Greed.  When presented with compelling stimuli in the Fear and Greed categories, criminals can count on a significant number of their potential victims temporarily suspending their InfoSec Awareness Training and clicking the link.  In December 2013, spammers used #ASProx to deliver fear in the form of a Failed Delivery email from CostCo, BestBuy, or WalMart.  Malcovery analysts identified more than 600 hacked websites that were used as intermediaries to prevent detection: the spammed links pointed to websites that had been "known good" until the morning of the attack, so URL reputation systems had nothing against them.  In addition to bypassing reputation systems in that way, criminals know they can sidestep DMARC by putting a domain they control, rather than the vendor's, in the FROM address.  The vendor's DMARC policy only governs mail that claims to come from the vendor's own domain; a lookalike or unrelated sending domain is never evaluated against it, and the Sender Name is what most recipients actually see.

Malware for Christmas

This year we are seeing all of the same tricks in play as #ASProx expands its repertoire of imitated brands and tones the fear message back ever so slightly.  In a message crafted so that either Greed or Fear could be in play, the spammers now use text similar to this:

"We are happy to inform you that our online store has an order whose recipient details match yours.  The order could be received in any Local Store of within the period of 5 days.  Open this LINK to see full information about your order."


Because Malcovery has a unique Spam Data Mine that allows our analysts to quickly identify and link malicious email campaigns, we were able to demonstrate that this spam message is the newest look and feel of the long-running ASProx botnet that has most famously spent the year delivering EZ-Pass Malware and Court Notice malware.  We were also able to identify that the same ASProx botnet was currently spamming emails imitating HomeDepot, WalMart, CostCo, and Target!


In this WalMart spam message sample, the text is nearly identical, but note that the destination website is different from the one used in the Home Depot message.  The December 1st version of this spam was delivered using a mix of deceptive subject lines and Sender Names.  Subjects included:

  • Subject: Thank you for your order
  • Subject: Order Confirmation
  • Subject: Thank you for buying from Best Buy
  • Subject: Acknowledgment of Order
  • Subject: Order Status

But these were freely mixed with Sender Names from any brand.  The forged email addresses came from dozens of imitated domains, but the Sender Names, which on many mobile devices are the only address information shown to the recipient, were drawn from a short list (Best Buy, CostCo, Walmart, and a few others) and seemed to be freely mixed with the addresses.  As an example, in this email a CostCo email claims to be from WalMart, although the Sender address is not a WalMart address at all.


And in this email, the Sender Name is given as CostCo:
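The Sender Name trick described above, and the DMARC point made earlier (a FROM domain that is not the vendor's is never judged by the vendor's DMARC policy), can be checked mechanically at the mail gateway. The following Python is an added example and is not Malcovery's code or anything from the campaign; the brand-to-domain map is an assumption for illustration (not verified vendor data), and the From: headers are constructed samples, not real spam.

```python
"""Flag brand impersonation in the display name of a From: header.

Added example, not Malcovery's code. A Sender Name such as "WalMart" is
often all a mobile mail client shows, while the address behind it can be
any domain the spammer controls. The imitated vendor's DMARC policy only
covers mail that claims to come from the vendor's own domain, so a
lookalike or unrelated From: domain is never evaluated against it. This
check compares the display name against the address domain directly.
The brand-to-domain map and the sample headers are constructed for the
example and are not verified vendor data or real campaign samples.
"""
from email.header import decode_header
from email.utils import parseaddr

# Constructed allow-list (assumption, not verified): brands the campaign
# imitated, mapped to the domains their legitimate mail would come from.
BRAND_DOMAINS = {
    "walmart": {"walmart.com"},
    "costco": {"costco.com"},
    "bestbuy": {"bestbuy.com"},
    "homedepot": {"homedepot.com"},
    "target": {"target.com"},
}

def decode_display_name(raw):
    """Decode RFC 2047 encoded words so "=?UTF-8?B?...?=" names are compared as text."""
    parts = []
    for chunk, enc in decode_header(raw):
        parts.append(chunk.decode(enc or "ascii", "replace") if isinstance(chunk, bytes) else chunk)
    return "".join(parts)

def brands_in_display_name(display_name):
    """Return brand keys whose name appears in the display name, ignoring case and spaces."""
    squashed = "".join(ch for ch in display_name.lower() if ch.isalnum())
    return [b for b in BRAND_DOMAINS if b in squashed]

def domain_belongs_to(domain, allowed):
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def check_from_header(from_header):
    """Classify a raw From: header value.

    Returns ("no-brand" | "brand-ok" | "brand-mismatch", detail).
    """
    display_name, addr = parseaddr(from_header)
    display_name = decode_display_name(display_name)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    brands = brands_in_display_name(display_name)
    if not brands:
        return ("no-brand", domain)
    if any(domain_belongs_to(domain, BRAND_DOMAINS[b]) for b in brands):
        return ("brand-ok", domain)
    return ("brand-mismatch", f"{display_name!r} sent from {domain or 'no address'}")

# Constructed sample From: headers (not real campaign data).
SAMPLE_FROM_HEADERS = [
    "WalMart <order-status@walmart.com>",
    '"CostCo" <noreply@hacked-example.net>',
    '"Best Buy" <orders@bestbuy-confirmation.com>',
    '"WalMart" <walmart@costco-example.org>',
    "Jane Doe <jane@example.org>",
]

def scan(headers):
    """Return only the headers whose Sender Name claims a brand the address domain does not back."""
    results = []
    for h in headers:
        verdict, detail = check_from_header(h)
        if verdict == "brand-mismatch":
            results.append((h, detail))
    return results

if __name__ == "__main__":
    for header, detail in scan(SAMPLE_FROM_HEADERS):
        print("MISMATCH:", detail)
```

Two caveats a practitioner would want: the substring match on brand names will also fire on innocent display names that happen to contain a brand word (a name containing "target", for instance), so in production the rule belongs behind a DMARC/SPF pass check rather than as a hard block; and a From: domain that passes this check can still be a compromised vendor mailbox, which this test cannot see.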


While we encourage you to share this warning with your friends so they will not become infected with malware, Malcovery customers were immediately warned of the Indicators of Compromise revealed by this malware campaign.  There were actually two versions of malware being spread in this campaign.  One version used an email attachment, while the more prominent version was distributed via links to malicious websites that had been compromised for the purpose of malware distribution.  The two versions had entirely non-intersecting Command & Control infrastructure, as noted in this list:

The list on the left actually reflects an older version of the malware.  Visitors to the Malcovery ThreatHQ portal could search or click on any of those IP addresses to see that this same group of C&C addresses was used to control the Court Notice malware that was distributed heavily on November 26, 2014.  For those who have automated the process, the November 26 indicators would have been immediately imported into your SIEM, Webfilter, or Firewall environment to provide blocking and alerting if one of your employees attempted to access these sites.  The November 26th protections would therefore still have protected against the December 1st/2nd malware.  Which is a very good thing, since even now more than half of the AV products on VirusTotal still do not detect the dropped malware from 48 hours ago!
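The point of the paragraph above is that an indicator list imported from the earlier campaign already covers most of the later one, and that the import is only useful if something actually matches it against traffic. The following Python is an added example and is not Malcovery's code or ThreatHQ output: it ingests two indicator lists, reports how much of the newer list the older one already blocked, and alerts on proxy log lines whose destination is on the list. The indicator lists and the Squid-style log lines are constructed from RFC 5737 documentation address space; none of the addresses is a real C&C host, and the list format (one IP or CIDR per line) is an assumption.

```python
"""Match campaign C&C indicators against proxy logs and compare IOC sets.

Added example, not Malcovery's code and not ThreatHQ output. It shows the
workflow the blog paragraph assumes: ingest the indicator list from an
earlier campaign, ingest the newer one, report how much of the new list
the old one already covered, and alert on any proxy log line whose
destination is on the list. The indicator lists and log lines are
constructed from RFC 5737 documentation address space; none of them is a
real C&C address.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed indicator lists (assumed format: one IP or CIDR per line).
IOC_LIST_NOV26 = """\
# C&C addresses attributed to the earlier campaign (constructed)
198.51.100.10
198.51.100.11
203.0.113.5
"""
IOC_LIST_DEC01 = """\
# C&C addresses attributed to the later campaign (constructed)
198.51.100.10
203.0.113.5
203.0.113.77
"""

# Constructed Squid-style access.log lines:
# time elapsed client code/status bytes method URL ident peerstatus/peerhost type
SAMPLE_PROXY_LOG = """\
1417478400.123    245 10.0.0.21 TCP_MISS/200 5123 GET http://203.0.113.5/order/ - DIRECT/203.0.113.5 text/html
1417478401.456     12 10.0.0.22 TCP_MISS/200 812 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1417478402.789    310 10.0.0.23 TCP_MISS/200 9021 GET http://198.51.100.11:8080/gate.php - DIRECT/198.51.100.11 text/html
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+\S+/(?P<peer>\S+)"
)

def parse_ioc_list(text):
    """Return a set of ip_network objects; blank lines and '#' comments are skipped."""
    nets = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.add(ipaddress.ip_network(entry, strict=False))
    return nets

def is_listed(host, nets):
    """True if host is an IP literal that falls inside any listed network."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames would need DNS resolution; out of scope here
    return any(ip in n for n in nets)

def shared_indicators(old, new):
    """Indicators present in both campaigns' lists."""
    return old & new

def coverage(old, new):
    """Fraction of the new campaign's indicators that the old list already blocked."""
    return len(old & new) / len(new) if new else 1.0

def scan_proxy_log(log_text, nets):
    """Return (client, matched_host, url) for each line reaching a listed address.

    Both the URL host and the peer host are checked, so a request that is
    proxied to a listed IP is caught even when the URL names something else.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for host in (urlsplit(m["url"]).hostname, m["peer"]):
            if host and is_listed(host, nets):
                hits.append((m["client"], host, m["url"]))
                break
    return hits

if __name__ == "__main__":
    old, new = parse_ioc_list(IOC_LIST_NOV26), parse_ioc_list(IOC_LIST_DEC01)
    print(f"{coverage(old, new):.0%} of the newer indicators were already on the older list")
    for client, host, url in scan_proxy_log(SAMPLE_PROXY_LOG, old):
        print(f"ALERT {client} -> {host} ({url})")
```

Checking both the URL host and the peer host matters because the two can differ when a request is forwarded through a parent proxy or when the malicious URL uses a hostname rather than an IP literal; in the latter case the IP-only list will miss it unless the resolver logs are correlated as well, which is exactly why indicator lists that include domains are more useful than bare IPs.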

We expect to see this campaign continue to evolve.  The December 1st spam templates have morphed slightly, so that on December 2nd we are now seeing CostCo, Krogers, Walgreens, and WalMart as the brands being imitated.  (Really?  Who does their Christmas shopping at Krogers?)  Fortunately, all of the IOCs for the December 1st malware still apply to the December 2nd version.



