Pushdo/Cutwail Botnet is warming up to bounce back – III (Sasfis, Asprox, Cutwail, FakeAV, Hiloti)
In my previous two blogs (I and II), the Pushdo/Cutwail gang had already added 10 Cutwail servers. You might be interested in what spam they are sending now.
The following (from my Pushdo/Cutwail Botnet Tracker) is the spam template that the Cutwail bot retrieved from the new Cutwail C&C servers.

You are probably already familiar with "DHL" spam. Of course, the template contains a zipped malicious file.

The inner file (Postal_Label_NR4147c.exe) is Sasfis. Yet again, Cutwail is spreading Sasfis.
There are 4 interesting findings:
1. The Asprox spam botnet is also spreading Sasfis now, but there are 2 different versions of Sasfis. More specifically, the Sasfis C&C server domain name is different in each version.
2. The Sasfis main payload binary has moved from an EXE to a DLL.
3. This version of Sasfis's custom packer seems buggy. After it rewrites the image code, it should trigger an SEH (structured exception handler) to enter the load-DLL routine (the main function of Sasfis), but it doesn't.
4. Despite the 3 points above, both versions of Sasfis will download the same 3 other malware binaries.

There are 2 main spreading records in my tracker (above).
23rd Aug – Asprox spam botnet spreading Sasfis.
1st Sep – Cutwail spam botnet spreading Sasfis.
There are 2 interesting findings:
1. up.exe is the Asprox binary; Sasfis spreads the same Asprox binary.
2. Sasfis is using both spam botnets (Cutwail and Asprox) to double its reach in spreading 2 other malicious binaries (kapusta.exe and mario.exe).
Information on the other 2 binaries:
mario.exe – FakeAV downloader
C&C server – s.statst.in
FakeAV host – dlhosts.in (setupbinarymodule710.exe)
kapusta.exe – Hiloti
It will download more than 1 malicious file.

-Kyle Yang