Malware of the Day – Asprox

What is Malware of the Day?

 

Lab Setup

Malware: Asprox

AKA: Asprox Botnet, ASProx, Badsrc, Aseljo

Traffic Type: Crimeware

Connection Type: Reverse HTTP

C2 Platform: Cobalt Strike

Origin of Sample: https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/crimeware/asprox.profile

Host Payload Delivery Method: Powershell one-liner

Target Host/Victim: 192.168.99.54 – Windows 10 x64

C2 Server: 159.65.220.246

Beacon Timing: 30s

Jitter: 20%

 

Brief

Our focus is on identifying and detecting network beaconing behavior. We are using AI-Hunter/RITA as our network threat and C2/beacon detection platform to visualize the network traffic generated from running the Asprox botnet malware replication. We encourage you to download and use the PCAP files included in the next section to analyze them independently using your preferred threat hunt platform to test your detection capabilities.

This week we are looking at Asprox, a botnet malware that initially emerged in 2007 and is largely considered inactive since 2015, however the methods and communication forms used by the Asprox botnet malware continue to be common methods observed in many different strains and adaptations of malware today.

 

The above screenshot is taken of the AI-Hunter Beacons module from a 24-hour traffic capture. The Asprox botnet traffic has been detected as a very strong beacon signal of 93.50%.

In the green highlighted box is the beacon timing showing the number of connections of each interval of time in seconds. Here we can see the majority of the connection timing distributions are between 24 and 30 second intervals. We have multiple strong signals that spread out across this range.

Viewing the connections timing in a graph like this we can observe the jitter that has been introduced into the timing of a deviation of 20% from 30 seconds. This amount of jitter will most likely spoof most beacon detection tools that are looking for very rigid timing patterns. Note we have some outliers at 9-10 seconds, however, these consistent clusters of connection timings are evidence of programmed machine communications and our threat hunt platform has picked this up.

In the red highlighted box above are the number of connections per hour (each blue block is a one-hour time frame). The consistency of the number of connections per hour is a tell-tale indicator of non-human behavior. Notice the flatness and uniformity of the hourly histogram. Normal users’ traffic will be much more random in nature and would display greater peaks and valleys in the graph over time.

 

Switching to the connections data size view (shown in the green highlighted box above), we can immediately see the majority of communications are the same data size. For this sample, we have a total of 10140 connections. 9051 of them with 733 byte payloads. This is obviously uniform and structured communications and is a solid representation of a potential C2 channel “heartbeat” of checking in for marching orders or to maintain persistence.

Normal users’ network communications will vary greatly in data size. The data size analysis is confirming these are programmed communications to be investigated.

 

A similar beacon analysis can be performed using our open-source framework for network traffic analysis, RITA (Real Intelligence Threat Analytics). RITA detected the Asprox sample traffic as a very strong threat, giving it a score of 0.935 (93.5% beacon/threat score). The network RITA is analyzing here is a malware lab and the Asprox sample is definitely a threat to be investigated.

 

Capture Files

Because… PCAPs, or it didn’t happen. 😊

The AI-Hunter and RITA results above are a 24-hour observation and analysis from Zeek logs running in a lab 24/7. The following PCAP files are packet captures taken from the same lab environment over a one-hour time frame and a 24-hour time frame. The files were generated using Wireshark from the target host and include normal Windows OS traffic and normal network broadcast traffic. They have not been edited. The PCAPs are safe, standard PCAP files and do not include any actual malware.

Asprox 1 Hour Capture
asprox_1hr.pcap (served by Dropbox)
Size: 1.78 MB
MD5 Checksum: 28cbec8b293e6d30d36420da9589ccf3

Asprox 24 Hour Capture
asprox_24hr.pcap (served by Dropbox)
Size: 48.35 MB
MD5 Checksum: 47358bc8104babdf283f6b04c2d1a5fc

 

Discussion

Want to talk about this or anything else concerning threat hunting? Want to share how good (or not so good) other detection tools were able to detect this Asprox botnet sample?

You are welcome to join our Discord server titled “Threat Hunter Community” to discuss topics surrounding threat hunting. We invite you to join our server here.

 

Additional Resources

https://krebsonsecurity.com/2014/12/be-wary-of-order-confirmation-emails/

https://www.theregister.com/2009/02/03/conficker_arbor_analysis/

https://www.zdnet.com/article/adobes-serious-magic-site-sql-injected-by-asprox-botnet/

 

Until the next!