If you drive in a city with toll roads, you are familiar with the E-Z Pass System. If you are, you may have been tempted to click on an email that looked like this: ![]()
A quick search in the Malcovery Security Spam Data Mine revealed these related emails:![]()
When we run this malware, it attempts to make contact with the following C&C locations:
But the destination websites are certainly not on E-Z Pass's domains!
date | subject | sender_name
------------+---------------------------------------+---------------------------------
2014-07-08 | In arrears for driving on toll road | E-ZPass Collection Agency
2014-07-08 | In arrears for driving on toll road | E-ZPass Info
2014-07-08 | In arrears for driving on toll road | E-ZPass Customer Service Center
2014-07-08 | In arrears for driving on toll road | E-ZPass Info
2014-07-08 | Indebted for driving on toll road | E-ZPass Service Center
2014-07-08 | Indebted for driving on toll road | E-ZPass Service Center
2014-07-08 | Indebted for driving on toll road | E-ZPass Collection Agency
2014-07-08 | Indebted for driving on toll road | E-ZPass Customer Service Center
2014-07-08 | Indebted for driving on toll road | E-ZPass Info
2014-07-08 | Indebtedness for driving on toll road | E-ZPass Collection Agency
2014-07-08 | Indebtedness for driving on toll road | E-ZPass Customer Service Center
2014-07-08 | Indebtedness for driving on toll road | E-ZPass Customer Service Center
2014-07-08 | Pay for driving on toll road | E-ZPass Info
2014-07-08 | Payment for driving on toll road | E-ZPass Info
2014-07-08 | Payment for driving on toll road | E-ZPass Info
2014-07-08 | Payment for driving on toll road | E-ZPass Info
When we visit one of the URLs, we are prompted to download a .zip file, containing a .exe file.
machine | path
---------------------------+-------------------------------------------------------------------
www.federalparts.com.ar | /tmp/api/3eLv aFKXBvmuxydKFVfEZIMWSl7f4VJfOpfcdAHPeo=/toll
www.fiestasnightclub.com | /tmp/api/kJ1a5XRhE7MM9YhRVR1186why1TgPCPH7aieECyjb I=/toll
www.flavazstylingteam.com | /tmp/api/vBrLdEDWRK4sXs6KaHEbWzHnbEYIFSo42BZvGd4crCY=/toll
www.fleavalley.com | /tmp/api/ycI2IRHcInDd1/cetyLMZMjwyxKxTAEHFkjk1dRUfYs=/toll
www.frazeryorke.com | /wp-content/api/LtvaZdAvP3GFuaqyulY/C3haFCeID3krbtMHt52cdnM=/toll
www.fsp-ugthuelva.org | /tmp/api/fMVyiIXcbY9gamr17zPrnhTgz2Zvs825GTmvvRjlTIA=/toll
www.fyaudit.eu | /components/api/yiBOsvUdvftbCd4Fa1zmVtIkbs4x3ThiUnFoIgwyI9Q=/toll
www.giedrowicz.pl | /tmp/api/R4a4iKmACUtWoRHq1DsCiQ1aH 3J7QgBMfp1zq8gqj8=/toll
www.gostudy.ca | /components/api/Q/sV7HtfnZGOW4lzlLSfFuKM/lLu8LQmOlT TVXKb2o=/toll
www.graphiktec.com | /tmp/api/nZbX6I6vYQrsTlY4OAw44Qq96Lnw/JOoLDdBmdLh21M=/toll
www.h2oasisinc.com | /components/api/BivlBt/AhVodCMM9zRuvcQpIyG2X6Knd8sERnP1 QDA=/toll
www.habicher.eu | /tmp/api/yra96tiDlyYbYxsbJpr/hDVSPmwh6GKYLF6PaD3nUAI=/toll
www.grupoancon.com | /components/api/6jI99hwDmjAvkEvuX8JvVSkS3InPtLii ZN3dbIVkOM=/toll
www.happymaree.com.au | /tmp/api/d4ik5Y2GvCVSSJQhXI9wYYpBvxjLS78peeRYMKV0V7c=/toll
www.headspokerfest.com | /tmp/api/RTuPCuYLjaj1KnTeJrMlCoH9HL4IixR eBvajB6TCeE=/toll
www.headspokerfest.com | /tmp/api/43J6l5G/CkNp6kmGl0b jUY/oOL4411pPds8nylDE5g=/toll
Both are conveniently named for the City and ZIP Code from which we are connected.
For example:
At Malcovery Security, we've been tracking the ASProx botnet for some time. Most of these IP addresses were already known to belong to the ASProx botnet for some time. This is the same botnet that sent the Holiday Delivery Failure spam imitating Walmart, CostCo, and BestBuy over the holidays and that send the Court Related Malware through the early months of 2014.
76.74.184.127:443
113.53.247.147:443
50.57.139.41:8080
188.165.192.116:8080
82.150.199.140:8080
203.157.142.2:8080
212.45.17.15:8080
92.240.232.232:443
188.165.192.116:8080
Whatever it wants to do next, it must do very quietly. Perhaps I'm in the wrong ZIP code for the next steps?