Notice to exit the premises - Asprox Malware


A fake Eviction Letter or Eviction Notice claims that your tenancy of the premises is terminated and that you may be held criminally liable or forcibly removed.

The attached zip file contains an exe virus or trojan horse.

The email headers spoof a law firm domain such as davispolk.com, perkinscoie.com, littler.com, kirkland.com, mayerbrown.com, wilmerhale.com, mofo.com, nortonrosefulbright.com, or a made-up law firm.

Keep in mind that Perkins Coie / Davis Polk & Wardwell / Littler Mendelson / Kirkland & Ellis / Mayer Brown / Wilmer Cutler Pickering Hale and Dorr / Morrison & Foerster / Norton Rose Fulbright are real law firms and these emails are not from them.

This is an Asprox botnet email spreading Kuluoz / Dofoil malware.

Later versions claimed to be from property management companies or insurance companies.


Subject: Notice to exit the premises No6855

Subject: Evition notice No0393

Subject: Eviction notification No6741

Subject: Urgent eviction notice No4117

Subject: Vacate notice No5155

Eviction letter,

You are hereby notified that your tenancy of the premises specified
in the attachment to this letter is terminated on 03/26/2014 and on that day
you will be required to quit the occupied premises.

If you do not move until the specified date you will be fined
and held administratively or criminally liable.

Court bailiff,
Ava Tailor

Lawsuit_Details _Attache_N670-76.zip (110)

Subject: Notice to quit No2352

Eviction Notification,

Please be advised that you are obliged to
vacate the living space you occupy until March 27, 2014, 11 a.m.

If you do not vacate it in the specified terms,
the court will have to assign the forcible eviction for April 24, 2014, 11 a.m.
If nobody is home we will not be responsible for safe keeping of your belongings.
Besides, if you fail to comply with the requirements of the court bailiff
you will be fined for up to 200 minimum wage amounts
with a subsequent doubling of the penalty amount
and can be made criminally or administratively liable.

The details of the circumstances that caused the judicial decision
of eviction are attached herewith.

Court bailiff,
WARD ORTEGA

Copy_Of_The_Court_Statement_N0229.zip (112)

Subject: Notice to quit No6505

Eviction notification,

You are hereby given notice that you are in breach
of your tenancy of the premises you currently occupy.

To remedy the breach you have to quit
the premises within the following four weeks.

If you fail to comply you will be physically removed
and fined for up to 100 minimum monthly wages.

Detailed information is attached herewith.

Court secretary,
DICKERSON LANE

Lawsuit_Details _Copy_ID837-35.zip (110)

Subject: Notice of eviction No5957

Notice to quit,

We regret to inform you that in the period until 04/25/14
you will have to relocate from the currently occupied premises.

If the property is not timely vacated we will have to apply sanctions against you.

Case details are attached to the present notice.

Court secretary,
LANDRY HYDE

Lawsuit_Details _Copy_SN_80-400.zip (108)

Subject: Eviction notification No1110

Eviction Notification,

Be advised that you must exit the occupied premises
until March 03, 2014 or be forcibly removed!

Any resistance will be met with strict legal sanctions
or forcible removal of your family from your home.

Find a copy of the vacate notice in the attachment to this notification.

Court representative,
PALMER Graves

Vacate_Notice_UID52-176.zip (108)

Subject: For the Attention of Household Member

Notice to move out,

As you have been failing to keep your payments
for the property, the bank has decided to foreclose on it
and now you are legally considered a trespasser.

First of all, you have to contact our office in order
we could make all arrangements for your move out
in the allowed time.
It is vital you contact us before March 20, 2014.

Enclosed are the bank resolution and our contact details.

Real estate agency,
Diana Smith

Resolution_details_RE_59625.zip (103)

Header Examples:

The headers spoof a law firm domain such as davispolk.com. Asprox tends to be consistent across the From, Envelope-From, and HELO values. This series iterates through several law firms, as well as some made-up ones.

Received: from davispolk.com [68.46.108.130]
X-Envelope-From: support048 @davispolk.com
From: "Eviction Letter" <support048 @davispolk.com>
Subject: Eviction notification No6741

Received: from perkinscoie.com (97-96-108-132.res.bhn.net) [97.96.108.132]
X-Envelope-From: service_notice @perkinscoie.com
From: "Eviction Notice" <service_notice @perkinscoie.com>
Subject: Notice to quit No9269

Received: from littler.com (cpe-74-72-162-206.nyc.res.rr.com) [74.72.162.206]
X-Envelope-From: support.3 @littler.com
From: "Eviction Notification" <support.3 @littler.com>
Subject: Vacate notice No6610

Received: from kirkland.com (173.221.165.8.nw.nuvox.net) [173.221.165.8]
X-Envelope-From: manager @kirkland.com
From: "Notice to quit" <manager @kirkland.com>
Subject: Urgent eviction notification No6566

Received: from wilmerhale.com (216-219-29-154.static.networktel.net) [216.219.29.154]
X-Envelope-From: information @wilmerhale.com
From: "Eviction Letter" <information @wilmerhale.com>
Subject: Notice to quit the occupied premises No7559

Received: from mofo.com (mail.grandchuteauto.com) [216.170.208.26]
X-Envelope-From: service @mofo.com
From: "Vacate Notice" <service @mofo.com>
Subject: Urgent eviction notice No0173

Received: from nortonrosefulbright.com (....irvnca.sbcglobal.net) [75.63.28.163]
X-Envelope-From: notice_support.4 @nortonrosefulbright.com
From: "Eviction Notification" <notice_support.4 @nortonrosefulbright.com>
Subject: Eviction notification No1110

Received: from wag-insurance.com (cpe-24-210-252-40.neo.res.rr.com) [24.210.252.40]
X-Envelope-From: notice_support.6 @wag-insurance.com
From: "Notice to move out" <notice_support.6 @wag-insurance.com>
Subject: For the Attention of Household Member

An interesting artifact is that the Windows NetBIOS name or hostname of the infected sending machine appears after the @ in the Message-ID header.

Message-ID: <000d01cf1e88878ac7b24701a8c0 @columbia-08>
Message-ID: <000e01cf1e94c069620a9101a8c0 @LoveonaHanger>
Message-ID: <002601cf1e8f75130ecd0201a8c0 @Raysjoy-PC>
Message-ID: <001401cf1e8b3dc484e81407180a @HPT-CIRC-2>
Message-ID: <002801cf1e8226f51c660200a8c0 @Art-PC>
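A header triage check for the traits described above (a HELO that claims a law firm domain while reverse DNS points at a residential ISP host, HELO/Envelope-From/From all agreeing on the spoofed domain, a numbered eviction subject, and a bare NetBIOS name in the Message-ID), written here as an added example and not code from the original post. The header sample is constructed after the ones quoted above, with the addresses written without the anti-harvest space the post uses; the two-label registered-domain approximation is an assumption.

```python
import re

# Constructed sample modelled on the Asprox eviction-lure headers quoted in the post:
# HELO claims a law-firm domain while reverse DNS is a residential ISP host.
SAMPLE_HEADERS = """\
Received: from littler.com (cpe-74-72-162-206.nyc.res.rr.com) [74.72.162.206]
X-Envelope-From: support.3@littler.com
From: "Eviction Notification" <support.3@littler.com>
Subject: Vacate notice No6610
Message-ID: <002601cf1e8f75130ecd0201a8c0@Raysjoy-PC>
"""

RECEIVED_RE = re.compile(r"^Received: from (\S+)(?: \(([^)]*)\))? \[([\d.]+)\]", re.M)
ENVELOPE_RE = re.compile(r"^X-Envelope-From:\s*\S+@(\S+)", re.M)
FROM_RE = re.compile(r"^From:.*<[^@>]+@([^>]+)>", re.M)
SUBJECT_RE = re.compile(r"^Subject:\s*(.+)$", re.M)
MSGID_RE = re.compile(r"^Message-ID:\s*<[^@>]+@([^>]+)>", re.M)
LURE_RE = re.compile(r"(evict|vacate|notice to quit|exit the premises).*\bNo\d{4}$", re.I)


def registered_domain(host):
    """Approximate the registered domain as the last two labels (assumption, no PSL)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def asprox_indicators(raw):
    """Return the names of the post's header indicators that fire on a raw header block."""
    hits = []
    m = RECEIVED_RE.search(raw)
    helo, rdns = (m.group(1), m.group(2)) if m else (None, None)
    if helo and rdns and registered_domain(helo) != registered_domain(rdns):
        hits.append("helo_rdns_mismatch")  # claims littler.com, reverse DNS says rr.com
    env = ENVELOPE_RE.search(raw)
    frm = FROM_RE.search(raw)
    if helo and env and frm and helo.lower() == env.group(1).lower() == frm.group(1).lower():
        hits.append("helo_envelope_from_consistent")  # the Asprox consistency trait
    subj = SUBJECT_RE.search(raw)
    if subj and LURE_RE.search(subj.group(1)):
        hits.append("eviction_lure_subject")  # "... No6610" style numbered lure
    mid = MSGID_RE.search(raw)
    if mid and "." not in mid.group(1):
        hits.append("netbios_name_in_message_id")  # bare host name, not an FQDN
    return hits


if __name__ == "__main__":
    print(asprox_indicators(SAMPLE_HEADERS))
```

A message that fires the mismatch, the lure subject and the bare Message-ID host together is worth quarantining for analyst review; the consistency hit on its own is not suspicious.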

Attachment Samples:

31 January 2014

Lawsuit_Details _Attache_N670-76.zip containing Copy_Lawsuit_Details _Court _Bailiff.exe | VirusTotal report | Malwr.com report  

1 March 2014

VirusTotal report 

AntiVir        TR/Dldr.Kuluoz.D.1281
BitDefender    Trojan.Agent.BBYG
Bkav           HW32.CDB.613e (20140228)
CMC            Packed.Win32.Obfuscated.4!O
Commtouch      W32/Trojan.LZKC-0559
DrWeb          BackDoor.Kuluoz.4
ESET-NOD32     Win32/TrojanDownloader.Zortob.B
Emsisoft       Trojan.Agent.BBYG (B)
F-Prot         W32/Trojan3.HPZ
F-Secure       Trojan.Agent.BBYG
GData          Trojan.Agent.BBYG
Microsoft      TrojanDownloader:Win32/Kuluoz.D
Panda          Suspicious file
Qihoo-360      Malware.QVM20.Gen
Rising         PE:Malware.FakeDOC@CV!1.9C3B
Sophos         Troj/Weelsof-CS
VIPRE          Trojan.Win32.Generic!BT

Malwr.com report 

Not much here, because Kuluoz trojans detect VirtualBox and refuse to run inside it.

File-Analyzer.net report 

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Drops: C:\Documents and Settings\Administrator\Local Settings\Application Data\dfitsjkj.exe
Binary may include packed or encrypted data
Creates mutex: \BaseNamedObjects\2GVWNQJz1
Detects virtual machines to hinder analysis (VM artifact strings found in memory)
Binary or memory string:
VBoxTray.exe
HARDWARE\ACPI\DSDT\VBOX__
vmusrvc.exe
VMwareDragDetWndClass
VBoxService.exe
VMware
VMwareSwitchUserControlClass
vmtoolsd.exe
vmsrvc.exe
AV process strings found (often used to terminate AV products)
Binary or memory string:
wireshark.exe
Queries the cryptographic machine GUID
Queries the installation date of Windows
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device

About those attachments.

Asprox has always been big on keeping it fresh. They make a small change to the exe file so that it scans like new to many anti-virus suites. In the last couple of months they seemed to move to a schedule of roughly three new builds a day. As of around 1 February 2014, it looks like almost EVERY exe is a little different. The basic functionality of the trojan is generally unchanged though: gain control of your computer.

Attached files examples and spoofed domains

perkinscoie.com
Lawsuit_Details _Attache_ID38-816.zip

davispolk.com
Lawsuit_Details _Attache_N090-75.zip

kirkland.com
Lawsuit_Details _Copy_SN_15-836.zip

littler.com
Lawsuit_Details _Copy_ID555-15.zip

mayerbrown.com
Lawsuit_Details _Court_Bailiff_ID937-09.zip

wilmerhale.com
Vacate_Notice_Copy_N4439-780.zip

nortonrosefulbright.com
Court_Statement_ID902-68.zip

mofo.com
Vacate_Notice_UID52-176.zip

wag-insurance.com
Resolution_details_RE_59625.zip

More about Asprox

   Kimberly at StopMalvertising.com on asprox

   Michal Ambroz at Rebus Snippets on asprox

   Herrcore's post on asprox

What happens when Asprox has control of your computer?

Among other things:

  Your computer can be used to spam more people with malware.

  Your computer can be used to commit advertisement fraud.

Samples provided to Clam AV and Microsoft Security when this article was created.
