court

  • Hearing of your case in Court NR#... - Virus

    Email:

    A fake Notice to Appear in court claims you need to bring all documents and witnesses. Later versions mention a pretrial notice and being a defendant for something like illegal software use.

    The attached zip file contains an .exe trojan.

    Spoofs a law firm domain like jonesday.com, lw.com, mwe.com, hoganlovells.com, skadden.com, gibsondunn.com, cov.com, bakerbotts.com, orrick.com, bryancave.com, perkinscoie.com, alston.com, dechert.com, sullcrom.com, or seyfarth.com in the headers.

    This is an Asprox botnet email spreading Kuluoz / Dofoil malware.

    Jones Day / Latham & Watkins / Hogan Lovells / McDermott Will & Emery / Skadden, Arps, Slate, Meagher & Flom / Gibson Dunn / Covington & Burling / Baker Botts / Orrick, Herrington & Sutcliffe / Bryan Cave / Perkins Coie / Alston & Bird / Dechert / Sullivan & Cromwell / Seyfarth Shaw are real law firms; these emails are NOT from them.

    On 11 March 2014, there was a series of copy-cat "notice to appear in court" emails that basically copied this series. Different botnet, different malware. And once again, Asprox was doing it before it was cool.


    Subject: Pretrial notice

     BRYAN CAVE

    A Broader Perspective

    Pretrial notice Hereby we inform that you are obliged to come as a defendant to North Carolina Court of Appeals on
    February 15th, 2015 at 11:00 a.m. for the hearing of your case of illegal software use.

    If necessary you have a right to obtain a lawyer for your protection. You are kindly asked to have an identity
    document with you. Personal appearance is compulsory.

    Please find the plaint note with more detailed case information on our site and study it thoroughly.

    Court clerk,
    Santiago Andrews

    Copyright 2015 (c) All rights reserved

     Picture of fake Bryan Cave lawfirm email with malware links.

    Subject: Notice to Appear in Court

    ReedSmith

    The business of relationships

    Notice to Appear,

    To view copy of the court notice click here. Please, read it thoroughly.

    Note: If you do not attend the hearing the judge may hear the case in your absence.

    Copyright (c) 2015 | All right reserved

    Picture of fake Reed Smith malware email.

    Subject: Urgent court notice

     Skadden

    Skadden, Arps, Slate, Meagher, & Flom LLP, Affiliates

    Notice to Appear,

    Hereby you are notified that you have been scheduled to appear for your hearing that will take
    place in the court of Washington in February 10, 2015 at 10:00am. Please bring all documents and
    witnesses relating to this case with you to Court on your hearing date.

    Please, read the copy of the court notice thoroughly.

    Note: If you do not attend the hearing the judge may hear the case in your absence.

    Clerk of Court
    Jacob House

    Copyright (c)2015

    Picture of fake Skadden Arps lawfirm malware email.

    Subject:Hearing of your case in Court NR#3578

    Subject: Urgent court notice NR#86455

    Subject: Notice to appear in court NR#9530

    Subject: Notice of appearance in court NR#1376

    Subject: #Notice of appearance in court Order 9236

    Subject: #Notice to appear in court Order 6435

    Subject: #Urgent court notice Order 91995

    Notice to Appear,

    Hereby you are notified that you have been scheduled to appear for your hearing that
    will take place in the court of Washington in January 19, 2014 at 10:00 am.

    Please bring all documents and witnesses relating to this case with you to Court on your hearing date.

    The copy of the court notice is attached to this letter.
    Please, read it thoroughly.

    Note: If you do not attend the hearing the judge may hear the case in your absence.

    Yours truly,
    Ruth Mason
    Clerk to the Court.

    Court_Notice_Jones_Day_Wa#5837.zip (118)

    Other clerk names: (These are a LOT like the Beauty Contest Winner CV emails)

    Chloe Smith
    Ruth Tailor
    Ruth Mason
    Karen Tailor
    Alena Mason
    Emily Mason
    Dorothy Smith
    Evie Tailor
    Alison Tailor
    Maria Mason
    Helen Mason
    Bruce Tailor <-- well... except that guy.

    Subject:Notice to appear in court No#6938

    Hereby you are informed that you are due in the court of New York
    on the 12 of January, 2014 at 09:00 am for the hearing of your case.
    You are kindly asked to prepare and bring the documents relating to the case to Court on the specified date.

    Please, download the copy of the court notice attached herewith to read the details.
    Note: The case may be heard by the judge in your absence if you do not come.

    Yours truly,
    Thompson Gonzalez
    Clerk to the Court.

    Court_Notice_Latham_and_Watkins__NY82569.zip (121)

    Subject: Notice of appearance in court CH#6016

    Notice to appear,

    Hereby you are notified that you are expected
    in Chicago Court for the hearing of you case in January 21, 2014.

    Enclosed please find the copy of the court notice for the case mentioned above.
    Attendance compulsory.

    Yours very truly,
    BOONE Goff
    Clerk of court.

    Court_Notice_Chicago_CN03514.zip (122)

    Subject:Urgent court notice No67075

    Notice to Appear in Court,

    This is to advise that you are required to attend
    the court of Los Angeles in January 9, 2014 for the hearing of your case.

    Please, kindly prepare and bring the documents related to this case to Court on the date mentioned above.
    Attendance is compulsory.

    The copy of the court notice is attached to this letter, please, download and read it thoroughly.

    FISCHER MADDOX
    Clerk to the Court.

    Court_Notice_Los_Angeles_No7507.zip (145)

    Subject: #Notice to appear in court NO1441-111

    Notice to appear,

    Hereby you are notified that you are expected
    in St. Louis Court for the hearing of your case in January 8, 2014.

    Enclosed please find the copy of the court notice for the case mentioned above.
    Attendance compulsory.

    Yours very truly,
    FAULKNER HENRY
    Clerk of court.

    03_12_14_Court_Notice_St._Louis_9649.zip (115)

    Subject: #Hearing of your case in Court 60567

    Subject: Illegal software use #order #No908

    Subject: Judicial summons No6186

    Subject: Pretrial notice No3866

    Pretrial notice,

    Hereby we inform that you are obliged to come as a defendant
    to The Court of Louisiana in February 26, 2014 at 09:00 a.m.
    for the hearing of your case of illegal software use.
    If necessary you have a right to obtain a lawyer for your protection.

    You are kindly asked to have an identity document with you.
    Personal appearance is compulsory.

    Please find the plaint note with more detailed case information
    attached to this letter and study it thoroughly.

    Court clerk,
    Isabella Mason

    Plaint Note_06_01_2014_No8100.zip (113)


    Notice of appearance,

    You are hereby notified that you are required to attend
    the court of Chicago in January 11, 2014 as a defendant
    for the hearing of a pirated software case.

    Compulsory attendance.
    You may have the services of a lawyer, if necessary.
    Failure to appear may result in the imposition of sanctions.

    More detailed information regarding the case can be found attached to this letter.

    Court agent,
    Susan Mason

    10-01-2014_Notice_of_Appearanc_Information_No56686.zip (112)

    Subject: Notice of court attendance No7305

    Court hearing notice.

    As a defendant you have been scheduled
    to attend the hearing in the Court of New York.
    Hearing date: 28 January 2014
    Hearing time: 9:00 a.m.

    Hearing subject: illegal use of software.
    Prior to the court thoroughly study the plaint note in the attachment to this mail.

    Sincerely,
    Court agent,
    Mary Mason

    Plaint_Note_US_Copy_N2275.zip (147)

    Headers and sources

    URL-style emails

    These almost ALWAYS come from compromised web servers (as opposed to attachment-style emails, which come from Windows bots). A dropped PHP script receives HTTP POSTs containing the template, a list of recipients, links, fake mail transport agent strings, and sometimes spoofed headers.

    A single compromised web server will often be sent data every 3 minutes, with about 30 emails per POST. This can generate around 10,000 emails per day, generally pointing to about 100 compromised landing sites.

    Received: from [ HELO of compromised web server ] [ ip address of compromised web server ]
    Envelope-From : www-data@ [ domain compromised web server]
    From: "Baker & McKenzie" <support@ [ domain of compromised web server]>
    Subject: Hearing of your case in Court

    Received: from [ HELO of compromised web server ] [ ip address of compromised web server ]
    Envelope-From : www-data@ [ domain compromised web server]
    From: "Bryan Cave" <support@ [ domain of compromised web server]>
    Subject: Judicial summons

    Received: from [ HELO of compromised web server ] [ ip address of compromised web server ]
    Envelope-From : www-data@ [ domain compromised web server]
    From: "Hogan Lovells" <support@ [ domain of compromised web server]>
    Subject: Notice of appearance in court

    Received: from [ HELO of compromised web server ] [ ip address of compromised web server ]
    Envelope-From : www-data@ [ domain compromised web server]
    From: "Skadden" <support@ [ domain of compromised web server]>
    Subject: Pretrial notice

    Also :
    Subject: Urgent court notice
    Subject: Illegal software use
    Subject: Notice of appearance

    Attachment-style emails

    These usually come from infected PCs and spoof a specific law firm domain like jonesday.com, lw.com, hoganlovells.com or mwe.com in the From, Envelope-From, and HELO. The bot iterates through several domains, but the spoofed domain is consistent within any one email. This is an Asprox email, not sloppy like the Cutwail ones.

    Received: from alston.com (mail.gothamsales.com) [173.15.171.58]
       X-Envelope-From: help.support016 @alston.com
       From: "Pretrial Notice" <help.support016 @alston.com>
       Subject: Court notification No726

    Received: from dechert.com (mail.medvetohio.com) [74.218.67.50]
       X-Envelope-From: information @dechert.com
       From: "Illegal software" <information @dechert.com>
       Subject: Judicial summons ID8906

    Received: from sullcrom.com (173-161-7-6-Illinois.hfc.comcastbusiness.net) [173.161.7.6]
       X-Envelope-From: notice_support.4 @sullcrom.com
       From: "Pretrial Notice" <notice_support.4 @sullcrom.com>
       Subject: Illegal software use #number #N#130

    Received: from seyfarth.com [69.80.69.226]
       X-Envelope-From: support.5 @seyfarth.com
       From: "Notice of Appearance" <support.5 @seyfarth.com>
       Subject: Judicial summons No3354

    An interesting artifact: the NetBIOS name of the infected Windows computer is in the Message-ID header:

    Message-ID: <002401cefff99e3a2b782000000a @jacques-pc>
    Message-ID: <002b01cf000e988a97980201a8c0 @CATHY-DESKTOP>
    Message-ID: <000901cefff0a1423b818114a8c0 @SCHEDULING2>
    Message-ID: <002601cefff6d33f57cc4db366ae @Owner-PC>
    Message-ID: <002801cefff9249b166a0400a8c0 @PickeringComp>
    Message-ID: <000e01cf0015b42fb3289101a8c0 @JackBrenner-PC>
    Message-ID: <000d01cf000c8b2775bc1200000a @JOHN-PC>
    Message-ID: <000b01cf002f$3de2c406$0401a8c0 @JaneikaSweet-PC>
    Message-ID: <002501cf002f4cf202eb53e77018 @robertandmel-PC>
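The spoofing pattern above (HELO, Envelope-From and From all claiming a firm domain while the Received line shows an unrelated reverse-DNS name, plus a bare machine name after the @ in the Message-ID) can be checked mechanically. The following is an added example written for this page, not code from the original post or from any Asprox tool: it parses header lines in the abbreviated form quoted above and reports the mismatches. The two header samples are constructed from the page's own examples (with the anti-harvesting space before "@" removed), the registrable-domain helper is a deliberate simplification, and the two-findings threshold for "suspect" is an assumption.

```python
import re
from typing import Dict, List, Optional

# Law-firm domains this page reports as spoofed in HELO / Envelope-From / From.
SPOOFED_FIRM_DOMAINS = {
    "jonesday.com", "lw.com", "mwe.com", "hoganlovells.com", "skadden.com",
    "gibsondunn.com", "cov.com", "bakerbotts.com", "orrick.com", "bryancave.com",
    "perkinscoie.com", "alston.com", "dechert.com", "sullcrom.com", "seyfarth.com",
}

# Constructed samples shaped like the attachment-style headers quoted on this page.
SAMPLE_WITH_RDNS = """\
Received: from alston.com (mail.gothamsales.com) [173.15.171.58]
X-Envelope-From: help.support016@alston.com
From: "Pretrial Notice" <help.support016@alston.com>
Subject: Court notification No726
Message-ID: <002401cefff99e3a2b782000000a@jacques-pc>
"""
SAMPLE_NO_RDNS = """\
Received: from seyfarth.com [69.80.69.226]
X-Envelope-From: support.5@seyfarth.com
From: "Notice of Appearance" <support.5@seyfarth.com>
Subject: Judicial summons No3354
Message-ID: <000b01cf002f$3de2c406$0401a8c0@JaneikaSweet-PC>
"""

RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)"        # name the client announced in HELO/EHLO
    r"(?:\s+\((?P<rdns>[^)\s]+)\))?"            # reverse DNS of the connecting host, if any
    r"\s+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]",  # connecting IP address
    re.M | re.I,
)
ADDR_RE = re.compile(r"[\w.+-]+@([\w.-]+)")
MSGID_RE = re.compile(r"^Message-ID:\s*<[^@>]+@([^>]+)>", re.M | re.I)


def header(raw: str, name: str) -> Optional[str]:
    """Return the value of the first header called `name`, or None."""
    m = re.search(rf"^{re.escape(name)}:[ \t]*(.*)$", raw, re.M | re.I)
    return m.group(1).strip() if m else None


def domain_of(value: Optional[str]) -> Optional[str]:
    """Domain part of the first e-mail address in a header value."""
    m = ADDR_RE.search(value or "")
    return m.group(1).lower() if m else None


def registrable(host: str) -> str:
    """Last two labels of a hostname. Assumption: good enough for the .com/.net
    hosts in these samples; use a public-suffix list on real traffic."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyze(raw: str) -> Dict[str, object]:
    """Flag the Asprox attachment-style spoofing traits described on this page."""
    rec = RECEIVED_RE.search(raw)
    if not rec:
        raise ValueError("no parseable Received: line")
    helo, rdns, ip = rec.group("helo").lower(), rec.group("rdns"), rec.group("ip")
    env_dom = domain_of(header(raw, "X-Envelope-From"))
    from_dom = domain_of(header(raw, "From"))
    m = MSGID_RE.search(raw)
    netbios = m.group(1) if m else None
    findings: List[str] = []
    # 1. The HELO name is not backed by the connecting host's reverse DNS.
    if rdns is None:
        findings.append(f"no reverse DNS for {ip}; HELO {helo} is unverifiable")
    elif registrable(rdns) != registrable(helo):
        findings.append(f"HELO {helo} does not match reverse DNS {rdns}")
    # 2. HELO, envelope and From agree on a firm domain (the consistent Asprox spoof).
    if registrable(helo) in SPOOFED_FIRM_DOMAINS and env_dom == from_dom == registrable(helo):
        findings.append(f"HELO, Envelope-From and From all claim {env_dom} (known spoofed firm)")
    # 3. Outlook-style Message-ID ending in a bare machine name rather than an MTA FQDN.
    if netbios and "." not in netbios:
        findings.append(f"Message-ID host {netbios!r} is a bare NetBIOS name, not an MTA")
    return {"helo": helo, "rdns": rdns, "ip": ip, "envelope_domain": env_dom,
            "from_domain": from_dom, "netbios": netbios, "findings": findings,
            "suspect": len(findings) >= 2}   # threshold is an assumption


if __name__ == "__main__":
    for sample in (SAMPLE_WITH_RDNS, SAMPLE_NO_RDNS):
        for finding in analyze(sample)["findings"]:
            print("-", finding)
```

Both samples trip all three checks; on real mail the reverse-DNS and NetBIOS checks are the ones that survive when the botnet rotates to a firm not in the list.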

    Malware:

    7 January 2015

    Link to download : ReedSmith_Notice_00734995.zip containing ReedSmith_Notice_00734995.exe

    The landing sites are just compromised websites. They come and go, and Asprox can go through thousands in a month. Asprox loves proxies, and these landing sites are just small, malware downloading proxies. The request will be proxied to another server and either malware will be sent back or the response will be a fake error message.

    Some url examples:

    agava-artpak.com/proxy.php?rs=cfKmrhc0KWFosYRo69yv5v9BhSSvxsNrbVuCaGec/FQ
    airoweb.com/test.php?rs=u6JbL/8tCI7VdQfIdXFQEgJDeNcdD/ntYNMQb/wvlUo
    client.thelode.com.au/db.php?rs=yS8WUfOxSLmhYrJ4cIewjZuT/FRSaKBR+zMT61OQBzU
    download.levelxstudios.com/db.php?rs=Nby8+ET234q+g/GDu0lZl1sOwOX2qsOAm0yBavpDGUc
    secure.badgercomplianceconsulting.com/code.php?rs=tnCRoJbLtKG3gEgTNmD8mZDikvj4DpeDh8MGhSa4si0
    vaultsage.com/code.php?rs=9WKhIfuiGKyMuBr3gvkU6g9s7atFOalPm4gVOWtAo9g
    admin.ttc-toggenburg.ch/search.php?sk=Larw1RxhFglpQiOnaiZ9c2r+RuddWbHB69py+hUWnKU
    aszh.com/global.php?sk=B4q8qSd/OEHV+4fyO0QynvJiz/Il1IYxrXqolaCFMSM
    avout.com/global.php?sk=Kw7WhtDwyhiv0DLwS3w74gJAEvhYGFCVru4StwcVzW8
    madeathens.gr/defines.php?sk=RnipY1ERaCWFB9V+P4hDZzPmveRdTpXF8iyLaW9srb8
    podologuethonon.com/code.php?sk=Nsix1k3KH4EgsB9LLNxOiaaNt0UG6tpF7l3vEbzYwT8

    The proxied request will be checked for user-agent string (Windows only, usually IE only), and ip address (an IP that tries too many times will be blocked). If your stars align, you will be handed back a zip containing an executable. The Asprox executable is generally referred to as Kuluoz. It doesn't matter what URL you get it from, they all come from the same place (via proxy) and do the same thing: take over your computer.
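The landing URLs above share one shape: a short, generic .php name at the site root (proxy.php, db.php, code.php, global.php, search.php ...) with a query string that is either key=value (rs, sk, sid) or a two-letter prefix (hl, bk) followed by 43 unpadded base64 characters, which decode to a 32-byte token. The following is an added example, not code from this page or from any Asprox writeup, that triages a list of URLs on that shape; the same pattern covers the list in the "Your application received" entry below. The URL list mixes samples quoted on this page with a few constructed benign and malformed ones, the regexes are assumptions derived only from the listed samples, and "32 bytes" is an observation about length, not a claim about what the token encodes.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Landing-site URLs quoted on this page plus constructed benign/malformed ones.
URLS = [
    "agava-artpak.com/proxy.php?rs=cfKmrhc0KWFosYRo69yv5v9BhSSvxsNrbVuCaGec/FQ",
    "admin.ttc-toggenburg.ch/search.php?sk=Larw1RxhFglpQiOnaiZ9c2r+RuddWbHB69py+hUWnKU",
    "bullngoose.com/ini.php?sid=yAGQFhNEt9l6j3WitdzAyzNpKdv13G5S2oqmQxKlv6E",
    "airoweb.com/test.php?hl88Oo++CRHWQqlBh7JaxwsvXlJpCc9dxwGBAtZigWS1g",
    "acenteweb.com/utf.php?bkkWXG0XmnRcy6ghzbxZUF0zN0wsB+wlPr79T3WSjxWKg",
    "http://example.com/index.php?id=42",             # constructed, benign
    "http://example.org/search.php?q=court+notice",   # constructed, benign
    "http://example.net/db.php?rs=short",             # constructed, wrong token length
]

B64_43 = r"[A-Za-z0-9+/]{43}"   # 43 unpadded base64 chars = 32 bytes
GENERIC_PHP = re.compile(r"^/[a-z]{2,10}\.php$")          # assumption from the samples
KEYED = re.compile(rf"^(rs|sk|sid)=({B64_43})$")          # ?rs=... / ?sk=... / ?sid=...
PREFIXED = re.compile(rf"^([a-z]{{2}})({B64_43})$")        # ?hl... / ?bk...


def landing_token(url: str) -> Optional[Tuple[str, bytes]]:
    """Return (style, 32-byte token) if `url` has the landing-site shape, else None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    if not GENERIC_PHP.match(parts.path):
        return None
    for style, rx in (("keyed", KEYED), ("prefixed", PREFIXED)):
        m = rx.match(parts.query)
        if m:
            token = base64.b64decode(m.group(2) + "=")   # re-add the stripped pad char
            return f"{style}:{m.group(1)}", token
    return None


def triage(urls: List[str]) -> Dict[str, List[str]]:
    """Group matching URLs by token style; URLs that do not match are dropped."""
    hits: Dict[str, List[str]] = {}
    for u in urls:
        found = landing_token(u)
        if found:
            hits.setdefault(found[0], []).append(u)
    return hits


if __name__ == "__main__":
    for style, matched in triage(URLS).items():
        print(style, len(matched))
        for u in matched:
            print("  ", u)
```

Because the page says the proxy script only answers a Windows/IE user-agent and blocks IPs that retry, a URL that matches this shape but returns a bland error page from a Linux sandbox should not be treated as clean; the shape of the URL, not the response, is the indicator.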

    VirusTotal report 

    Avast 		Win32:Malware-gen
    ESET-NOD32 Win32/TrojanDownloader.Zortob.H
    McAfee Downloader-FAII!139376F90938
    Norman Kuluoz.KX
    Rising PE:Malware.FakeDOC@CV!1.9C3C

    Malwr.com report 

    These samples sometimes don't run so well in Cuckoo. Here is the same sample run manually.

    Picture of trojan run from law firm complaint malware email.

    This sample runs like a champ. Injects into systray.exe (which is kind of new; it used to be svchost.exe), creates an aa[user] mutex, and has a nice list of C2 check-in locations. An Asprox bot. The C2 proxies in this sample:

    192.241.135.69:443
    31.186.5.20:8080
    194.146.226.230:8080
    109.234.156.83:8080
    67.18.12.2:8080
    185.66.12.185:443

    23 December 2013

    VirusTotal report | Malwr.com report 

    VirusTotal report | Malwr.com report | File-Analyzer.net report

    24 December 2013

    VirusTotal report | Malwr.com report| File-Analyzer.net report

    30 December 2013

    VirusTotal report | Malwr.com report | File-Analyzer.net report 

    3 January 2014

    VirusTotal report  | Malwr report | File-Analyzer.net report


    More about Asprox

    Kimberly at StopMalvertising.com on asprox

    Michal Ambroz at Rebus Snippets on asprox

    Herrcore's post on asprox

    What happens when Asprox has control of your computer?

    Among other things:

      Your computer can be used to spam more people with malware.

      Your computer can be used to commit advertisement fraud.


  • Your application received - Asprox Malware

    Email:

    Malware spam claiming to be from various law firms states that your complaint has been received and will be reviewed in court, or that a trial will be initiated.

    The links download the Asprox trojan, Kuluoz.


    Subject: Your application received

     Baker & McKenzie 

    Pretrial notice

    Hereby we confirm that your complaint has been received together with enclosures dated December 29, 2014.
    The complaint will be reviewed in court in the nearest possible time based on the documents and information
    you have previously provided.

    You do not have to be present at trial in person if the Court does not suggest otherwise.
    Please use this link to check your complaint once again and confirm it.
    If we do not get your confirmation the claim will be cancelled.
    You will be further notified without delay of any judgement delivered in regard to your complaint.

    Sincerely,
    Court secretary
    Michael Moody

    © Baker & McKenzie 2015

    Picture of fake Baker McKenzie malware email.

    Subject: Your application received

     Hogan Lovells 

    Confirmation letter

    Since we confirm that your complaint and attached documents dated 01/05/15 have been received, you will now need
    to follow this link and confirm it in order we could initiate the judicial proceedings.

    If we do not have your confirmation we will have to cancel the claim. Please do this without delay.

    You do not have to be in court on the date of the hearing but you will be notified of the results in an urgent letter.

    Sincerely,
    Clerk of the court

    2015 Hogan Lovells | All Rights Reserved.

    Picture of fake Hogan Lovells malware email.

    Subject:  Your application received

     Letter of acknowledgement 

    Hereby you are advised that we have received your complaint with enclosures dated 01/29/14.
    Shortly after we receive your complaint confirmation we will initiate a trial. You are not actually
    required to attend the court proceeding, the results will be sent to you in a letter without delay.

    Please confirm your complaint here otherwise the claim is cancelled.

    Faithfully,
    Court secretary

     Picture of the application received malware email from around february 2014.

    Subject: Regarding your complaint

     SIDLEY
    Sidney austin LLP
    Sidley is a global law firm...

    Confirmation letter

    I am writing to notify you that your complaint form was received and docketed for the soonest consideration.
    To avoid cancellation of your complaint, you need to download complaint, check your application and confirm it
    if you still agree with your statements.

    If they are considered substantial and well-grounded we will bring them to trial.
    Your presence in court will not be required - you will be informed about the outcome of judicial proceedings in a letter.

    Sincerely,
    Court Executive for Legal Affairs

    Copyright

    Picture of fake Sidley Austin law firm email with malware link.


    Headers:

    Asprox URL-style emails almost ALWAYS come from compromised web servers (as opposed to attachment-style emails, which come from Windows bots). A dropped PHP script receives HTTP POSTs containing the template, a list of recipients, links, fake mail transport agent strings, and sometimes spoofed headers.

    A single compromised web server will often be sent data every 3 minutes, with about 30 emails per POST. This can generate around 10,000 emails per day, generally pointing to about 100 compromised landing sites.

    Received: from [ HELO of compromised web server ] [ ip address of compromised web server ]
    Envelope-From : www-data@ [ domain compromised web server]
    From: "Baker & McKenzie" <support@ [ domain of compromised web server]>
    Subject: Your application received

    Received: from [ HELO of compromised web server ] [ ip address of compromised web server ]
    Envelope-From : www-data@ [ domain compromised web server]
    From: "Bryan Cave" <support@ [ domain of compromised web server]>
    Subject: Regarding your complaint

    Received: from [ HELO of compromised web server ] [ ip address of compromised web server ]
    Envelope-From : www-data@ [ domain compromised web server]
    From: "Hogan Lovells" <support@ [ domain of compromised web server]>
    Subject: Your claim received

    Received: from [ HELO of compromised web server ] [ ip address of compromised web server ]
    Envelope-From : www-data@ [ domain compromised web server]
    From: "Skadden" <support@ [ domain of compromised web server]>
    Subject: Your complaint received

    Malware:

    The landing sites are just compromised websites. They come and go, and Asprox can go through thousands in a month. Asprox loves proxies, and these landing sites are just small, malware downloading proxies. The request will be proxied to another server and either malware will be sent back or the response will be a fake error message.

    Some url examples:

    airoweb.com/test.php?hl88Oo++CRHWQqlBh7JaxwsvXlJpCc9dxwGBAtZigWS1g
    akbidpasbar.ac.id/dirs.php?hl8e2oLUwj/Rw/IAJIh6tHv0ll/mDqFUsIVLGDDAHVOzw
    askcedric.com/global.php?hlsHcllecWt3/BusRlPX+V0PCokqfO0g4ax1fuD628Sw4
    azur-it.com/global.php?hlAf98Xd9vz3+2AipFCX2AY0EHzW9vzHHAJqIaAI5vMV8
    emailr.eu/xml.php?hlfuvbA1T6tifj4e4SRY8awzu3FtD3KORbuKvj5JbzQd0
    madeathens.gr/defines.php?hl/3zQK6o3ddHoJWAmdujoJg9BLZjfWw3d5uKQNJaYfDI
    bancodesolucoes.com/global.php?hlDe22c6rOqxB5OUWcApF7izlbhdEsPF8HhQvJH0Tbuoo
    client.thelode.com.au/db.php?hlyEpk6y8zyTERig42R2ZWHAAj0qLrFGQgHHusNsnquGc
    acenteweb.com/utf.php?bkkWXG0XmnRcy6ghzbxZUF0zN0wsB+wlPr79T3WSjxWKg
    advancedlubes.com/dirs.php?bkwhcJUxy+jgWtBfpNeXDQgg0ZEV9CbGwwPodpCWwaVjM
    birdexplorers.com/proxy.php?bkVWSsdzJAdKwJ3jW+d3lAYPY6QdTHwTbvSnbo8BtzLxk
    duirforester.com/page.php?bkFGHuvkXq0C/41NUHd6zMS0P1JqvxdgPB58PKB6TpZwE
    softwareforyourmind.org/system.php?bkhMyRsg3BjeicRHhJAqA7sZId016MyccYQzJh942/8YM
    unixhelpdesk.de/page.php?bkR7/LNl3q2KevbxiOgXhapbJY9vcotTeEjBbimO/lj7g
    bullngoose.com/ini.php?sid=yAGQFhNEt9l6j3WitdzAyzNpKdv13G5S2oqmQxKlv6E
    festivalfilmlibanais.com/list.php?sid=CSzcUKIUBi92E8Q392FtV0ajqAkCaz9l+053kpYA8Rs
    hotelminmyanmar.com/xml.php?sid=GgXsY8DbIv8Zmi3+WQhcfuxDv0+yeoKi17UQOMQBG4k
    hydronit.eu/template.php?sid=yrsetbjwf+4dWGiYj/CffAgF9lQx5w/sMfgQCTjcw7A
    kisiselgelisimmerkezi.net/press.php?sid=GY7N+mgVCHb3GxX8XNB46vuAg6pv1W003dpTe0/dgg0
    music.inreality.az/css.php?sid=kfoRwS1I/7et5CO6NHR6q0ibgMIE6Fe9ULsM+ivt3aA

    The proxied request will be checked for user-agent string (Windows only, usually IE only), and ip address (an IP that tries too many times will be blocked). If your stars align, you will be handed back a zip containing an executable. In my case, I received HoganLovells_Complaint_00734995.zip containing HoganLovells_Complaint_00734995.exe

    The Asprox executable is generally referred to as Kuluoz. It doesn't matter what URL you get it from, they all come from the same place (via proxy) and do the same thing: take over your computer. Here is one example:

    VirusTotal report 

    Avast 		Win32:Malware-gen
    ESET-NOD32 Win32/TrojanDownloader.Zortob.H
    McAfee Downloader-FAII!139376F90938
    Norman Kuluoz.KX
    Rising PE:Malware.FakeDOC@CV!1.9C3C

    Malwr.com report 

    These samples sometimes don't run so well in Cuckoo. Here is the same sample run manually.

    Picture of trojan run from law firm complaint malware email.

    This sample runs like a champ. Injects into systray.exe (which is kind of new; it used to be svchost.exe), creates an aa[user] mutex, and has a nice list of C2 check-in locations. An Asprox bot. The C2 proxies in this sample:

    192.241.135.69:443
    31.186.5.20:8080
    194.146.226.230:8080
    109.234.156.83:8080
    67.18.12.2:8080
    185.66.12.185:443

    Those IP addresses will change as some are taken down and new ones come online. They are almost always compromised web servers.
