
A fake Notice to Appear at court claims you need to bring all documents and witnesses. Later versions mention pretrial notice and being a defendant for something like illegal software use.

The attached zip file contains an .exe that is a virus or trojan horse.

Spoofs some law firm domain like jonesday.com, lw.com, mwe.com, hoganlovells.com, skadden.com, gibsondunn.com, cov.com, bakerbotts.com, orrick.com, bryancave.com, perkinscoie.com, alston.com, dechert.com, sullcrom.com, or seyfarth.com in headers.

This is an Asprox botnet email spreading Kuluoz / Dofoil malware.

Jones Day / Latham & Watkins / Hogan Lovells / McDermott Will & Emery / Skadden, Arps, Slate, Meagher & Flom / Gibson Dunn / Covington & Burling / Baker Botts / Orrick, Herrington & Sutcliffe / Bryan Cave / Perkins Coie / Alston & Bird / Dechert / Sullivan & Cromwell / Seyfarth Shaw are real law firms; these emails are NOT from them.

On 11 March 2014, there was a series of copy-cat "notice to appear in court" emails that basically copied this series. Different botnet, different malware. And once again, Asprox was doing it before it was cool.


Subject: Pretrial notice

 BRYAN CAVE

A Broader Perspective

Pretrial notice Hereby we inform that you are obliged to come as a defendant to North Carolina Court of Appeals on
February 15th, 2015 at 11:00 a.m. for the hearing of your case of illegal software use.

If necessary you have a right to obtain a lawyer for your protection. You are kindly asked to have an identity
document with you. Personal appearance is compulsory.

Please find the plaint note with more detailed case information on our site and study it thoroughly.

Court clerk,
Santiago Andrews

Copyright 2015 (c) All rights reserved

 Picture of fake Bryan Cave lawfirm email with malware links.

Subject: Notice to Appear in Court

ReedSmith

The business of relationships

Notice to Appear,

To view copy of the court notice click here. Please, read it thoroughly.

Note: If you do not attend the hearing the judge may hear the case in your absence.

Copyright (c) 2015 | All right reserved

Picture of fake Reed Smith malware email.

Subject: Urgent court notice

 Skadden

Skadden, Arps, Slate, Meagher, & Flom LLP, Affiliates

Notice to Appear,

Hereby you are notified that you have been scheduled to appear for your hearing that will take
place in the court of Washington in February 10, 2015 at 10:00am. Please bring all documents and
witnesses relating to this case with you to Court on your hearing date.

Please, read the copy of the court notice thoroughly.

Note: If you do not attend the hearing the judge may hear the case in your absence.

Clerk of Court
Jacob House

Copyright (c)2015

Picture of fake Skadden Arps lawfirm malware email.

Subject: Hearing of your case in Court NR#3578

Subject: Urgent court notice NR#86455

Subject: Notice to appear in court NR#9530

Subject: Notice of appearance in court NR#1376

Subject: #Notice of appearance in court Order 9236

Subject: #Notice to appear in court Order 6435

Subject: #Urgent court notice Order 91995

Notice to Appear,

Hereby you are notified that you have been scheduled to appear for your hearing that
will take place in the court of Washington in January 19, 2014 at 10:00 am.

Please bring all documents and witnesses relating to this case with you to Court on your hearing date.

The copy of the court notice is attached to this letter.
Please, read it thoroughly.

Note: If you do not attend the hearing the judge may hear the case in your absence.

Yours truly,
Ruth Mason
Clerk to the Court.

Court_Notice_Jones_Day_Wa#5837.zip (118)

Other clerk names: (These are a LOT like the Beauty Contest Winner CV emails)

Chloe Smith
Ruth Tailor
Ruth Mason
Karen Tailor
Alena Mason
Emily Mason
Dorothy Smith
Evie Tailor
Alison Tailor
Maria Mason
Helen Mason
Bruce Tailor <-- well... except that guy.

Subject: Notice to appear in court No#6938

Hereby you are informed that you are due in the court of New York
on the 12 of January, 2014 at 09:00 am for the hearing of your case.
You are kindly asked to prepare and bring the documents relating to the case to Court on the specified date.

Please, download the copy of the court notice attached herewith to read the details.
Note: The case may be heard by the judge in your absence if you do not come.

Yours truly,
Thompson Gonzalez
Clerk to the Court.

Court_Notice_Latham_and_Watkins__NY82569.zip (121)

Subject: Notice of appearance in court CH#6016

Notice to appear,

Hereby you are notified that you are expected
in Chicago Court for the hearing of you case in January 21, 2014.

Enclosed please find the copy of the court notice for the case mentioned above.
Attendance compulsory.

Yours very truly,
BOONE Goff
Clerk of court.

Court_Notice_Chicago_CN03514.zip (122)

Subject: Urgent court notice No67075

Notice to Appear in Court,

This is to advise that you are required to attend
the court of Los Angeles in January 9, 2014 for the hearing of your case.

Please, kindly prepare and bring the documents related to this case to Court on the date mentioned above.
Attendance is compulsory.

The copy of the court notice is attached to this letter, please, download and read it thoroughly.

FISCHER MADDOX
Clerk to the Court.

Court_Notice_Los_Angeles_No7507.zip (145)

Subject: #Notice to appear in court NO1441-111

Notice to appear,

Hereby you are notified that you are expected
in St. Louis Court for the hearing of your case in January 8, 2014.

Enclosed please find the copy of the court notice for the case mentioned above.
Attendance compulsory.

Yours very truly,
FAULKNER HENRY
Clerk of court.

03_12_14_Court_Notice_St._Louis_9649.zip (115)

Subject: #Hearing of your case in Court 60567

Subject: Illegal software use #order #No908

Subject: Judicial summons No6186

Subject: Pretrial notice No3866

Pretrial notice,

Hereby we inform that you are obliged to come as a defendant
to The Court of Louisiana in February 26, 2014 at 09:00 a.m.
for the hearing of your case of illegal software use.
If necessary you have a right to obtain a lawyer for your protection.

You are kindly asked to have an identity document with you.
Personal appearance is compulsory.

Please find the plaint note with more detailed case information
attached to this letter and study it thoroughly.

Court clerk,
Isabella Mason

Plaint Note_06_01_2014_No8100.zip (113)


Notice of appearance,

You are hereby notified that you are required to attend
the court of Chicago in January 11, 2014 as a defendant
for the hearing of a pirated software case.

Compulsory attendance.
You may have the services of a lawyer, if necessary.
Failure to appear may result in the imposition of sanctions.

More detailed information regarding the case can be found attached to this letter.

Court agent,
Susan Mason

10-01-2014_Notice_of_Appearanc_Information_No56686.zip (112)

Subject: Notice of court attendance No7305

Court hearing notice.

As a defendant you have been scheduled
to attend the hearing in the Court of New York.
Hearing date: 28 January 2014
Hearing time: 9:00 a.m.

Hearing subject: illegal use of software.
Prior to the court thoroughly study the plaint note in the attachment to this mail.

Sincerely,
Court agent,
Mary Mason

Plaint_Note_US_Copy_N2275.zip (147)

Headers and sources

URL-style emails

These almost ALWAYS come from compromised web servers (as opposed to attachment-style emails, which come from Windows bots). A dropped PHP script on the server receives HTTP POSTs containing the template, a list of recipients, links, fake mail transport agent strings, and sometimes spoofed headers.

A single compromised web server will often be sent data every 3 minutes, with about 30 emails per POST. This can generate around 10,000 emails per day, generally pointing to about 100 compromised landing sites.

Received: from [ HELO of compromised web server ] [ IP address of compromised web server ]
Envelope-From: www-data@[ domain of compromised web server ]
From: "Baker & McKenzie" <support@[ domain of compromised web server ]>
Subject: Hearing of your case in Court

Received: from [ HELO of compromised web server ] [ IP address of compromised web server ]
Envelope-From: www-data@[ domain of compromised web server ]
From: "Bryan Cave" <support@[ domain of compromised web server ]>
Subject: Judicial summons

Received: from [ HELO of compromised web server ] [ IP address of compromised web server ]
Envelope-From: www-data@[ domain of compromised web server ]
From: "Hogan Lovells" <support@[ domain of compromised web server ]>
Subject: Notice of appearance in court

Received: from [ HELO of compromised web server ] [ IP address of compromised web server ]
Envelope-From: www-data@[ domain of compromised web server ]
From: "Skadden" <support@[ domain of compromised web server ]>
Subject: Pretrial notice

Also :
Subject: Urgent court notice
Subject: Illegal software use
Subject: Notice of appearance

Attachment-style emails

These usually come from infected PCs and spoof a specific law firm domain such as jonesday.com, lw.com, hoganlovells.com or mwe.com in the From, Envelope-From and HELO. They rotate through several domains, but a given email is consistent across all three headers. This is an Asprox email, not sloppy like the Cutwail ones.

Received: from alston.com (mail.gothamsales.com) [173.15.171.58]
   X-Envelope-From: help.support016 @alston.com
   From: "Pretrial Notice" <help.support016 @alston.com>
   Subject: Court notification No726

Received: from dechert.com (mail.medvetohio.com) [74.218.67.50]
   X-Envelope-From: information @dechert.com
   From: "Illegal software" <information @dechert.com>
   Subject: Judicial summons ID8906

Received: from sullcrom.com (173-161-7-6-Illinois.hfc.comcastbusiness.net) [173.161.7.6]
   X-Envelope-From: notice_support.4 @sullcrom.com
   From: "Pretrial Notice" <notice_support.4 @sullcrom.com>
   Subject: Illegal software use #number #N#130

Received: from seyfarth.com [69.80.69.226]
   X-Envelope-From: support.5 @seyfarth.com
   From: "Notice of Appearance" <support.5 @seyfarth.com>
   Subject: Judicial summons No3354

An interesting artifact: the NetBIOS name of the infected Windows computer appears as the host part of the Message-ID header:

Message-ID: <002401cefff99e3a2b782000000a @jacques-pc>
Message-ID: <002b01cf000e988a97980201a8c0 @CATHY-DESKTOP>
Message-ID: <000901cefff0a1423b818114a8c0 @SCHEDULING2>
Message-ID: <002601cefff6d33f57cc4db366ae @Owner-PC>
Message-ID: <002801cefff9249b166a0400a8c0 @PickeringComp>
Message-ID: <000e01cf0015b42fb3289101a8c0 @JackBrenner-PC>
Message-ID: <000d01cf000c8b2775bc1200000a @JOHN-PC>
Message-ID: <000b01cf002f$3de2c406$0401a8c0 @JaneikaSweet-PC>
Message-ID: <002501cf002f4cf202eb53e77018 @robertandmel-PC>
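Added example, not from the original post: a small Python header triage that encodes the two sender patterns described above (the www-data envelope sender of the URL-style mail, and the firm-domain HELO with a mismatched reverse-DNS name of the attachment-style mail) plus the NetBIOS-name Message-ID artifact. The header samples are constructed from the shapes shown here using example.net/example.org hosts and RFC 5737 addresses; the firm domains and display names are the ones this page lists.

```python
import re

# Constructed header samples in the two styles documented above; hosts and
# addresses are made up (RFC 5737 ranges), not taken from real mail.
URL_STYLE = """\
Received: from webhost.example.net [198.51.100.23]
Envelope-From: www-data@webhost.example.net
From: "Skadden" <support@webhost.example.net>
Subject: Pretrial notice
"""
ATTACHMENT_STYLE = """\
Received: from alston.com (mail.example.org) [203.0.113.58]
X-Envelope-From: help.support016@alston.com
From: "Pretrial Notice" <help.support016@alston.com>
Subject: Court notification No726
Message-ID: <002401cefff99e3a2b782000000a@jacques-pc>
"""
# Firm domains and display names the campaign is reported to impersonate
SPOOFED_FIRMS = {"jonesday.com", "lw.com", "mwe.com", "hoganlovells.com", "skadden.com",
                 "gibsondunn.com", "cov.com", "bakerbotts.com", "orrick.com", "bryancave.com",
                 "perkinscoie.com", "alston.com", "dechert.com", "sullcrom.com", "seyfarth.com"}
FIRM_NAMES = {"baker & mckenzie", "bryan cave", "hogan lovells", "skadden"}
LURE_WORDS = ("court", "pretrial", "judicial summons", "illegal software")

def parse_headers(raw):
    # One "Name: value" per line is enough for these samples; names are lower-cased
    return {k.strip().lower(): v.strip()
            for k, v in (ln.split(":", 1) for ln in raw.splitlines() if ":" in ln)}

def triage(raw):
    """Return the campaign indicators found in one message's headers."""
    h, findings = parse_headers(raw), []
    m = re.match(r"from\s+(\S+)(?:\s+\(([^)]+)\))?\s+\[[\d.]+\]", h.get("received", ""))
    helo, rdns = m.groups() if m else (None, None)
    env = h.get("x-envelope-from") or h.get("envelope-from", "")
    d = re.match(r'"([^"]+)"', h.get("from", ""))
    display = d.group(1).strip().lower() if d else ""
    mid = re.search(r"@([^>]+)>", h.get("message-id", ""))
    # URL-style: a web server's service account posing as a law firm
    if env.rpartition("@")[0].lower() == "www-data" and display in FIRM_NAMES:
        findings.append("www-data envelope sender with law-firm display name")
    # Attachment-style: HELO claims a firm domain but the relay's rDNS is elsewhere
    if helo in SPOOFED_FIRMS and rdns and not rdns.endswith(helo):
        findings.append(f"HELO {helo} does not match rDNS {rdns}")
    # The bot leaks its NetBIOS name as the Message-ID host part (no dots in it)
    if mid and "." not in mid.group(1):
        findings.append(f"bare machine name in Message-ID: {mid.group(1)}")
    if any(w in h.get("subject", "").lower() for w in LURE_WORDS):
        findings.append("court-notice lure subject")
    return findings
```

Run `triage(URL_STYLE)` and `triage(ATTACHMENT_STYLE)` to see each style flagged for different reasons; a normal message whose HELO, rDNS and envelope domain agree yields an empty list.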

Malware:

7 January 2015

Link to download : ReedSmith_Notice_00734995.zip containing ReedSmith_Notice_00734995.exe

The landing sites are just compromised websites. They come and go, and Asprox can go through thousands in a month. Asprox loves proxies, and these landing sites are just small, malware downloading proxies. The request will be proxied to another server and either malware will be sent back or the response will be a fake error message.

The landing URLs all follow the same shape: a compromised site, one dropped PHP script, and an opaque token in the query string.

The proxied request will be checked for user-agent string (Windows only, usually IE only), and ip address (an IP that tries too many times will be blocked). If your stars align, you will be handed back a zip containing an executable. The Asprox executable is generally referred to as Kuluoz. It doesn't matter what URL you get it from, they all come from the same place (via proxy) and do the same thing: take over your computer.

VirusTotal report 

Avast Win32:Malware-gen
ESET-NOD32 Win32/TrojanDownloader.Zortob.H
McAfee Downloader-FAII!139376F90938
Norman Kuluoz.KX
Rising PE:Malware.FakeDOC@CV!1.9C3C

Malwr.com report 

These samples sometimes don't run so well in Cuckoo. Here is the same sample run manually.

Picture of trojan run from law firm complaint malware email.

This sample runs like a champ. It injects into systray.exe (which is kind of new; it used to be svchost.exe), creates an aa[user] mutex, and carries a nice list of C2 check-in locations. An Asprox bot. The sample's C2 proxies are a list of IP:port pairs.

23 December 2013

VirusTotal report | Malwr.com report 

VirusTotal report | Malwr.com report | File-Analyzer.net report

24 December 2013

VirusTotal report | Malwr.com report | File-Analyzer.net report

30 December 2013

VirusTotal report | Malwr.com report | File-Analyzer.net report 

3 January 2014

VirusTotal report | Malwr.com report | File-Analyzer.net report

More about Asprox

Kimberly at StopMalvertising.com on asprox

Michal Ambroz at Rebus Snippets on asprox

Herrcore's post on asprox

What happens when Asprox has control of your computer?

Among other things:

  Your computer can be used to spam more people with malware.

  Your computer can be used to commit advertisement fraud.
