
Email:

Malware spam emails claiming to come from various law firms state that the firm has received your complaint and that it will be reviewed in court, or that a trial will be initiated.

The links lead to a download of the Asprox trojan, also known as Kuluoz.


Subject: Your application received

 Baker & McKenzie 

Pretrial notice

Hereby we confirm that your complaint has been received together with enclosures dated December 29, 2014.
The complaint will be reviewed in court in the nearest possible time based on the documents and information
you have previously provided.

You do not have to be present at trial in person if the Court does not suggest otherwise.
Please use this link to check your complaint once again and confirm it.
If we do not get your confirmation the claim will be cancelled.
You will be further notified without delay of any judgement delivered in regard to your complaint.

Sincerely,
Court secretary
Michael Moody

© Baker & McKenzie 2015

Picture of fake Baker McKenzie malware email.

Subject: Your application received

 Hogan Lovells 

Confirmation letter

Since we confirm that your complaint and attached documents dated 01/05/15 have been received, you will now need
to follow this link and confirm it in order we could initiate the judicial proceedings.

If we do not have your confirmation we will have to cancel the claim. Please do this without delay.

You do not have to be in court on the date of the hearing but you will be notified of the results in an urgent letter.

Sincerely,
Clerk of the court

2015 Hogan Lovells | All Rights Reserved.

Picture of fake Hogan Lovells malware email.

Subject:  Your application received

 Letter of acknowledgement 

Hereby you are advised that we have received your complaint with enclosures dated 01/29/14.
Shortly after we receive your complaint confirmation we will initiate a trial. You are not actually
required to attend the court proceeding, the results will be sent to you in a letter without delay.

Please confirm your complaint here otherwise the claim is cancelled.

Faithfully,
Court secretary

Picture of the "application received" malware email from around February 2014.

Subject: Regarding your complaint

 SIDLEY
Sidney austin LLP
Sidley is a global law firm...

Confirmation letter

I am writing to notify you that your complaint form was received and docketed for the soonest consideration.
To avoid cancellation of your complaint, you need to download complaint, check your application and confirm it
if you still agree with your statements.

If they are considered substantial and well-grounded we will bring them to trial.
Your presence in court will not be required - you will be informed about the outcome of judicial proceedings in a letter.

Sincerely,
Court Executive for Legal Affairs

Copyright

Picture of fake Sidley Austin law firm email with malware link.


Headers:

Asprox URL-style emails almost ALWAYS come from compromised web servers (as opposed to attachment-style emails, which come from Windows bots). A PHP script dropped on the server receives HTTP POSTs containing the message template, a list of recipients, links, fake mail transfer agent strings, and sometimes spoofed headers.

A single compromised web server is often sent data every 3 minutes, with about 30 emails per POST. That works out to around 10,000 emails per day, generally pointing to about 100 compromised landing sites.
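The cadence described above is itself a lead for anyone cleaning up a compromised web server: the dropped mailer script shows up in the access log as a .php path that receives POSTs from one client at a near-constant interval. The following Python script, an added example that is not code from the original post, looks for exactly that pattern. The log lines, the path /images/cache.php and the client address 203.0.113.7 are constructed for the example.

```python
"""Spot a dropped PHP mailer script from its traffic pattern.

Added example, not code from the original post. On a suspected compromised
web server, look for a .php path that receives POSTs from one client at a
near-constant interval (Asprox: roughly every three minutes). The log lines,
the path /images/cache.php and the client 203.0.113.7 below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Return (client_ip, timestamp, method, path-without-query) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path").split("?", 1)[0]

def periodic_post_targets(lines, period=180, tolerance=20, min_hits=4):
    """Map each .php path that is POSTed to at a steady cadence (about
    `period` seconds, +/- `tolerance`) to (client_ip, median_gap_seconds)."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method == "POST" and path.endswith(".php"):
            hits[(ip, path)].append(ts)

    flagged = {}
    for (ip, path), times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(times, times[1:])]
        med = median(gaps)
        # Steady cadence: the typical gap is near the expected period and no
        # individual gap strays far from it.
        if abs(med - period) <= tolerance and all(abs(g - med) <= tolerance for g in gaps):
            flagged[path] = (ip, med)
    return flagged

# Constructed access-log excerpt: four evenly spaced POSTs to the dropped
# script, mixed with ordinary traffic and two login attempts.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jan/2015:10:00:02 +0000] "POST /images/cache.php HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Jan/2015:10:00:45 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Jan/2015:10:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jan/2015:10:03:03 +0000] "POST /images/cache.php HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Jan/2015:10:04:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jan/2015:10:06:01 +0000] "POST /images/cache.php HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Jan/2015:10:07:12 +0000] "GET /images/logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jan/2015:10:09:02 +0000] "POST /images/cache.php HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for path, (ip, gap) in periodic_post_targets(SAMPLE_LOG).items():
        print(f"{path}: POSTed by {ip} every ~{gap:.0f}s")
```

The tolerance is deliberately loose: the feeder is a botnet-driven client, not a cron job, so the interval jitters by a few seconds. Once a path is flagged, the script's upload timestamp and the rest of that client's requests are the next things to pull from the log.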

Received: from [ HELO of compromised web server ] [ IP address of compromised web server ]
Envelope-From: www-data@[ domain of compromised web server ]
From: "Baker & McKenzie" <support@[ domain of compromised web server ]>
Subject: Your application received

Received: from [ HELO of compromised web server ] [ IP address of compromised web server ]
Envelope-From: www-data@[ domain of compromised web server ]
From: "Bryan Cave" <support@[ domain of compromised web server ]>
Subject: Regarding your complaint

Received: from [ HELO of compromised web server ] [ IP address of compromised web server ]
Envelope-From: www-data@[ domain of compromised web server ]
From: "Hogan Lovells" <support@[ domain of compromised web server ]>
Subject: Your claim received

Received: from [ HELO of compromised web server ] [ IP address of compromised web server ]
Envelope-From: www-data@[ domain of compromised web server ]
From: "Skadden" <support@[ domain of compromised web server ]>
Subject: Your complaint received

Malware:

The landing sites are just compromised websites. They come and go, and Asprox can go through thousands in a month. Asprox loves proxies, and these landing sites are just small malware-downloading proxies: the request is proxied to another server, and either malware is sent back or the response is a fake error message.

Some URL examples:

airoweb.com/test.php?hl88Oo++CRHWQqlBh7JaxwsvXlJpCc9dxwGBAtZigWS1g
akbidpasbar.ac.id/dirs.php?hl8e2oLUwj/Rw/IAJIh6tHv0ll/mDqFUsIVLGDDAHVOzw
askcedric.com/global.php?hlsHcllecWt3/BusRlPX+V0PCokqfO0g4ax1fuD628Sw4
azur-it.com/global.php?hlAf98Xd9vz3+2AipFCX2AY0EHzW9vzHHAJqIaAI5vMV8
emailr.eu/xml.php?hlfuvbA1T6tifj4e4SRY8awzu3FtD3KORbuKvj5JbzQd0
madeathens.gr/defines.php?hl/3zQK6o3ddHoJWAmdujoJg9BLZjfWw3d5uKQNJaYfDI
bancodesolucoes.com/global.php?hlDe22c6rOqxB5OUWcApF7izlbhdEsPF8HhQvJH0Tbuoo
client.thelode.com.au/db.php?hlyEpk6y8zyTERig42R2ZWHAAj0qLrFGQgHHusNsnquGc
acenteweb.com/utf.php?bkkWXG0XmnRcy6ghzbxZUF0zN0wsB+wlPr79T3WSjxWKg
advancedlubes.com/dirs.php?bkwhcJUxy+jgWtBfpNeXDQgg0ZEV9CbGwwPodpCWwaVjM
birdexplorers.com/proxy.php?bkVWSsdzJAdKwJ3jW+d3lAYPY6QdTHwTbvSnbo8BtzLxk
duirforester.com/page.php?bkFGHuvkXq0C/41NUHd6zMS0P1JqvxdgPB58PKB6TpZwE
softwareforyourmind.org/system.php?bkhMyRsg3BjeicRHhJAqA7sZId016MyccYQzJh942/8YM
unixhelpdesk.de/page.php?bkR7/LNl3q2KevbxiOgXhapbJY9vcotTeEjBbimO/lj7g
bullngoose.com/ini.php?sid=yAGQFhNEt9l6j3WitdzAyzNpKdv13G5S2oqmQxKlv6E
festivalfilmlibanais.com/list.php?sid=CSzcUKIUBi92E8Q392FtV0ajqAkCaz9l+053kpYA8Rs
hotelminmyanmar.com/xml.php?sid=GgXsY8DbIv8Zmi3+WQhcfuxDv0+yeoKi17UQOMQBG4k
hydronit.eu/template.php?sid=yrsetbjwf+4dWGiYj/CffAgF9lQx5w/sMfgQCTjcw7A
kisiselgelisimmerkezi.net/press.php?sid=GY7N+mgVCHb3GxX8XNB46vuAg6pv1W003dpTe0/dgg0
music.inreality.az/css.php?sid=kfoRwS1I/7et5CO6NHR6q0ibgMIE6Fe9ULsM+ivt3aA
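The header pattern in the Headers section and the URL shapes in the list above are enough for a first-pass triage of one of these messages. The Python script below, an added example and not code from the original post, checks for the envelope sender www-data@ on a web server's domain, a law-firm display name whose address uses that same domain, and links of the form /<name>.php?hl<blob>, ?bk<blob> or ?sid=<blob>. The sample message, its host names and the blob are constructed; real mail carries the envelope sender in Return-Path, which is read here along with an Envelope-From header if one is present.

```python
"""Triage a suspected Asprox law-firm email from its headers and links.

Added example, not code from the original post. The sample message, its host
names and the landing-URL blob are constructed for this example.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Firm names used in the lures shown on this page.
LAW_FIRMS = ("baker & mckenzie", "hogan lovells", "bryan cave", "skadden", "sidley")

# host/<script>.php?<token><blob>, where token is hl, bk or sid=
LANDING_RE = re.compile(
    r"(?:https?://)?(?P<host>[\w.-]+)/\w+\.php\?(?P<token>hl|bk|sid=)(?P<blob>[A-Za-z0-9+/]{20,})"
)

def body_text(msg):
    """Concatenate the text parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type().startswith("text/"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def landing_urls(text):
    """Return (url, host, token) for each Asprox-style landing link in text."""
    return [(m.group(0), m.group("host"), m.group("token").rstrip("="))
            for m in LANDING_RE.finditer(text)]

def triage(raw):
    """Return a verdict with the reasons it was reached and any landing links."""
    msg = message_from_string(raw)
    envelope = parseaddr(msg.get("Return-Path") or msg.get("Envelope-From") or "")[1].lower()
    display, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    reasons = []

    # Tell 1: the envelope sender is the web server's own unprivileged user.
    if envelope.startswith("www-data@"):
        reasons.append("envelope sender is www-data@, i.e. mail sent by a web server process")
    # Tell 2: a law-firm display name on an address at the sending server's domain.
    same_domain = "@" in envelope and envelope.split("@")[1] == from_addr.split("@")[-1]
    if same_domain and any(firm in display.lower() for firm in LAW_FIRMS):
        reasons.append(f"From claims {display!r} but uses the sending server's domain")
    # Tell 3: a link with the landing-page URL shape.
    urls = landing_urls(body_text(msg))
    if urls:
        reasons.append(f"{len(urls)} link(s) with the Asprox landing-page URL shape")

    return {"suspicious": len(reasons) >= 2, "reasons": reasons, "landing_urls": urls}

# Constructed sample in the shape of the Baker & McKenzie lure above.
SAMPLE = """\
Return-Path: <www-data@www.example-compromised-host.test>
Received: from www.example-compromised-host.test (www.example-compromised-host.test [192.0.2.10]) by mx.example.org with ESMTP; Mon, 12 Jan 2015 10:00:02 +0000
From: "Baker & McKenzie" <support@www.example-compromised-host.test>
To: victim@example.org
Subject: Your application received

Hereby we confirm that your complaint has been received.
Please use this link to check your complaint once again and confirm it:
http://example-landing.test/global.php?hlEXAMPLEblobEXAMPLEblobEXAMPLEblob00
"""

if __name__ == "__main__":
    result = triage(SAMPLE)
    print("suspicious:", result["suspicious"])
    for reason in result["reasons"]:
        print(" -", reason)
    for url, host, token in result["landing_urls"]:
        print(" landing:", host, "token family:", token)
```

Two of the three tells are required for a positive verdict so that a lone www-data@ sender (plenty of legitimate contact forms send that way) does not trip it. The extracted host names are the ones worth feeding to a blocklist; the blob changes per recipient and is useless as an indicator.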

The proxied request is checked for its user-agent string (Windows only, usually IE only) and its IP address (an IP that tries too many times is blocked). If your stars align, you are handed back a zip containing an executable. In my case, I received HoganLovells_Complaint_00734995.zip containing HoganLovells_Complaint_00734995.exe.

The Asprox executable is generally referred to as Kuluoz. It doesn't matter which URL you get it from; they all come from the same place (via proxy) and do the same thing: take over your computer. Here is one example:

VirusTotal report 

Avast       Win32:Malware-gen
ESET-NOD32  Win32/TrojanDownloader.Zortob.H
McAfee      Downloader-FAII!139376F90938
Norman      Kuluoz.KX
Rising      PE:Malware.FakeDOC@CV!1.9C3C

Malwr.com report 

These samples sometimes don't run well in Cuckoo. Here is the same sample run manually.

Picture of trojan run from law firm complaint malware email.

This sample runs like a champ. It injects into systray.exe (which is fairly new; it used to be svchost.exe), creates the aa[user] mutex, and carries a nice list of C2 check-in locations. An Asprox bot. The C2 proxies in this sample:

192.241.135.69:443
31.186.5.20:8080
194.146.226.230:8080
109.234.156.83:8080
67.18.12.2:8080
185.66.12.185:443

Those IP addresses will change as some are taken down and new ones come online. They are almost always compromised web servers.
