
Email:

Fake CriticalReach.org or NYC.gov bulletin claims there is a homicide suspect in a location that you presumably care about and that a copy of the bulletin is in the attached PDF file.

The attached zip file actually contains an .exe or .scr virus or trojan horse, not a PDF.

Spoofs criticalreach.org or nyc.gov in From headers.


Subject: Homicide Suspect

Bulletin Headline: HOMICIDE SUSPECT
Sending Agency: Huntington Park Police
Sending Location: CA - Los Angeles - Huntington Park
Bulletin DateTime: 2014-03-25 @ 18:42
Bulletin Case#: 14-74380
Bulletin Author: BARILLAS #9395
Sending User #: 53102
APBnet Version: 236980

The bulletin is a pdf attachment to this email.
The Adobe Reader (from Adobe.com) will display and print the bulletin best.

You can Not reply to the bulletin by clicking on the Reply button in your email software.

~apbnet00~50~44b76b05-3e01-414a-8469-04f234689df3~Email.zip (10)

Subject: Homicide Suspect

Bulletin Headline: HOMICIDE SUSPECT
Sending Agency: New York City Police
Sending Location: US - NY - New York Police
Bulletin Case#: 14-93064
Bulletin Author: BARILLAS #6443
Sending User #: 74087
APBnet Version: 511090

The bulletin is a pdf attachment to this email.
The Adobe Reader (from Adobe.com) will display and print the bulletin best.

You can Not reply to the bulletin by clicking on the Reply button in your email software.

Homicide-case#259.zip (9)

Header Examples:

Spoofs criticalreach.org or nyc.gov in the From header while the Envelope-From header carries something else, such as aexp.com or the relaying host itself.

Received: from cal.eth.net [61.11.71.107]
X-Envelope-From: fraud @aexp.com
From: "ALERT @CriticalReach.Org" <ALERT @CriticalReach.Org>
Subject: Homicide Suspect

Received: from [46.209.88.64]
X-Envelope-From: fraud @aexp.com
From: "ALERT @CriticalReach.Org" <ALERT @CriticalReach.Org>
Subject: Homicide Suspect

Received: from cable-24-135-72-25.dynamic.sbb.rs [24.135.72.25]
X-Envelope-From: fraud @aexp.com
From: "ALERT @CriticalReach.Org" <ALERT @CriticalReach.Org>
Subject: Homicide Suspect

Received: from mail.deutschepharma.com.pe [190.41.82.164]
X-Envelope-From: ALERT @mail.deutschepharma.com.pe
From: "ALERT @nyc.gov" <ALERT @nyc.gov>
Subject: Homicide Suspect

Received: from LPuteaux-656-01-69-190.w82-127.abo.wanadoo.fr [82.127.47.190]
X-Envelope-From: ALERT @LPuteaux-656-01-69-190.w82-127.abo.wanadoo.fr
From: "ALERT @nyc.gov" <ALERT @nyc.gov>
Subject: Homicide Suspect
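
As an added defender-side example (not part of this page or of any of the tools it cites), the From/envelope mismatch described above and the executable-in-a-zip attachment can be checked with a few lines of Python. The header strings are constructed from the samples on this page with the obfuscating space before "@" removed; the function names are my own.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed header samples modelled on the ones quoted on this page; the
# obfuscating space before "@" in the page's copies is removed so they parse.
SAMPLES = [
    "Received: from cal.eth.net [61.11.71.107]\n"
    "X-Envelope-From: fraud@aexp.com\n"
    'From: "ALERT@CriticalReach.Org" <ALERT@CriticalReach.Org>\n'
    "Subject: Homicide Suspect\n",
    "Received: from mail.deutschepharma.com.pe [190.41.82.164]\n"
    "X-Envelope-From: ALERT@mail.deutschepharma.com.pe\n"
    'From: "ALERT@nyc.gov" <ALERT@nyc.gov>\n'
    "Subject: Homicide Suspect\n",
]

# Sender domains this lure impersonates and the executable types found in its zips.
IMPERSONATED = {"criticalreach.org", "nyc.gov"}
EXECUTABLE_EXTS = (".exe", ".scr")


def domain_of(header_value):
    """Lower-cased domain of the address in a header value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_headers(raw_headers):
    """Return reasons the headers match this lure; an empty list means no match."""
    msg = message_from_string(raw_headers)
    from_dom = domain_of(msg.get("From"))
    env_dom = domain_of(msg.get("X-Envelope-From"))
    reasons = []
    # The display From is spoofed while the envelope sender is somewhere else.
    if from_dom in IMPERSONATED and env_dom != from_dom:
        reasons.append(f"From claims {from_dom} but envelope sender is {env_dom}")
    if "homicide suspect" in (msg.get("Subject") or "").lower():
        reasons.append("subject matches the lure")
    return reasons


def check_attachment(zip_members):
    """Return zip members that are executables rather than the promised PDF."""
    return [m for m in zip_members if m.lower().endswith(EXECUTABLE_EXTS)]


if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_headers(sample))
    print(check_attachment(["Homicide-case#259/Homicide-case#259.scr"]))
```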

Attachment Samples:

26 March 2014

~apbnet00~50~44b76b05-3e01-414a-8469-04f234689df3~Email.zip containing ~apbnet00~50~44b76b05-3e01-414a-8469-04f234689df3~Email.exe | VirusTotal report | Malwr.com report | File-Analyzer.net report

7 April 2014

Homicide-case#259.zip containing directory Homicide-case#259 (2) containing Homicide-case#259.scr

VirusTotal report

Qihoo-360: HEUR/Malware.QVM20.Gen
Sophos: Mal/Generic-S

Malwr.com report

Starts servers listening on 0.0.0.0:0, 0.0.0.0:8201, 0.0.0.0:6710
Performs some HTTP requests
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
Operates on local firewall's policies and settings
Steals private information from local Internet browsers
Installs itself for autorun at Windows startup

HTTP GETs: kworldgroup.com/css/0804UKc.jpi

File-Analyzer.net report

Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Drops:
C:\Users\admin\AppData\Local\Temp\smcoc.exe
C:\Windows\System32\drivers\2a128.sys
C:\Users\admin\AppData\Local\Temp\Ajuq\ofmoi.exe
C:\Users\admin\AppData\Local\Temp\ppcrlui_3020_2
C:\Users\admin\AppData\Local\Temp\wympi.exe
Binary may include packed or encrypted data
Contains functionality to inject threads in other processes
Contains functionality to launch a program with higher privileges
Queries the cryptographic machine GUID
Queries the installation date of Windows

Samples were provided to ClamAV and Microsoft Security when this article was created.
