Having just received a copy of what appears to be the last active domain involved in last week's "Copyright Lawsuit filed against you" themed malware campaign, it's time to conduct a brief assessment of its inner workings.
Subject used: Copyright Lawsuit filed against you
Sample message:
March 24, 2010
Crosby & Higgins
350 Broadway, Suite 300
New York, NY 10013
To Whom It May Concern:
On the link bellow is a copy of the lawsuit that we filed against you in court on March 11, 2010. Currently the Pretrail Conference is scheduled for April 11th, 2010 at 10:30 A.M. in courtroom #36. The case number is 3485934. The reason the lawsuit was filed was due to a completely inadequate response from your company for copyright infrigement that our client Touchstone Advisories Inc is a victim of Copyright infrigement
www.touchstoneadvisorsonline.com /lawsuit/suit_documents.doc
Touchstone Advisories Inc has proof of multiple Copyright Law violations that they wish to present in court on April 11th, 2010.
Sincerely,
Mark R. Crosby
Crosby & Higgins LLP
Detection rates:
- complaint.doc - Downloader.Lapurd - Result: 22/39 (56.42%)
- complaint_docs.pdf - Trojan-Clicker.Win32.Cycler.odn - Result: 27/42 (64.29%)
Samples phone back to:
- 121.14.149.132 /fwq/indux.php?U=RANDOM_DATA - AS4134, CHINA-TELECOM China Telecom
- 121.14.149.132 /hia12/ter.php?u=UserName&c=COMPUTERNAME&v=RANDOM_DATA
Active C&C administration panel at: 121.14.149.132 /hia12/sca.php - a plain HTTP request returns "SSL ONLY.. USE HTTPS"
Spamvertised domains involved in the campaign:
- touchstoneadvisorsonline.com /lawsuit/suit_documents.doc - 72.167.232.84
- marcuslawcenter.com /s/r439875.doc - 173.201.145.1 - Email: info@tedvernon.com
- danilison.com/suit /complaint.doc - 72.167.183.15
- daughtersofcolumbus.com /suit/complaint.doc - ACTIVE - 173.201.97.1 - Email: charlenej@stny.rr.com
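For anyone who wants to sweep proxy logs for the indicators above, here is an added example (not part of the original post) that turns the phone-back URLs, the C&C IP and the spamvertised download paths into a small classifier. The log line layout ("timestamp client-ip method url status") and the sample log lines are assumptions constructed for the example; only the IP, paths and domains come from the post. Because the panel answers "SSL ONLY.. USE HTTPS", the example also flags CONNECT tunnels to the C&C IP, where the path is not visible.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators as listed in the post (the post defangs them with a space before the path).
CNC_IP = "121.14.149.132"
CNC_PATHS = {
    "/fwq/indux.php": "beacon (U=RANDOM_DATA)",
    "/hia12/ter.php": "beacon (u=UserName&c=COMPUTERNAME&v=RANDOM_DATA)",
    "/hia12/sca.php": "administration panel (HTTPS only)",
}
SPAMVERTISED = {
    "touchstoneadvisorsonline.com": "/lawsuit/suit_documents.doc",
    "marcuslawcenter.com": "/s/r439875.doc",
    "danilison.com": "/suit/complaint.doc",
    "daughtersofcolumbus.com": "/suit/complaint.doc",
}

# Hypothetical proxy log layout assumed for this example: "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def classify(method, url):
    """Map one request to an indicator category, or None if it matches nothing."""
    if method == "CONNECT":
        # TLS tunnel: only host:port is visible, which is how the HTTPS-only panel shows up in a proxy log
        host = url.rsplit(":", 1)[0]
        return ("c2_tls_connect", {"host": host}) if host == CNC_IP else None
    parts = urlsplit(url)
    host, path = (parts.hostname or "").lower(), parts.path
    if host == CNC_IP:
        # Keep the query string: the ter.php beacon carries user and computer name in it
        query = {k: v[0] for k, v in parse_qs(parts.query).items()}
        role = CNC_PATHS.get(path, "unknown path on C&C host")
        return ("c2_http", {"path": path, "role": role, "query": query})
    if SPAMVERTISED.get(host) == path:
        return ("spamvertised_download", {"host": host, "path": path})
    return None


def scan(lines):
    """Return one hit dict per log line that touches the campaign's infrastructure."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        verdict = classify(m["method"], m["url"])
        if verdict:
            category, detail = verdict
            hits.append({"ts": m["ts"], "src": m["src"], "category": category, **detail})
    return hits


# Constructed sample log lines (not from the post); only the indicators in them are the post's.
SAMPLE_LOG = [
    "2010-03-29T10:12:01Z 10.0.0.17 GET http://daughtersofcolumbus.com/suit/complaint.doc 200",
    "2010-03-29T10:12:09Z 10.0.0.17 GET http://121.14.149.132/hia12/ter.php?u=jsmith&c=WS-017&v=a1b2c3 200",
    "2010-03-29T10:12:10Z 10.0.0.17 GET http://121.14.149.132/fwq/indux.php?U=deadbeef 200",
    "2010-03-29T10:15:44Z 10.0.0.22 GET http://www.example.com/index.html 200",
    "2010-03-29T10:16:02Z 10.0.0.31 CONNECT 121.14.149.132:443 200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A download hit followed within seconds by a beacon from the same client is the sequence the post describes (lure document, then phone-back), so the client IP in the hits is the host to pull for triage; the `u`/`c` values from the ter.php query give the user and machine name the sample reported.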
The same phone-back IP was also profiled in another campaign from January 2010.
Clearly, the cybercriminals behind it are aiming to stay beneath the radar by relying on not-so-well-profiled malicious infrastructure, combined with newly introduced campaigns, in an attempt to make it harder to establish historical connections (read about the "aggregate-and-forget" concept in respect to botnets/malware) between the rest of their malicious activities.
This post has been reproduced from Dancho Danchev's blog.
Monday, March 29, 2010
Copyright Lawsuit Filed Against You Themed Malware Campaign