Subjects like these:
- Hearing of your case in Court No#
- Notice of appearance
- Notice of appearance in court No#
- Notice to Appear
- Notice to Appear in Court
- Notice to appear in court No#
- Urgent court notice
- Urgent court Notice No#
As usual, the spammers behind these "Court Appearance" spam campaigns have simply grabbed an innocent law firm to imitate. There is no indication of any real problem at Green Winick, but I sure wish one or more of these abused law firms would step up and file a "John Doe" lawsuit against these spammers so we could get some civil discovery going!
These are the same criminals who have previously imitated other law firms, including Jones Day (jonesday.com), Latham & Watkins (lw.com), Hogan Lovells (hoganlovells.com), McDermott Will & Emery (mwe.com), and many more! Come on! Let's go get these spammers and the malware authors that pay them!
We've seen 88 destination hosts between July 10th and this morning (list below) but it is likely there are many more!
When malware spammers use malicious links in their email instead of attachments, they tend to have a much better success rate if they deliver a unique URL to every recipient. That is what is happening in this case, and what always happens in these ASProx / Kuluoz spam campaigns: an encoded pseudo-directory is placed in the path portion of the URL, and the campaign rotates through hundreds of 'pre-compromised' websites to host the malicious content.
Because we believe there will be MANY more destination hosts, the four patterns in the path portion of the URL are better indicators than any particular hostname:
- tmp/api/…STUFF…=/notice
- components/api/…STUFF…=/notice
- wp-content/api/…STUFF…=/notice
- capitulo/components/api/…STUFF…=/notice
http:// arhiconigroup.com / wp-content / api / pwCYg4Ac5gk0WlQIVFEkRSPGL2E7vZhP8Qh4LMGbbAk= /notice
(To protect the spam donor, the pwCYg... string above has been slightly altered. If you want to work on decoding it, let me know and I'm happy to provide a couple hundred unaltered strings.)
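As an added example (not code from the original post), here is a small log scanner that applies the four path patterns above to URLs pulled from web proxy logs. It treats the encoded pseudo-directory as a base64-looking token ending in `=` sitting between one of the four directory prefixes and `/notice`, so it keys on the path shape rather than on any of the 88 hostnames. The log lines are constructed for the example; the `arhiconigroup.com` URL is the de-fanged one quoted above, and the other hosts and tokens are made up.

```python
import re
from urllib.parse import urlsplit

# Path shape reported for this campaign: one of four directory prefixes, then
# /api/, then a base64-looking token (usually ending in '='), then /notice.
# The token charset and minimum length are assumptions for the example.
KULUOZ_PATH_RE = re.compile(
    r"/(?:capitulo/components|components|wp-content|tmp)/api/"
    r"(?P<token>[A-Za-z0-9+/_-]{16,}={0,2})/notice/?$"
)


def classify_url(url: str):
    """Return (host, token) if the URL matches the campaign path pattern, else None."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    m = KULUOZ_PATH_RE.search(parts.path)
    if not m:
        return None
    return parts.hostname.lower(), m.group("token")


# Constructed sample proxy log lines (not real traffic) in a common
# access-log layout: client - - [timestamp] "METHOD url HTTP/x" status bytes
SAMPLE_LOG = """\
10.0.0.5 - - [14/Jul/2014:08:01:12 -0500] "GET http://arhiconigroup.com/wp-content/api/pwCYg4Ac5gk0WlQIVFEkRSPGL2E7vZhP8Qh4LMGbbAk=/notice HTTP/1.1" 200 61234
10.0.0.7 - - [14/Jul/2014:08:02:40 -0500] "GET http://www.example.org/wp-content/uploads/2014/07/brochure.pdf HTTP/1.1" 200 884
10.0.0.9 - - [14/Jul/2014:08:03:03 -0500] "GET http://example.net/capitulo/components/api/AAAAbbbbCCCCdddd1234=/notice HTTP/1.1" 200 61234
10.0.0.9 - - [14/Jul/2014:08:03:09 -0500] "GET http://example.com/tmp/api/notice HTTP/1.1" 404 0
"""

# Pull the requested URL out of the quoted request field.
LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def scan_log(text: str):
    """Return a list of (host, token) pairs for every log line that hits the pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        hit = classify_url(m.group(1))
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for host, token in scan_log(SAMPLE_LOG):
        print(f"{host}\t{token}")
```

Each unique token is worth keeping alongside the host: the post says every recipient gets a distinct URL, so the token, not the host, is the per-victim identifier, and a second hit with the same token from a different client is an interesting event in its own right.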
Just like with last week's E-Z Pass spam campaign, visiting the destination website results in the drop of a .zip file, uniquely named for the visitor's geolocation, that contains a .exe file.
As an example, when downloading from my home in Birmingham, Alabama, where my zip code is 35242, the copy I received was named Notice_Birmingham_35242.zip, which contained Notice_Birmingham_35242.exe, an executable whose icon makes it look like a Microsoft Word document.
The MD5 of my '.exe' was: 5c255479cb9283fea75284c68afeb7d4
The VirusTotal report for my .exe is here:
VirusTotal Report (7 of 53 detects)
Extra credit points to Kaspersky and Norman for useful and accurate naming!
Kaspersky = Net-Worm.Win32.Aspxor.bpyb
Norman = Kuluoz.EP
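The Notice_City_ZIP naming above is easy to turn into a mail-gateway check. The following is an added example, not code from the original post: it flags a .zip attachment when its own name or a member's name fits the Notice_<City>_<5-digit ZIP> shape, when a member carries an executable extension, and when a member's content starts with the PE 'MZ' signature regardless of extension. The sample archive is built in memory with a two-byte MZ stub, not the real dropper; the set of executable extensions and the exact name regex are assumptions.

```python
import io
import re
import zipfile

# Filename shape reported for this campaign: Notice_<City>_<5-digit ZIP>.zip
# wrapping Notice_<City>_<5-digit ZIP>.exe. The city charset is an assumption.
NOTICE_NAME_RE = re.compile(r"^Notice_[A-Za-z .'-]+_\d{5}\.(zip|exe)$", re.IGNORECASE)

# Extensions Windows will execute directly (assumed list for the example).
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".cpl")


def inspect_zip(name: str, data: bytes):
    """Return a list of findings for one zip attachment; an empty list means nothing flagged."""
    findings = []
    if NOTICE_NAME_RE.match(name):
        findings.append(f"attachment name matches campaign pattern: {name}")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings + ["not a valid zip archive"]
    for info in zf.infolist():
        member = info.filename
        if member.lower().endswith(EXECUTABLE_EXT):
            findings.append(f"executable member: {member}")
        if NOTICE_NAME_RE.match(member):
            findings.append(f"member name matches campaign pattern: {member}")
        # The icon and extension can lie; PE executables always start with 'MZ'.
        with zf.open(info) as fh:
            if fh.read(2) == b"MZ":
                findings.append(f"PE executable content (MZ header): {member}")
    return findings


def build_sample_zip():
    """Constructed sample (not the real malware): a zip holding an MZ stub named like the dropper."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Notice_Birmingham_35242.exe", b"MZ" + b"\x00" * 62)
    return "Notice_Birmingham_35242.zip", buf.getvalue()


def build_benign_zip():
    """Constructed control sample: an ordinary text file in an ordinary archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", b"quarterly numbers\n")
    return "report.zip", buf.getvalue()


if __name__ == "__main__":
    for name, data in (build_sample_zip(), build_benign_zip()):
        print(name, inspect_zip(name, data))
```

The MZ check is the one that survives a rename: a gateway rule that only looks at `.exe` inside `.zip` is defeated the day the crew switches to `.scr` or a double extension, while the two-byte signature check is not.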
Each of the 88 destination websites we observed was likely compromised to host the malware. We do not believe these are necessarily "bad websites"; rather, they either have a vulnerability or have had their webmaster credentials stolen by criminals.
If one of these is YOUR website, look for one of the directories I mentioned:
/tmp/api/
/components/api/
/wp-content/api/
/capitulo/components/api/
www.metcalfplumbing.com
www.mikevanhattum.nl
www.mieszkaniaradomsko.pl
www.millionairemakeovertour.com
www.mkefalas.com
www.moldovatourism.ro
www.mobitrove.com
www.modultyp.com
www.mommyabc.com
www.monsterscalper.com
www.myconcilium.de
www.nellalongari.com
www.northsidecardetailers.com.au
www.parasitose.de
www.paulruminski.eu
www.petitecoach.com
www.phasebooks.net
www.plr-content.com
www.profimercadeo.com
www.propertyumbrellablueprint.com
www.proviewhomeservices.com
www.puntanews.com.uy
www.qifc.ir
www.rado-adventures.com
www.rantandraveweddingplanning.com
www.registrosakasicos.es
www.rimaconsulting.com
www.romiko.pl
www.saffronelectronics.co.uk
www.sasregion.com
www.saxonthewall.com
www.sealscandinavia.se
www.stkatharinedrexel.org
www.tecza.org
www.theanimationacademy.com
www.thehitekgroup.com
www.tusoco.com
www.urmasphoto.com
www.vicmy.net
www.viscom-online.com
www.vtretailers.com
www.warp.org.pl
www.webelonghere.ca
www.weihnachten-total.de
www.wesele.eu
www.whistlereh.com
www.wicta.nl
www.widitec.com.br
www.wonderlandinteractive.dk
www.wpprophet.com
www.xin8.org
www.zabytkowe.net
www.zeitgeistportugal.org
www.zmianywpodatkach.pl
www.znamsiebie.pl
www.zuidoost-brabant.nl
www.zs1grodzisk.pl
yourmentoraffiliatemarketing.com
atenea.edu.ec
comopuedoblanquearmisdientes.com
arhiconigroup.com
chris-coupe.com
drnancycooper.com
ian-mcconnell.com
izkigolf.com
kalemaquil.com
kingdommessengernetwork.com
Another compromised website: http:www.akerwade.com

Another vector website (that may have caught on already)

wellfedrealtor.com

How can I stop receiving these emails?

Thank you Quaestor and Gregory! Great data!

another compromised: sofialobatophotography.com

Another site: canyoninsulation.com

another site theonlineguru.com

poor BROWN Winick law firm of Iowa: brownwinick dot com

Great information, Gary. Of all the industries you'd expect to get litigious over this kind of thing, it's law firms. In my experience, law firms are the worst at implementing technology (especially security). So I guess they just don't care. Sounds like negligence to me (but I'm no lawyer!)

Keep up the good work.