Sponsored by..

Tuesday 24 March 2015

Malware spam: "Notice to Appear" / "Notice to appear in Court #0000310657"

These two emails come with a malicious attachment:

From:    County Court [lester.hicks@whw0095.whservidor.com]
Date:    24 March 2015 at 16:45
Subject:    AERO, Notice to Appear

This is to inform you to appear in the Court on the March 31 for your case hearing.
Please, prepare all the documents relating to the case and bring them to Court on the specified date.
Note: The case may be heard by the judge in your absence if you do not come.

You can review complete details of the Court Notice in the attachment.

Yours faithfully,
Lester Hicks,
Court Secretary.


-------------

From:    District Court [cody.bowman@p3nw8sh177.shr.prod.phx3.secureserver.net]
Date:    24 March 2015 at 16:44
Subject:    AERO, Notice to appear in Court #0000310657

Dear Aero,

This is to inform you to appear in the Court on the March 28 for your case hearing.
You are kindly asked to prepare and bring the documents relating to the case to Court on the specified date.
Note: If you do not come, the case will be heard in your absence.

You can review complete details of the Court Notice in the attachment.

Sincerely,
Cody Bowman,
District Clerk.

In these two case the attachments were named Court_Notification_0000310657.zip and Notice_to_Appear_000283436.zip containing the malicious scripts Court_Notification_0000310657.doc.js [VirusTotal 7/57] [pastebin] [deobfuscated] and Notice_to_Appear_000283436.doc.js [VirusTotal 6/57] [pastebin] [deobfuscated] respectively.

These scripts attempt to download malicious code from the following sites:

pitfaa.nidhog.com
ilarf.net
gurutravel.co.nz
lawyermyowin.com
www.lead.com.co

Details in the download locations vary, but are in the format:

ilarf.net/document.php?rnd=1161&id=
gurutravel.co.nz/document.php?rnd=3022&id=

This leads to a randomly-named file with a GIF extension which is actually one of two malicious EXE files, with detection rates of 6/57 and 4/56. One of those produces a valid Malwr report, the other smaller EXE doesn't seem to do anything.

The executable that seems to do something POSTs to a Turkish server at 176.53.125.25 (Radore Veri Merkezi Hizmetleri A.S.). Various Malwr reports [1] [2] [3] [4] [5] [6] indicate badness on at least the following IPs:

176.53.125.20
176.53.125.21
176.53.125.22
176.53.125.23
176.53.125.24
176.53.125.25


I would suggest blocking at least those IPs, or perhaps 176.53.125.16/28 or if you don't mind blocking access to a few legitimate Turkish sites you could perhaps block 176.53.125.16/24.

I am not 100% certain of the payload, however some servers in that cluster have been fingered for serving the Trapwot fake anti-virus software.

MD5s:
2d65371ac458c7d11090aca73566e3d4
da63f87243a971edca7ecd214e6fdeb1
77d8670f80c3c1de81fb2a1bf05a84b5
d48ef4bb0549a67083017169169ef3ee


2 comments:

Unknown said...

What do you do if you have clicked on the zip folder??

Conrad Longmore said...

@Unknown - if you have a Windows PC *and* you ran the executable file contained within the ZIP file, then you probably have a virus. So, you will need to clean it off with anti-virus software (it may take a few days for the AV software to get updated to deal with this) but probably more importantly on a CLEAN device you should start changing passwords.. this sort of malware can harvest saved passwords from your browser. So, if you've saved webmail, PayPal, banking passwords then these are the highest risk.