Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog - "Copyright Lawsuit filed against you" InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

"Copyright Lawsuit filed against you"

Published: 2010-03-25
Last Updated: 2010-03-25 13:30:36 UTC
by Kevin Liston (Version: 1)
5 comment(s)

Overview

An email is being sent out warning the recipient of a "Copyright Lawsuit filed against you."  We received a copy here and a number of .EDUs have reported it's receipt.  It looks something similar to:

March 24, 2010
Crosby & Higgins
350 Broadway, Suite 300
New York, NY 10013

To Whom It May Concern:

On the link bellow is a copy of the lawsuit that we filed against you in court on March 11, 2010.
Currently the Pretrail Conference is scheduled for April 11th, 2010 at 10:30 A.M. in courtroom #36.
The case number is 3485934. The reason the lawsuit was filed was due to a completely inadequate response from your company for copyright infrigement that our client Touchstone Advisories Inc is a victim of Copyright infrigement
hXXp://www.touchstoneadvisorsonline.com/lawsuit/suit_documents.doc
Touchstone Advisories Inc has proof of multiple Copyright Law violations that they wish to present in court on April 11th, 2010.

Sincerely,

Mark R. Crosby
Crosby & Higgins LLP

The law-firms named in the email, header, and sending server all appear to be a mish-mash of existing firms.

If a user clicks on the link and opens the document it will attempt to download additional payload.

Initial Detection

Currently only a few AV solutions detect the initial document: http://www.virustotal.com/analisis/9b762ff9d2103022bf1476f2c55db91475f31526522716e827875801f92a0d87-1269486837

Behavioral Notes

Following Daniel's process (http://isc.sans.org/diary.html?storyid=6703) one could extract the executable and determine what it's up to.

It appears to reach out to 121.14.149.132:80 to make a request similar to:

GET /fwq/indux.php?U=1234@1014@1@0@0@c791d4a4a147b2cd1843fe4f7f27f3a1df63f95daf0c3ddcd5f1b1e4538fd803

 

Keywords: RTF
5 comment(s)
Diary Archives