"Copyright Lawsuit filed against you" - SANS Internet Storm Center

"Copyright Lawsuit filed against you"
Overview An email is being sent out warning the recipient of a "Copyright Lawsuit filed against you." We received a copy here and a number of .EDUs have reported it's receipt. It looks something similar to: March 24, 2010 Crosby & Higgins 350 Broadway, Suite 300 New York, NY 10013 To Whom It May Concern: On the link bellow is a copy of the lawsuit that we filed against you in court on March 11, 2010. Currently the Pretrail Conference is scheduled for April 11th, 2010 at 10:30 A.M. in courtroom #36. The case number is 3485934. The reason the lawsuit was filed was due to a completely inadequate response from your company for copyright infrigement that our client Touchstone Advisories Inc is a victim of Copyright infrigement hXXp://www.touchstoneadvisorsonline.com/lawsuit/suit_documents.doc Touchstone Advisories Inc has proof of multiple Copyright Law violations that they wish to present in court on April 11th, 2010. Sincerely, Mark R. Crosby Crosby & Higgins LLP The law-firms named in the email, header, and sending server all appear to be a mish-mash of existing firms. If a user clicks on the link and opens the document it will attempt to download additional payload. Initial Detection Currently only a few AV solutions detect the initial document: http://www.virustotal.com/analisis/9b762ff9d2103022bf1476f2c55db91475f31526522716e827875801f92a0d87-1269486837 Behavioral Notes Following Daniel's process (http://isc.sans.org/diary.html?storyid=6703) one could extract the executable and determine what it's up to. It appears to reach out to 121.14.149.132:80 to make a request similar to: GET /fwq/indux.php?U=1234@1014@1@0@0@c791d4a4a147b2cd1843fe4f7f27f3a1df63f95daf0c3ddcd5f1b1e4538fd803	Kevin Liston 292 Posts ISC Handler
Reply Subscribe	Mar 25th 2010 8 years ago
We saw this a couple of weeks ago. It was targeted directly at one of our upper management. We quarantine all office documents (among other things) in our spam filter and they must be manually approved by an IT staff member. A bit labor intensive yes, but it ensures that crap like this never hits the end user's Inbox. I suspect it has saved our bacon more than once. This particular email was caught purely on the attachment filter and was not flagged as a virus by our spam filter.	Joel B 8 Posts
Reply Quote	Mar 25th 2010 8 years ago
Gotta love the spelling of Pretrial (Pretrail). Dead give away that no lawyer wrote this email.	HackDefendr 65 Posts
Reply Quote	Mar 25th 2010 8 years ago
@Joel B That must be why they moved to using a URL instead of the attachment. You get more intel on your victims that way and can sometimes bypass centralized/enterprise controls that way.	Kevin Liston 292 Posts ISC Handler
Reply Quote	Mar 25th 2010 8 years ago
I received this a week or two ago also. The text of the email was a jpeg.	Kevin Liston 5 Posts
Reply Quote	Mar 25th 2010 8 years ago
We have received an almost identical mail (different date, courtroom number, client and URL though strangely the same case number :) ) which contains a similar file (executable renamed to .pdf embedded in a .rtf renamed to .doc). I noticed that it has a different md5 so is probably a variation: http://www.virustotal.com/analisis/0d7e491efa072d6feeecc7a97ba7c341930107ce0804f94b9fcb0347bd9969ef-1269548498 Prod me if you want samples, etc.	Kevin Liston 1 Posts
Reply Quote	Mar 26th 2010 8 years ago

Overview

Initial Detection

Behavioral Notes