Having just received a copy of what appears to be the last active domain involved in last week’s “Copyright Lawsuit filed against you” themed malware campaign, it’s time to conduct a brief assessment of its inner workings.
Subject used: Copyright Lawsuit filed against you
Sample message:
March 24, 2010
Crosby & Higgins
350 Broadway, Suite 300
New York, NY 10013
To Whom It May Concern:
On the link bellow is a copy of the lawsuit that we filed against you in court on March 11, 2010. Currently the Pretrail Conference is scheduled for April 11th, 2010 at 10:30 A.M. in courtroom #36. The case number is 3485934. The reason the lawsuit was filed was due to a completely inadequate response from your company for copyright infrigement that our client Touchstone Advisories Inc is a victim of Copyright infrigement
Touchstone Advisories Inc has proof of multiple Copyright Law violations that they wish to present in court on April 11th, 2010.
Mark R. Crosby
Crosby & Higgins LLP
– complaint.doc – Downloader.Lapurd – Result: 22/39 (56.42%)
– complaint_docs.pdf – Trojan-Clicker.Win32.Cycler.odn – Result: 27/42 (64.29%)
Samples phone back to:
– 22.214.171.124 /fwq/indux.php?U=RANDOM_DATA – AS4134, CHINA-TELECOM China Telecom
– 126.96.36.199 /hia12/ter.php?u=UserName&c=COMPUTERNAME&v=RANDOM_DATA
Active C&C administration panel at: 188.8.131.52 /hia12/sca.php – returns “SSL ONLY.. USE HTTPS“
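The three phone-back paths above (`/fwq/indux.php?U=...`, `/hia12/ter.php?u=...&c=...&v=...` and the `/hia12/sca.php` panel) have a fixed shape that is easier to detect on than the IPs, which the post notes get reused across campaigns. The following Python is an added example, not code from the original post or from Dancho Danchev: it parses Squid-style proxy access log lines and flags any request whose path and query parameters match one of those beacon shapes. The log lines, client addresses and the 203.0.113.x / 198.51.100.x hosts are constructed test data, and the Squid log format is an assumption about the reader's environment.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Beacon URL shapes taken from the campaign write-up. Hosts are deliberately
# not part of the signature so the match survives a move to new infrastructure.
BEACON_SIGNATURES = [
    # /fwq/indux.php?U=<random data>
    {"name": "lapurd-downloader-beacon",
     "path": re.compile(r"^/fwq/indux\.php$"), "params": {"U"}},
    # /hia12/ter.php?u=<user>&c=<computer name>&v=<random data>
    {"name": "cycler-checkin",
     "path": re.compile(r"^/hia12/ter\.php$"), "params": {"u", "c", "v"}},
    # /hia12/sca.php: the C&C administration panel, no parameters required
    {"name": "cycler-admin-panel",
     "path": re.compile(r"^/hia12/sca\.php$"), "params": set()},
]

# Squid native access log (assumed format):
# <ts> <elapsed> <client> <code/status> <bytes> <method> <url> <ident> <hier/host> <type>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample log; 10.0.0.x are internal clients, 203.0.113.10 and
# 198.51.100.5 are documentation-range placeholders, not real C&C hosts.
SAMPLE_LOG = [
    "1269432000.123 150 10.0.0.15 TCP_MISS/200 512 GET "
    "http://203.0.113.10/fwq/indux.php?U=a9f3c1 - DIRECT/203.0.113.10 text/html",
    "1269432001.456 98 10.0.0.15 TCP_MISS/200 233 GET "
    "http://203.0.113.10/hia12/ter.php?u=jsmith&c=WS-0042&v=7d1e - DIRECT/203.0.113.10 text/html",
    "1269432002.789 40 10.0.0.22 TCP_MISS/200 4096 GET "
    "http://www.example.com/index.html - DIRECT/198.51.100.5 text/html",
    # Same script but missing the c= and v= parameters: should not be flagged.
    "1269432003.000 12 10.0.0.22 TCP_MISS/404 300 GET "
    "http://203.0.113.10/hia12/ter.php?u=jsmith - DIRECT/203.0.113.10 text/html",
    "1269432004.000 12 10.0.0.31 TCP_MISS/200 300 GET "
    "http://203.0.113.10/hia12/sca.php - DIRECT/203.0.113.10 text/html",
]


def classify_url(url):
    """Return the name of the beacon signature a URL matches, or None.

    A signature matches when the path is identical and every required query
    parameter is present; parameter names are compared case-sensitively, as
    the campaign used an upper-case U for one script and lower-case u for the other.
    """
    parts = urlsplit(url)
    query_keys = set(parse_qs(parts.query, keep_blank_values=True).keys())
    for sig in BEACON_SIGNATURES:
        if sig["path"].match(parts.path) and sig["params"].issubset(query_keys):
            return sig["name"]
    return None


def scan_log(lines):
    """Return a list of (client, url, signature) for every matching log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-Squid line; skip rather than fail
        sig = classify_url(m.group("url"))
        if sig:
            hits.append((m.group("client"), m.group("url"), sig))
    return hits


if __name__ == "__main__":
    for client, url, sig in scan_log(SAMPLE_LOG):
        print(f"{client}\t{sig}\t{url}")
```

Run against the sample, three of the five lines are flagged (the downloader beacon and check-in from 10.0.0.15, and the panel request from 10.0.0.31); the check-in that lacks the `c` and `v` parameters is not, which keeps the rule from firing on unrelated scripts that happen to share a path.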
Spamvertised domains involved in the campaign:
– touchstoneadvisorsonline.com /lawsuit/suit_documents.doc – 184.108.40.206
– marcuslawcenter.com /s/r439875.doc – 220.127.116.11 – Email: email@example.com
– danilison.com/suit /complaint.doc – 18.104.22.168
– daughtersofcolumbus.com /suit/complaint.doc – ACTIVE – 22.214.171.124 – Email: firstname.lastname@example.org
The same phone back IP was also profiled in another campaign from January, 2010.
Clearly, the cybercriminals behind it are aiming to stay beneath the radar by relying on not-so-well-profiled malicious infrastructure, combined with newly introduced campaigns, in an attempt to make it harder to establish historical connections (read about the “aggregate-and-forget” concept in respect to botnets/malware) between their other malicious activities.
This post has been reproduced from Dancho Danchev’s blog. Follow him on Twitter.