Subjects like these:
- Hearing of your case in Court No#
- Notice of appearance
- Notice of appearance in court No#
- Notice to Appear
- Notice to Appear in Court
- Notice to appear in court No#
- Urgent court notice
- Urgent court Notice No#
As usual, the spammers behind these "Court Appearance" campaigns have simply grabbed an innocent law firm to impersonate. There is no indication of any real problem at Green Winick, but I sure wish one or more of these abused law firms would step up and file a "John Doe" lawsuit against these spammers so we could get some civil discovery going!
These are the same criminals who have previously imitated other law firms, including Jones Day (jonesday.com), Latham & Watkins (lw.com), Hogan Lovells (hoganlovells.com), McDermott Will & Emery (mwe.com), and many more! Come on! Let's go get these spammers and the malware authors who pay them!
We've seen 88 destination hosts between July 10th and this morning (list below), but there are likely many more!
When malware spammers use malicious links in their email instead of attachments, they tend to have a much better success rate if they deliver a unique URL to every recipient. That is what is happening in this case, and what always happens in these ASProx / Kuluoz spam campaigns: an encoded pseudo-directory is placed in the path portion of the URL, and that path is combined with hundreds of 'pre-compromised' websites, rotated through, that host the malicious content.
Because we believe there will be MANY more destination hosts, the four patterns below in the path portion of the URL are better indicators than any individual hostname:
- tmp/api/…STUFF…=/notice
- components/api/…STUFF…=/notice
- wp-content/api/…STUFF…=/notice
- capitulo/components/api/…STUFF…=/notice
http:// arhiconigroup.com / wp-content / api / pwCYg4Ac5gk0WlQIVFEkRSPGL2E7vZhP8Qh4LMGbbAk= /notice
(To protect the spam donor, the pwCYg... string above has been slightly altered. If you want to work on decoding it, let me know and I'm happy to provide a couple hundred unaltered strings.)
Just like last week's E-Z Pass spam campaign, visiting the destination website results in a drop .zip file, named using the visitor's geolocation, that contains a .exe file.
As an example, when downloading from my home in Birmingham, Alabama, where my zip code is 35242, the copy I received was named:
Notice_Birmingham_35242.zip
which contained
Notice_Birmingham_35242.exe, whose icon is chosen so that it looks like a Microsoft Word document.
The MD5 of my '.exe' was: 5c255479cb9283fea75284c68afeb7d4
The VirusTotal report for my .exe is here:
VirusTotal Report (7 of 53 detections)
Extra credit to Kaspersky and Norman for useful and accurate naming!
Kaspersky = Net-Worm.Win32.Aspxor.bpyb
Norman = Kuluoz.EP
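The gateway-side triage that the naming and hash above suggest, as an added example (not code from the original post or from any vendor): open the drop archive, judge each member by its bytes rather than its extension, and compare hashes against the one MD5 the post reports. The archive built by build_sample_zip() is constructed (an 'MZ'-prefixed stub, not the real Notice_Birmingham_35242.exe), and the extra extensions in NOTICE_NAME are an assumption, so the script runs offline.

```python
"""Triage a 'Court Notice' drop .zip the way a mail gateway or analyst would.

Added example, not code from the original post. build_sample_zip() produces a
constructed archive (an 'MZ'-prefixed stub, not a real binary); the only real
indicator here is the MD5 the post reports for Notice_Birmingham_35242.exe.
"""
import hashlib
import io
import re
import zipfile

# Naming convention the post describes: Notice_<City>_<ZIP code>.exe inside
# Notice_<City>_<ZIP code>.zip. The alternative extensions are an assumption so
# that a renamed payload carrying the same lure name is still caught.
NOTICE_NAME = re.compile(r"^Notice_[A-Za-z]+_\d{5}\.(exe|scr|com|zip)$", re.IGNORECASE)

# MD5 reported in the post for the Birmingham sample (7 of 53 on VirusTotal).
KNOWN_BAD_MD5 = {"5c255479cb9283fea75284c68afeb7d4"}

# Constructed stand-in for the payload: Windows executables start with 'MZ'.
SAMPLE_PE_BYTES = b"MZ" + b"\x90" * 62 + b"constructed stub, not a real executable"


def md5_hex(blob: bytes) -> str:
    return hashlib.md5(blob).hexdigest()


def inspect_zip(data: bytes, known_bad=KNOWN_BAD_MD5):
    """Return one finding per archive member, in archive order.

    A member is judged by its bytes, not its extension: an 'MZ' header marks a
    Windows executable even if it had been renamed to .doc, which matters
    because the dropper's icon already impersonates a Word document.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            blob = zf.read(info)
            digest = md5_hex(blob)
            is_pe = blob[:2] == b"MZ"
            lure_name = bool(NOTICE_NAME.match(info.filename))
            if digest in known_bad:
                verdict = "known-bad"
            elif is_pe:
                verdict = "block"        # executable inside a mailed archive
            elif lure_name:
                verdict = "suspicious"   # lure naming but no PE header
            else:
                verdict = "clean"
            findings.append({"name": info.filename, "md5": digest, "is_pe": is_pe,
                             "lure_name": lure_name, "verdict": verdict})
    return findings


def build_sample_zip() -> bytes:
    """Construct an archive shaped like the one the post describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Notice_Birmingham_35242.exe", SAMPLE_PE_BYTES)
        zf.writestr("readme.txt", b"plain text member for contrast (constructed)")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip(build_sample_zip()):
        print(f"{f['verdict']:10} {f['name']:30} pe={f['is_pe']} md5={f['md5']}")
```

Feed inspect_zip() the bytes of a real drop archive to get the same per-member verdicts; the MZ check is what catches the payload when the extension or icon has been dressed up, and the known_bad set is where you keep the hashes you have already seen.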
Each of the 88 destination websites we observed was most likely compromised to host the malware. We do not believe these are necessarily "bad websites"; rather, they either have a vulnerability or have had their webmaster credentials stolen by the criminals.
If one of these is YOUR website, look for one of the directories I mentioned:
/tmp/api/
/components/api/
/wp-content/api/
/capitulo/components/api/
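The four path prefixes serve two checks, shown together here as an added example (not code from the original post): scan_urls() flags URLs in mail logs or proxy logs whose path matches prefix/encoded-token=/notice, and check_docroot() is the webmaster-side test for whether any of those directories exists under a site's document root. The first sample URL is the post's own altered example reassembled from its defanged form; every other URL, the host names and the planted file are constructed, and the token's minimum length and character class are assumptions drawn from that one sample.

```python
"""Detection on the four path prefixes the post lists, plus the webmaster check.

Added example, not code from the post or from any vendor. SAMPLE_URLS holds the
post's own (altered) example followed by constructed URLs; demo_docroot_check()
plants a constructed directory in a temporary document root.
"""
import os
import re
import tempfile
from urllib.parse import urlparse

API_DIRS = ("tmp/api", "components/api", "wp-content/api", "capitulo/components/api")

# Encoded pseudo-directory: a base64-looking run; the observed samples end in
# '=' before /notice. Padding is left optional (assumption) so an unpadded
# token is also caught; the 20-character floor is likewise an assumption.
URL_PATTERN = re.compile(
    r"^/(?P<dir>" + "|".join(re.escape(d) for d in API_DIRS) + r")"
    r"/(?P<token>[A-Za-z0-9+/_-]{20,}={0,2})/notice/?$"
)

SAMPLE_URLS = [
    # the post's example (token altered by the author), written defanged with spaces
    "http:// arhiconigroup.com / wp-content / api / pwCYg4Ac5gk0WlQIVFEkRSPGL2E7vZhP8Qh4LMGbbAk= /notice",
    # constructed positive on the fourth pattern
    "http://compromised.example/capitulo/components/api/" + "A" * 43 + "=/notice",
    # constructed negatives: ordinary wp-content path, no token, token too short
    "http://example.com/wp-content/uploads/2014/07/notice.pdf",
    "http://example.com/tmp/api/notice",
    "http://example.com/components/api/short=/notice",
]


def classify_url(url):
    """Return host, matched prefix and token for a campaign URL, else None."""
    parsed = urlparse(url.replace(" ", ""))   # tolerate defanged URLs written with spaces
    m = URL_PATTERN.match(parsed.path)
    if not m:
        return None
    return {"host": parsed.hostname, "dir": m.group("dir"), "token": m.group("token")}


def scan_urls(urls):
    return [hit for hit in map(classify_url, urls) if hit]


def check_docroot(docroot):
    """Map each suspect directory that exists under docroot to the files inside it."""
    found = {}
    for rel in API_DIRS:
        path = os.path.join(docroot, *rel.split("/"))
        if not os.path.isdir(path):
            continue
        entries = []
        for dirpath, _, filenames in os.walk(path):
            for name in filenames:
                full = os.path.join(dirpath, name)
                entries.append({"path": os.path.relpath(full, docroot),
                                "size": os.path.getsize(full),
                                "mtime": os.path.getmtime(full)})
        found[rel] = sorted(entries, key=lambda e: e["path"])
    return found


def demo_docroot_check():
    """Constructed document root with one planted directory, so the check is runnable."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "api"))
        os.makedirs(os.path.join(root, "wp-content", "uploads"))   # legitimate, must not fire
        with open(os.path.join(root, "wp-content", "api", "planted.file"), "wb") as fh:
            fh.write(b"placeholder; the real contents of these directories were not published")
        return check_docroot(root)


if __name__ == "__main__":
    for hit in scan_urls(SAMPLE_URLS):
        print("HIT  ", hit["host"], hit["dir"], hit["token"][:12] + "...")
    for rel, files in demo_docroot_check().items():
        print("FOUND", rel, [f["path"] for f in files])
```

Point check_docroot() at a real site's document root (the directory WordPress or Joomla is installed in) and look at the mtime of anything it reports; a directory that matches but holds nothing is still worth a look, since the post only says the directory is the indicator, not what sits inside it.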
www.metcalfplumbing.com
www.mikevanhattum.nl
www.mieszkaniaradomsko.pl
www.millionairemakeovertour.com
www.mkefalas.com
www.moldovatourism.ro
www.mobitrove.com
www.modultyp.com
www.mommyabc.com
www.monsterscalper.com
www.myconcilium.de
www.nellalongari.com
www.northsidecardetailers.com.au
www.parasitose.de
www.paulruminski.eu
www.petitecoach.com
www.phasebooks.net
www.plr-content.com
www.profimercadeo.com
www.propertyumbrellablueprint.com
www.proviewhomeservices.com
www.puntanews.com.uy
www.qifc.ir
www.rado-adventures.com
www.rantandraveweddingplanning.com
www.registrosakasicos.es
www.rimaconsulting.com
www.romiko.pl
www.saffronelectronics.co.uk
www.sasregion.com
www.saxonthewall.com
www.sealscandinavia.se
www.stkatharinedrexel.org
www.tecza.org
www.theanimationacademy.com
www.thehitekgroup.com
www.tusoco.com
www.urmasphoto.com
www.vicmy.net
www.viscom-online.com
www.vtretailers.com
www.warp.org.pl
www.webelonghere.ca
www.weihnachten-total.de
www.wesele.eu
www.whistlereh.com
www.wicta.nl
www.widitec.com.br
www.wonderlandinteractive.dk
www.wpprophet.com
www.xin8.org
www.zabytkowe.net
www.zeitgeistportugal.org
www.zmianywpodatkach.pl
www.znamsiebie.pl
www.zuidoost-brabant.nl
www.zs1grodzisk.pl
yourmentoraffiliatemarketing.com
atenea.edu.ec
comopuedoblanquearmisdientes.com
arhiconigroup.com
chris-coupe.com
drnancycooper.com
ian-mcconnell.com
izkigolf.com
kalemaquil.com
kingdommessengernetwork.com