NEWS FROM THE LAB - Thursday, March 25, 2010

Fake Lawsuit Notification Attack Posted by Sean @ 11:04 GMT

A few days ago, we encountered an e-mail with a malicious RTF attachment. It was sent with a supposed lawsuit notification message.

The e-mail didn't mention any company by name and took a shotgun, rather than targeted, approach.

Today, a security blogger forwarded us (and others) his version of the e-mail:

To Whom It May Concern: On the link bellow is a copy of the lawsuit that we filed against you in
court on March 15, 2010. Currently the Pretrail Conference is scheduled for April 15th,
2010 at 10:00 A.M. in courtroom #12. The case number is 3478254. The reason the lawsuit was filed
was due to a completely inadequate response from your company for copyright infrigement that our client
Danilison Inc is a victim of. www.marcuslawcenter.com

At this point, it appears that the attachment has been replaced by a hyperlink pointing to the Marcus Law Center.

It is difficult to determine whether the MLC site is compromised or just completely bogus. The text of their "Our Firm" page borrows heavily from a New York lawyer's site, but that could just be a case of "honest" plagiarism.

In any case, our browsing protection feature is now blocking the sub-directory hosting the malicious file as unsafe.

The RTF file includes an embedded object that acts as a trojan dropper (Trojan-Dropper:W32/Agent.DIOY) and it drops a downloader (Trojan-Downloader:W32/Lapurd.D), which then attempts to connect to a server located in Southern China.
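The dropper described above relies on an embedded object inside the RTF, which is something a defender can triage without opening the file in Word. The following script is an added example and not F-Secure's code or any detection used by the product mentioned in the post. It scans RTF text for \object groups, hex-decodes each \objdata payload, and flags payloads that start with the OLE compound-file magic or contain an MZ (PE) header. The sample RTF is constructed for the example, the indicator names are my own, and the parser deliberately ignores the rare \bin form of binary data.

```python
import re
import binascii
from typing import Dict, List

# Constructed sample RTF (not the file from the original post): a short document with
# one embedded \object whose \objdata hex payload starts with the OLE compound-file
# magic and carries an 'MZ' marker further in, as an embedded executable package would.
SAMPLE_RTF = (
    r"{\rtf1\ansi{\fonttbl{\f0 Times New Roman;}}"
    r"\f0\fs24 Lawsuit notification text.\par "
    r"{\object\objemb{\*\objclass Package}{\*\objdata "
    + "d0cf11e0a1b11ae1" + "00" * 8 + "4d5a9000"
    + r"}}"
    r"}"
)

# Constructed benign RTF with no embedded object at all.
BENIGN_RTF = r"{\rtf1\ansi Hello.\par}"

# Magic bytes of an OLE2 compound file (what an embedded OLE object serialises to).
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")

# \objdata is followed by a run of hex digits (whitespace and newlines allowed) up to
# the closing brace of its group.
OBJDATA_RE = re.compile(r"\\objdata\b([0-9a-fA-F\s]+)")


def extract_objdata(rtf: str) -> List[bytes]:
    """Return the decoded binary payload of every \\objdata control word."""
    payloads = []
    for match in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(r"\s+", "", match.group(1))
        if len(hexstr) % 2:
            # Truncated or malformed hex: drop the dangling nibble rather than fail.
            hexstr = hexstr[:-1]
        payloads.append(binascii.unhexlify(hexstr))
    return payloads


def classify_payload(data: bytes) -> List[str]:
    """Label an objdata payload with simple structural indicators (names are my own)."""
    findings = []
    if data.startswith(OLE_MAGIC):
        findings.append("ole-compound-file")
    if b"MZ" in data:
        findings.append("contains-MZ")
    return findings


def triage_rtf(rtf: str) -> Dict[str, object]:
    """Summarise embedded objects in an RTF document for incident triage."""
    object_count = len(re.findall(r"\\object\b", rtf))
    payloads = extract_objdata(rtf)
    flags: List[str] = []
    for payload in payloads:
        flags.extend(classify_payload(payload))
    return {
        "object_count": object_count,
        "objdata_count": len(payloads),
        "flags": sorted(set(flags)),
        # An RTF with embedded objects whose payload looks like OLE/PE content is
        # worth a closer look; plain text RTFs never trip this.
        "suspicious": object_count > 0 and bool(flags),
    }


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        print(name, triage_rtf(doc))
```

Run it against a suspect attachment by reading the file as text (`open(path, errors="replace").read()`) and passing it to `triage_rtf`. The "suspicious" verdict is only a triage hint: legitimate documents can embed OLE objects, so the payload should still be carved out and inspected before anyone draws conclusions.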

The earlier attachment that we saw also attempted to connect to a server in China.

Updated to add: SANS diary reports that a number of .edu sites have also received a similar message.

The domain, touchstoneadvisorsonline.com, is hosting the same RTF (.doc) file.