Mal/RtfExe-A: A bogus legal email campaign “Complaint filled against you.”

A blog reader got in touch with us asking about a threat he had received that had evaded the email filters on his webmail account.

The email, with the subject “Complaint filled against you.”, has the following body:

March 25, 2010
Marcus Law Center
350 Broadway, Suite 300
New York, NY 10013

To Whom It May Concern:

On the link bellow is a copy of the lawsuit that we filed against you in court on March 15, 2010.

The case number is 3478254. The reason the lawsuit was filed was due to a completely inadequate response from your company for copyright infrigement that our client Danilison Inc is a victim of.
http://www DOT marcuslawcenter DOT com/[removed]/[removed].doc
Danilison Inc has proof of multiple Copyright Law violations that they wish to present in court on April 15th, 2010.

Sincerely,

Marcus Law Center
Marcus Law Center LLP

Complaint filed email

A pretty convincing email? Not quite:

  • You don’t spell “filed” as “filled”
  • You don’t spell “Pretrial” as “Pretrail”
  • You don’t spell “infringement” as “infrigement”
  • The only names are the law firm and the client. The recipient is not named!
  • The link looks legitimate, but you would hope that confidential legal documents would be protected rather than served from an open web link.

If you were to download the linked file (blocked by the WS1000) you would receive an RTF file containing a supposed PDF called “doc.pdf” that is actually a malicious EXE.

We detect the RTF as Mal/RtfExe-A.
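As an added illustration (not code from the original post or from Sophos), here is a small Python triage check for the disguise described above: it pulls the hex payload out of each \objdata group in an RTF, decodes it, and reports whether the embedded object is really a PE executable (an MZ header whose e_lfanew points at a PE signature) regardless of the .pdf name it carries. The sample RTF and its payload are constructed stubs, not the real malware.

```python
import re

# Constructed demo payload (not the real sample): a file name "doc.pdf" followed
# by a minimal MZ/PE header stub. Offset 0x3c of a DOS header holds e_lfanew,
# the offset of the "PE\0\0" signature; here it is set to 0x40.
FAKE_PAYLOAD = (b"doc.pdf\x00" + b"MZ\x90\x00" + b"\x00" * 56
                + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 16)
# Constructed RTF wrappers: an embedded OLE Package whose \objdata is the hex of the payload.
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata "
              + FAKE_PAYLOAD.hex().encode() + b"}}}")
BENIGN_RTF = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata "
              + (b"report.pdf\x00%PDF-1.4\n%%EOF\n").hex().encode() + b"}}}")

OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
# Printable run ending in a document/executable extension, e.g. the name shown to the victim.
NAME_RE = re.compile(rb"[\x21-\x7e]{1,100}?\.(?:pdf|doc|exe|scr)(?![\x21-\x7e])", re.I)


def extract_objdata(rtf: bytes) -> list:
    """Return the decoded binary payload of every \\objdata group in the RTF."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdigits = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdigits) % 2:  # tolerate a truncated trailing nibble
            hexdigits = hexdigits[:-1]
        blobs.append(bytes.fromhex(hexdigits.decode("ascii")))
    return blobs


def looks_like_pe(blob: bytes) -> bool:
    """True if an MZ header whose e_lfanew points at a PE signature is present."""
    i = blob.find(b"MZ")
    while i != -1:
        if len(blob) >= i + 0x40:
            e_lfanew = int.from_bytes(blob[i + 0x3C:i + 0x40], "little")
            if blob[i + e_lfanew:i + e_lfanew + 4] == b"PE\x00\x00":
                return True
        i = blob.find(b"MZ", i + 1)
    return False


def assess(rtf: bytes) -> list:
    """Flag embedded objects that are PE files but carry a non-executable name."""
    findings = []
    for n, blob in enumerate(extract_objdata(rtf)):
        names = sorted({m.group(0).decode("ascii") for m in NAME_RE.finditer(blob)})
        is_pe = looks_like_pe(blob)
        disguised = is_pe and not any(x.lower().endswith((".exe", ".scr")) for x in names)
        findings.append({"object": n, "names": names, "is_pe": is_pe, "disguised": disguised})
    return findings
```

Run `assess()` over any RTF read as bytes; an object reported as `is_pe` with only a .pdf or .doc name is the pattern this campaign relies on.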

UPDATE:

After some more digging I have seen the names of other law firms being abused in the same way, for example:

March 20, 2010
Crosby & Higgins
350 Broadway, Suite 300
New York, NY 10013

To Whom It May Concern:

On the link bellow is a copy of the lawsuit that we filed against you in court on March 11, 2010.
Currently the Pretrail Conference is scheduled for April 10th, 2010 at 9:30 A.M. in courtroom #33.
The case number is 3485934. The reason the lawsuit was filed was due to a completely inadequate response from your company for copyright infrigement that our client Danilison Inc is a victim of.
http://danilison DOT com/…/XXXXXXXXX.doc
Danilison Inc has proof of multiple Copyright Law violations that they wish to present in court on April 10th, 2010.

Sincerely,

Mark R. Crosby
Crosby & Higgins LLP

The emails arrive with several different subjects:

  • Lawsuit initiated against you.
  • Please read.
  • Complaint filled against you.

The dropped EXE would already have been detected by Sophos as Sus/UnkPack-C and with HIPS/FileMod-001. This particular file is now detected as Troj/Resdro-C, a member of the Mal/Resdro-A family of malware.