Wednesday, June 15, 2011

May-June 2011 Trojan Taidoor "Louisvilleheartsurgery.com" phishing campaign

These posts all contain the same trojan, but they were not created for the sake of samples. They are meant to show how compromised USA servers are used for a stream of phishing emails. The first was noticed on May 31, 2011 and the last was today, June 13, 2011.


mail.louisvilleheartsurgery.com (66.147.51.202) appears to be a misconfigured mail server that allows relaying, but only a forensic examination of the server can provide more details. If you are a patient and are concerned about your records, please note that the mail server is not the same as a database or a data server; patient records are most likely on a different server and not affected. Also, these attackers are not after the louisvilleheartsurgery.com data; they usually use the mail service to reach their targets elsewhere. The phishing campaign, judging by the targets, topics, and trojans used, is targeting researchers and experts working on Chinese and Taiwan issues.

CLICK HERE SEE ALL MESSAGES RELATED TO THE PHISHING CAMPAIGN
I am posting only 5 messages as an example, but there were others.
The servers in question are:
Mail relay
66.147.51.202
Hostname:    mail.louisvilleheartsurgery.com
ISP:    NuVox Communications
Organization:    UNIVERSITY CARDIOTHORACIC SURGICAL ASSOCIATES, PSC
Proxy:    None detected
Type:    Broadband
Assignment:    Static IP
Blacklist:   
Geolocation Information

Country:    United States
State/Region:    Kentucky
City:    Louisville


Command and Control (CnC) #1
99.1.23.71
Hostname:    99.1.23.71
ISP:    SBC Internet Services
Organization:    SUN COUNTRY MEDICAL EQUIPMENT
Proxy:    None detected
Type:    Corporate
State/Region:    Texas
City:    El Paso


Command and Control (CnC) #2

65.87.199.102
Hostname:    vortex.gatortech.com
ISP:    Synergy Networks
Organization:    Synergy Networks
Proxy:    None detected
Type:    Corporate
State/Region:    Florida
City:    Naples


June 15 Update: There were additional messages received yesterday with CVE-2009-0927 PDF.

Download from here, contact me if you need the password


Received: (qmail 11564 invoked from network); 14 Jun 2011 07:10:51 -0000
Received: from mail.louisvilleheartsurgery.com (HELO ucsamd.com) (66.147.51.202)
  byxxxxxxxxxxxxxxxxxxxxx 14 Jun 2011 07:10:51 -0000
Received: from UCSADC1 ([192.168.20.2]) by ucsamd.com with Microsoft SMTPSVC(6.0.3790.4675);
     Tue, 14 Jun 2011 03:10:50 -0400
X-Mozilla-Status: 0000
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
 
X-Identity-Key: id1
Message-ID: <4DF70468.5090108@hotmail.com>
Date: Tue, 14 Jun 2011 03:10:50 -0400
From: "Miss Yang" <yangww@gmail.com>
X-Mozilla-Draft-Info: internal/draft; vcard=0; receipt=0; DSN=0; uuencode=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.9.2.13) Gecko/20101207 Thunderbird/3.1.7
MIME-Version: 1.0
Subject: Speaker's Program Invitation
Content-Type: multipart/mixed;
    boundary="------------060509090906080505060803"
To:xxxxxxxxxxxxxxxxxxxxxxxxxx
X-Mailer: Microsoft Outlook, Build 10.0.2627
Return-Path: yangww@gmail.com
X-OriginalArrivalTime: 14 Jun 2011 07:10:50.0979 (UTC) FILETIME=[31561B30:01CC2A62]
JS from the PDF is on the left.
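The header chain above carries the tell-tale signs of third-party relay abuse described in this post: the relay's HELO name does not match its hostname, a webmail sender domain never appears in the delivery path, the Message-ID was minted under a different domain than the From address, and two different mail clients stamped the same message. The following checks are an added example, not code from the original post; the finding tags and the receiving-host placeholder are my own.

```python
import re
from email import message_from_string

# Headers of the message shown on this page (recipient/receiving host redacted by the author).
SAMPLE_HEADERS = """\
Received: (qmail 11564 invoked from network); 14 Jun 2011 07:10:51 -0000
Received: from mail.louisvilleheartsurgery.com (HELO ucsamd.com) (66.147.51.202)
  by REDACTED-RECEIVING-HOST 14 Jun 2011 07:10:51 -0000
Received: from UCSADC1 ([192.168.20.2]) by ucsamd.com with Microsoft SMTPSVC(6.0.3790.4675);
     Tue, 14 Jun 2011 03:10:50 -0400
Message-ID: <4DF70468.5090108@hotmail.com>
From: "Miss Yang" <yangww@gmail.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.9.2.13) Gecko/20101207 Thunderbird/3.1.7
X-Mailer: Microsoft Outlook, Build 10.0.2627
Return-Path: yangww@gmail.com
"""

def _domain(value):
    """Domain part of an address or Message-ID, lowercased ('' if none)."""
    m = re.search(r'@([\w.-]+)', value)
    return m.group(1).lower() if m else ''

def _hops(msg):
    """Yield (reverse-DNS name, HELO name, IP) for each 'Received: from ...' header."""
    for rcv in msg.get_all('Received', []):
        rcv = ' '.join(rcv.split())  # unfold continuation lines
        m = re.match(r'from (\S+)(?: \(HELO (\S+)\))?(?: \(\[?([\d.]+)\]?\))?', rcv)
        if m:
            yield m.group(1).lower(), (m.group(2) or '').lower(), m.group(3) or ''

def analyze(raw_headers):
    """Return finding tags for relay and sender-identity inconsistencies."""
    msg = message_from_string(raw_headers)
    findings = []
    sender = _domain(msg.get('From', ''))
    hops = list(_hops(msg))
    for rdns, helo, _ip in hops:  # 1. HELO name differs from the host the MTA saw
        if helo and helo != rdns:
            findings.append(f'helo-mismatch:{rdns}!={helo}')
    if sender and hops and not any(h[0].endswith(sender) for h in hops):  # 2. third-party relay
        findings.append(f'sender-domain-not-in-path:{sender}')
    mid = _domain(msg.get('Message-ID', ''))  # 3. Message-ID minted under another domain
    if mid and sender and mid != sender:
        findings.append(f'message-id-domain-mismatch:{mid}!={sender}')
    if msg.get('User-Agent') and msg.get('X-Mailer'):  # 4. two client fingerprints
        findings.append('two-client-stamps')
    return findings
```

Each tag on its own is only a weak signal (legitimate forwarders also break some of these), so treat the combination, not any single hit, as the reason to pull the attachment aside.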

Speaker's Program Invitation_Emily Cheng.pdf
Result: 18/42 (42.9%)

Avast5 5.0.677.0 2011.06.14 JS:Pdfka-gen
AVG 10.0.0.1190 2011.06.14 Script/Exploit
BitDefender 7.2 2011.06.14 Exploit.PDF-JS.Gen
ClamAV 0.97.0.0 2011.06.14 PUA.Script.PDF.EmbeddedJavaScript
Commtouch 5.3.2.6 2011.06.14 PDF/Obfusc.M!Camelot
F-Prot 4.6.2.117 2011.06.14 JS/ShellCode.S.gen
GData 22 2011.06.14 Exploit.PDF-JS.Gen
Kaspersky 9.0.0.837 2011.06.14 Exploit.JS.Pdfka.dqp
Microsoft 1.6903 2011.06.13 Exploit:Win32/Pdfdrop.A
NOD32 6207 2011.06.14 PDF/Exploit.CVE-2009-0927.A
Norman 6.07.10 2011.06.14 PDF/Obfuscated.JS
nProtect 2011-06-14.01 2011.06.14 Exploit.PDF-JS.Gen
Panda 10.0.3.5 2011.06.14 Exploit/PDF.Gen.B
TrendMicro-HouseCall 9.200.0.1012 2011.06.14 Expl_ShellCodeSM
e4cc838a5cde386dda97e4cce6cd4043
