May-June 2011 Trojan Taidoor "Louisvilleheartsurgery.com" phishing campaign

These posts all contain the same trojan but they were created not the sake of samples. They are to show how compromised USA servers are used for a stream of phishing emails. The first was noticed on May 31, 2011 and the last was today - June 13, 2011.


mail.louisvilleheartsurgery.com 66.147.51.202 appears to be a misconfigured mail server allowing relay but only forensic examination of the server can provide more details. If you are a patient and are concerned about your records, please note that the mail server is not the same as a database or a data server and patient records are most likely on a different server and not affected. Also, these attackers are not after the louisvilleheartsurgery.com data, they usually use the mail service to reach their targets elsewhere. The phishing campaign, judging by the targets, topics, and trojans used, is targeting researchers and experts working on Chinese and Taiwan issues.

Jun 13 CVE-2009-4324 PDF navy procurement.pdf from compromised louisvilleheartsurgery.com w Trojan Taidoor

Common Vulnerabilities and Exposures (CVE)number

CVE-2009-4324 Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009.

  General File Information

File  navy procurement.pdf
File Size  222903
MD5  DF0DE9AD9E5BF00A60F8DE3D37683C5B
Distribution  Email attachment

CLICK HERE SEE ALL OTHER PHISHING MESSAGES SENT VIA THAT SERVER


 The trojaned documents were sent via mail.louisvilleheartsurgery.com (66.147.51.202), which appears to be a legitimate mail server of University of Louisville surgery program, which is outsourced to/hosted at Nuvox / Windstream Email hosting. The server must be misconfigured or compromised and is being actively used as a relay for phishing.

Jun 1 CVE-2010-3333 DOC You are my King from compromised louisvilleheartsurgery.com w Trojan Taidoor

Common Vulnerabilities and Exposures (CVE)number

CVE-2010-3333 Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability

  General File Information

File You are my king.doc
File Size  58531 bytes
MD5  09D68EF693AC6B7D3ACF0DDFF0585543
Distribution  Email attachment


CLICK HERE SEE ALL OTHERS SENT VIA THAT SERVER


 The trojaned documents were sent via mail.louisvilleheartsurgery.com (66.147.51.202), which appears to be a legitimate mail server of University of Louisville surgery program, which is outsourced to/hosted at Nuvox / Windstream Email hosting. The server must be misconfigured or compromised and is being actively used as a relay for phishing.(I have other examples of phish mail sent via that server and I will post them as soon as I can)

May 31 CVE-2010-3333 DOC President Obama's Speech.doc from compromised louisvilleheartsurgery.com w Trojan Taidoor

Common Vulnerabilities and Exposures (CVE)number

CVE-2010-3333 Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability 

  General File Information

File President Obama's Speech.doc
File Size 73891 bytes
MD5 35C33BBD97D7F5629D64153A1B3E71F1
Distribution Email Attachment

 The trojan within a word document was sent via mail.louisvilleheartsurgery.com (66.147.51.202), which appears to be a legitimate mail server of University of Louisville surgery program, which is outsourced to/hosted at Nuvox / Windstream Email hosting. The server must be misconfigured or compromised and is being actively used as a relay for phishing.(I have other examples of phish mail sent via that server - pretty much everything is the same - note additional C2 ip in this post)

See others

• Jun 1 CVE-2010-3333 DOC 2011 Insider's Guide to Military Benefits from compromised louisvilleheartsurgery.com w Trojan Taidoor  
• May 31 CVE-2010-3333 DOC Q and A.doc compromised louisvilleheartsurgery.com w Trojan Taidoor

May 31 CVE-2010-3333 DOC Q and A.doc compromised louisvilleheartsurgery.com w Trojan Taidoor

Common Vulnerabilities and Exposures (CVE)number

CVE-2010-3333 Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability

  General File Information

File Q and A.doc
File Size 115755 bytes
MD5 46863c6078905dab6fd9c2a480e30ad0
Distribution Email Attachment

 The trojan within a word document was sent via mail.louisvilleheartsurgery.com (66.147.51.202), which appears to be a legitimate mail server of University of Louisville surgery program, which is outsourced to/hosted at Nuvox / Windstream Email hosting. The server must be misconfigured or compromised and is being actively used as a relay for phishing.(I have other examples of phish mail sent via that server - pretty much everything is the same - note additional C2 ip in this post) Jun 1 CVE-2010-3333 DOC 2011 Insider's Guide to Military Benefits from compromised louisvilleheartsurgery.com w Trojan Taidoor