Post-holiday season spammers send out fake court notices to panic recipients


The Dell SonicWALL Threats Research team has received a large volume of virus-infected spam over the past week. The messages purport to come from court clerks and claim that the recipient must appear in court on a specified date. The spammers send them under the guise of prestigious law firms such as Latham Watkins, Perkins Coie, Baker Botts, Hogan Lovells, etc.

Infection Cycle:

Once executed, the Trojan creates the following text file at %TEMP%\Plaint Note_06_01_2014_document_us.txt:

It copies itself to the following location:

  • %APPDATA%\Local\hogvbjma.exe [Detected as GAV: Kuluoz.D_13 (Trojan)]

The Trojan contains the following anti-debugging and anti-analysis checks:

  • Inspects the registry for traces of a virtual environment by looking for strings such as "Virtual", "Vbox" and "VMware"
  • Checks for the presence of analysis tools such as Wireshark, IPTools, Iris – Version 5.59, Process Monitor, Process Explorer and Process Hacker

We also observed the following PDB (debug symbol) project path strings in the sample during our analysis:

  • %USER_PROFILE%DocumentsSysIQUAloader_1.4 sloader_v4loader_v3Releaseloader_v3.pdb
  • %USER_PROFILE%DocumentsSysIQUAloader_1.4 sloader_v4loader_v3Releasedll.pdb

Below are some of the common e-mail subjects observed in this spam wave:

    #Hearing of your case in Court N#0418-175
    #Hearing of your case in Court NO8142-534
    #Notice of appearance in court Order 0289
    #Urgent court notice Order (number)
    Court attendance notification #No(number)
    Court notification No3700
    Hearing of your case in Court ID4061
    Hearing of your case in Court NR#9256
    Hearing of your case in Court No#8925
    Notice of appearance in court NR#(number)
    Notice to appear in court No#1966
    Urgent court notice ID(number)
    Urgent court notice NR#61018

The e-mail bodies are nearly identical, claiming that the recipient must bring all documents and witnesses. Later variants mention a pretrial notice and name the recipient as a defendant in a case about illegal software use:

These e-mails are not real and do not come from law firms or court clerks. The fake court notices are designed to panic recipients into opening the attached file without caution. The attachments are also named in a specific way to trick recipients. Here are a few of the attachment names:

  • Plaint

Upon opening the attachment we found a malicious executable bearing a Microsoft Word icon. Recipients who fall for the trick believe this is a real notice from the law firm and run the .exe file inside.
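The two tells described above, a templated court-notice subject and an executable dressed up as a document, can both be checked mechanically at the mail gateway. The following triage routine is an added illustration written for this article; it is not code from the original analysis or from SonicWALL. It matches the subject against the phrasings and identifier shapes listed above (N#, NO, NR#, No#, ID, Order, #No) and inspects attachments by content, flagging anything that starts with the PE "MZ" header or has an executable extension, including members of a ZIP archive, regardless of the icon the file carries. The sample messages, attachment names (Plaint_Note.zip, Court_Notice.doc, notice.pdf) and byte payloads are constructed for the demonstration.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field

# Subject phrasings from the observed list, optionally followed by a case or
# order identifier in one of the observed shapes: "N#0418-175", "NO8142-534",
# "NR#9256", "No#1966", "ID4061", "#No1234", "Order 0289".
CAMPAIGN_SUBJECT = re.compile(
    r"^#?\s*(?:"
    r"Hearing of your case in Court|"
    r"Notice (?:of appearance|to appear) in court|"
    r"Urgent court notice|"
    r"Court attendance notification|"
    r"Court notification"
    r")\b"
    r"(?:\s+(?:Order|#No|N[oOrR]?#?|ID#?)\s*\d[\d-]*)?\s*$",
    re.IGNORECASE,
)

PE_MAGIC = b"MZ"            # DOS header every Windows executable starts with
ZIP_MAGIC = b"PK\x03\x04"   # local file header of a ZIP archive
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def subject_matches_campaign(subject: str) -> bool:
    """True if the subject follows one of the observed fake court-notice templates."""
    return CAMPAIGN_SUBJECT.match(subject.strip()) is not None


def _looks_executable(name: str, data: bytes) -> bool:
    # Judge by content first: the Word icon lives inside the PE, the MZ header
    # is what actually identifies it. The extension is a secondary signal.
    return data.startswith(PE_MAGIC) or name.lower().endswith(EXECUTABLE_EXTENSIONS)


def find_executables(filename: str, data: bytes) -> list[str]:
    """Return names of executable payloads in an attachment, descending one
    level into ZIP archives (reported as archive!member)."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                return [f"{filename}!{m.filename}" for m in archive.infolist()
                        if not m.is_dir() and _looks_executable(m.filename, archive.read(m))]
        except zipfile.BadZipFile:
            return []   # damaged archive: nothing we can inspect here
    return [filename] if _looks_executable(filename, data) else []


@dataclass
class Verdict:
    subject_match: bool
    executable_attachments: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # The campaign pattern is both signals together: a templated court
        # notice subject delivering an executable.
        return self.subject_match and bool(self.executable_attachments)


def triage(subject: str, attachments: dict[str, bytes]) -> Verdict:
    verdict = Verdict(subject_match=subject_matches_campaign(subject))
    for name, data in attachments.items():
        verdict.executable_attachments.extend(find_executables(name, data))
    return verdict


def _fake_pe(size: int = 128) -> bytes:
    # Constructed stand-in for a PE file; only the header matters here.
    return PE_MAGIC + b"\x90" * (size - 2)


def _zip_with(name: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(name, payload)
    return buf.getvalue()


def run_samples() -> dict[str, Verdict]:
    """Triage four constructed messages modelled on the campaign."""
    samples = {
        # Campaign subject, ZIP hiding an .exe (constructed names and payload)
        "spam_zip": ("#Hearing of your case in Court N#0418-175",
                     {"Plaint_Note.zip": _zip_with("Plaint_Note.exe", _fake_pe())}),
        # Campaign subject, bare PE renamed to look like a Word document
        "spam_renamed": ("Notice to appear in court No#1966",
                         {"Court_Notice.doc": _fake_pe()}),
        # Campaign subject but a PDF: subject flagged, attachment clean
        "pdf_only": ("Court notification No3700",
                     {"notice.pdf": b"%PDF-1.4\n%constructed sample\n"}),
        # Unrelated mail with an unrelated attachment
        "benign": ("Minutes from Tuesday's meeting",
                   {"minutes.txt": b"Attendees: ...\n"}),
    }
    return {name: triage(subj, atts) for name, (subj, atts) in samples.items()}


if __name__ == "__main__":
    for name, v in run_samples().items():
        print(f"{name:13} subject_match={v.subject_match} "
              f"executables={v.executable_attachments} suspicious={v.suspicious}")
```

The content check is deliberately independent of the name: a PE renamed to .doc is still caught by its MZ header, while a genuine PDF under a campaign-style subject raises only the subject signal, which is the case a reviewer would want to see rather than auto-block.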

We have observed a high number of these spam e-mails over the last few days; some of the counts are shown below:

The following heat map shows the geographic distribution of this attack:

The campaign is still active, as the hit counts over the last few days show:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Kuluoz.D_6 (Trojan)
  • GAV: Kuluoz.D_7 (Trojan)
  • GAV: Kuluoz.D_8 (Trojan)
  • GAV: Kuluoz.D_10 (Trojan)
  • GAV: Kuluoz.D_11 (Trojan)
  • GAV: Kuluoz.D_12 (Trojan)
  • GAV: Kuluoz.D_13 (Trojan)

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.