
Threat Outbreak Alert: Fake Product Services Specification Request Email Messages on August 29, 2013

2013-07-01 18:53:09
Cisco
tools.cisco.com

Medium

Alert ID: 29868

First Published: 2013 July 1 18:53 GMT

Last Updated: 2013 August 29 12:36 GMT

Version: 9

Summary

  • Cisco Security has detected significant activity related to spam email messages that claim to contain a business specification and outlines for the recipient. The text in the email message attempts to convince the recipient to open the attachment and view the details. However, the .zip attachment contains a malicious .exe file that, when executed, attempts to infect the system with malicious code.

Email messages that are related to this threat (RuleID6381 and RuleID6381KVR) may contain the following files:

> specification.zip
> specification.exe
> girl.zip
> girl.exe
> Letter of Authorization.zip
> Osee.exe
> Gift.zip
> Gift.exe
> SecureMessage.zip
> SecureMessage.exe
> PaymentAdvice.zip
> PaymentAdvice.exe
> P-O.zip
> done.exe

The specification.exe file in the specification.zip attachment has a file size of 346,704 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0xC8082BCCC2F29B41D029208ABC19991B

The girl.exe file in the girl.zip attachment has a file size of 1,003,520 bytes. The MD5 checksum is the following string: 0xD3108DCD671A3089CC63CF7231E7B9E3

The Osee.exe file in the Letter of Authorization.zip attachment has a file size of 404,480 bytes. The MD5 checksum is the following string: 0x29F91AEBAC55521E58F239981350049C

The Gift.exe file in the Gift.zip attachment has a file size of 123,018 bytes. The MD5 checksum is the following string: 0xAAD613D9226AD3274E92093360D6AB9A

A variant of the specification.exe file in the specification.zip attachment has a file size of 812,544 bytes. The MD5 checksum is the following string: 0x4D1E7EA6CB093415C0129FD7CE040786

The SecureMessage.exe file in the SecureMessage.zip attachment has a file size of 118,784 bytes. The MD5 checksum is the following string: 0xC645DF9F57E6B7122B8B61EF63ABD431

A third variant of the specification.exe file in the specification.zip attachment has a file size of 696,320 bytes. The MD5 checksum is the following string: 0x0B37DCE785F8E465F5D15B6AD8325DF2

A variant of the SecureMessage.exe file in the SecureMessage.zip attachment has a file size of 121,856 bytes. The MD5 checksum is the following string: 0xAD474DB836F43DF6F5DFA3E6D627FB6A

The PaymentAdvice.exe file in the PaymentAdvice.zip attachment has a file size of 115,712 bytes. The MD5 checksum is the following string: 0xBAD273225554C8E82AC293EECF1882FE

The done.exe file in the P-O.zip attachment has a file size of 186,880 bytes. The MD5 checksum is the following string: 0xB79D1EC0F5ADFF48F84904AE95D2B4FC

A fourth variant of the specification.exe file in the specification.zip attachment has a file size of 732,160 bytes. The MD5 checksum is the following string: 0xC8B6FE50220917E147665F0465D1FB13

The following text is a sample of the email message that is associated with this threat outbreak:

> Subject: Business Specification
>
> Message Body:
>
> We are a group of company based in Louisiana, United State of America and it is our pleasure to introduce our business to you. We went through your profile online and it caught our mind to send you a copy of our business outlines and specifications in a pdf format, which you can read by downloading the attached files.
> We are interested in your business and services and this is why we sent you some of our specific need in your business.
> You can reach us by calling or texting our contact number below to discuss the business over the phone if need be.
> Thanks and hoping to read and doing business with you soon.
> Stephen A Seedorf

Or

> Subject: girl

Or

> Message Body:
>
> Dear Sir,
> Today, As confirmed advised by our Bank. I have attached the authorization letter for you to sign, so we could
> proceed with the payment as scheduled. Once we get the signed copy of letter attached, I will send you copy of
> payment once its ready.
> Regards,
> Mr Jafar Ushman
> Sunshine PTE FZE

Or

> Message Body:
>
> [Australian Taxation Office logo]
> Dear e-Tax user,
> Attached is your payment Slip for your 2012 Tax refunds.
> Download to view if we got your correct account information so your payment won’t be delayed.
> Australia Taxation Office.

Or

> Subject: Download Your Tax Refund Payment Report!
>
> Message Body:
>
> Dear e-Tax user,
> Attached is your payment Slip for your 2012 Tax refunds.
> Download to view if we got your correct account information so your payment won’t be delayed.
> Australia Taxation Office.

Or

> Subject: IMPORTANT - NatWest Secure Message
>
> Message Body:
>
> You have received a secure message
> Read your secure message by opening the attachment, SecureMessage.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
> If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 1055.
> First time users - will need to register after opening the attachment.
> About Email Encryption - hxxp://supportcentre.natwest.com/app/answers/detail/a_id/1671/kw/secure%20message

Cisco Security analysts examine real-world email traffic data that is collected from over 100,000 contributing organizations worldwide. This data helps provide a range of information about and analysis of global email security threats and trends. Cisco will continue to monitor this threat and automatically adapt systems to protect customers. This report will be updated if there are significant changes or if the risk to end users increases.

Cisco security appliances protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. Email that is managed by Cisco and end users who are protected by Cisco Web Security Appliances will not be impacted by these attacks. Cisco security appliances are automatically updated to prevent both spam email and hostile web URLs from being passed to the end user.

Related Links
Cisco Security
Cisco SenderBase Security Network

Revision History

| Version | Description | Section | Date |
|---|---|---|---|
| 9 | Cisco Security has detected significant activity on August 29, 2013. | | 2013-August-29 12:36 GMT |
| 8 | Cisco Security has detected significant activity on August 27, 2013. | | 2013-August-27 12:29 GMT |
| 7 | Cisco Security has detected significant activity on August 13, 2013. | | 2013-August-13 16:01 GMT |
| 6 | Cisco Security has detected significant activity on August 6, 2013. | | 2013-August-08 19:42 GMT |
| 5 | Cisco Security has detected significant activity on July 30, 2013. | | 2013-July-31 13:42 GMT |
| 4 | Cisco Security has detected significant activity on July 22, 2013. | | 2013-July-23 14:44 GMT |
| 3 | Cisco Security has detected significant activity on July 11, 2013. | | 2013-July-11 13:31 GMT |
| 2 | Cisco Security has detected significant activity on July 2, 2013. | | 2013-July-02 15:44 GMT |
| 1 | Cisco Security has detected significant activity on June 30, 2013. | | 2013-July-01 18:53 GMT |


Legal Disclaimer

  • THIS DOCUMENT IS PROVIDED ON AN “AS IS” BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products