Threat Outbreak Alert: Fake Secure Message Delivery Email Messages on August 18, 2014

2013-11-20T13:54:24
ID CISCO-THREAT-31830
Type ciscothreats
Reporter Cisco
Modified 2014-08-19T12:36:21

Description

Medium

Alert ID: 31830
First Published: 2013 November 20 13:54 GMT
Last Updated: 2014 August 19 12:36 GMT
Version: 7

Summary

Cisco Security has detected significant activity related to spam email messages that claim to deliver a secure message, a payment confirmation or an invoice to the recipient. The text in the email message attempts to convince the recipient to open the attachment and view the details. However, the .zip attachment contains a malicious executable (.exe or .scr) that, when run, attempts to infect the system with malicious code.

Email messages that are related to this threat (RuleID7942 and RuleID4626KVR) may contain the following files. Sizes and MD5 checksums are those of the executable inside each attachment:

Attachment | Contained file | Size (bytes) | MD5
---|---|---|---
Secure_Message.zip | Secure_Message.exe | 13,824 | 3B699A22A8A3706C9521E63F9F598B
invoice.zip | invoice_658293759097294283823_93856978234729.oi.pdf.exe | 90,795 | 5F694ED920503E2AF93E3094C612AF48
Swift TT.zip | Swift TT.scr | 485,936 | BEC0B30DC38C31E1124437C1437F90D6
BANK SWIFT.zip | BANK SWIFT.exe | 725,096 | 674674219C8B1DCD562BCAF14C278DC4
2014_06rechnung_52249826995793_sign.zip | Rechnung_25_14_06_8200630274520031_telekom_deutschland_GmbH_9281001.exe | 132,096 | CC5D51730DAED56D0D635921F7D84AC9
BANK SWIFT MT 103.zip | mt111.exe | 848,575 | 2E28C62D855A1C7872AFE7022398AB3A
Slip Confirm.zip | Slip Confirm.exe | 572,928 | E58D8308034CD28F9101F05A02188A23
Transfer[U+202E]fdp.zip | TRANSF~1.EXE | 513,536 | 5DC3A4DC9F031A8049FA196ED9FCC049

Notes on these indicators:

The published MD5 for Secure_Message.exe is only 30 hexadecimal digits, two short of a full MD5 digest, so it cannot match any real file as printed; rely on the file name and size for that sample. An MD5 checksum identifies a specific known sample well enough for indicator matching, but MD5 is not collision resistant, so it should not be treated as a unique identifier in the cryptographic sense; prefer SHA-256 where a feed provides it.

The attachment name written here as Transfer[U+202E]fdp.zip contains the raw Unicode RIGHT-TO-LEFT OVERRIDE control character (U+202E) after "Transfer". A mail client or file browser renders the characters that follow it from right to left, so the name appears to end in ".pdf" (as "Transferpiz.pdf") even though the real extension is .zip. The contained file name TRANSF~1.EXE is an 8.3 short name, which is what Windows produces when the long name cannot be represented.

Several lures place a decoy extension before the real one (".pdf.exe") or use .scr, a screensaver extension that Windows executes exactly like .exe; with "Hide extensions for known file types" enabled, Explorer shows only the decoy.
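As an added illustration, and not part of Cisco's alert, the following Python script applies the indicators above to a ZIP attachment: it flags executable and double extensions, detects the U+202E right-to-left override used in the Transfer lure and shows how such a name is displayed, and compares each member's MD5 against the published digests. The sample archive it builds is constructed for the demonstration with placeholder contents, so the hash check intentionally does not fire and only the name-based checks do. The extension lists and the simplified bidi rendering are this example's own assumptions, not part of the alert.

```python
"""Triage a ZIP e-mail attachment against the lure patterns in this alert."""
import hashlib
import io
import zipfile

# Indicators transcribed from the alert: member name -> (size in bytes, MD5).
# The Secure_Message.exe digest is copied exactly as published; it has only 30
# hex digits, so it can never equal a real 32-digit MD5 and is reference only.
ADVISORY_IOCS = {
    "Secure_Message.exe": (13824, "3b699a22a8a3706c9521e63f9f598b"),
    "invoice_658293759097294283823_93856978234729.oi.pdf.exe":
        (90795, "5f694ed920503e2af93e3094c612af48"),
    "Swift TT.scr": (485936, "bec0b30dc38c31e1124437c1437f90d6"),
    "BANK SWIFT.exe": (725096, "674674219c8b1dcd562bcaf14c278dc4"),
    "Rechnung_25_14_06_8200630274520031_telekom_deutschland_GmbH_9281001.exe":
        (132096, "cc5d51730daed56d0d635921f7d84ac9"),
    "mt111.exe": (848575, "2e28c62d855a1c7872afe7022398ab3a"),
    "Slip Confirm.exe": (572928, "e58d8308034cd28f9101f05a02188a23"),
    "TRANSF~1.EXE": (513536, "5dc3a4dc9f031a8049fa196ed9fcc049"),
}
KNOWN_MD5S = {md5 for _, md5 in ADVISORY_IOCS.values()}

# Assumed lists for this example. Extensions Windows runs on double-click
# (.scr is a screensaver, i.e. a PE file) and decoy extensions seen before
# the real one in names such as "...pdf.exe".
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
# Unicode bidirectional controls; U+202E (RLO) is the one in the Transfer lure.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")


def visual_name(name: str) -> str:
    """Approximate how a name containing U+202E is drawn: everything after the
    override is rendered right to left. Exact for plain Latin text after the
    override, which is the alert's case; the full bidi algorithm is more complex."""
    head, sep, tail = name.partition("\u202e")
    return head + tail[::-1] if sep else name


def name_findings(name: str) -> list[str]:
    """Static checks on a file name alone."""
    findings = []
    if any(ch in BIDI_CONTROLS for ch in name):
        findings.append("bidi-override")
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        findings.append("executable-extension")
        if len(parts) > 2 and "." + parts[-2] in DECOY_EXTS:
            findings.append("double-extension")
    return findings


def inspect_attachment(attachment_name: str, data: bytes) -> dict:
    """Return findings for the container name and for every ZIP member."""
    report = {"attachment": attachment_name,
              "displayed_as": visual_name(attachment_name),
              "findings": name_findings(attachment_name),
              "members": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info)
            md5 = hashlib.md5(content).hexdigest()
            findings = name_findings(info.filename)
            if md5 in KNOWN_MD5S:
                findings.append("advisory-md5-match")
            if info.filename in ADVISORY_IOCS:
                findings.append("advisory-name-match")
            report["members"].append({"name": info.filename, "size": len(content),
                                      "md5": md5, "findings": findings})
    return report


def build_sample() -> tuple[str, bytes]:
    """Constructed sample, not a real capture: member names from the alert with
    harmless placeholder contents, so the hash check must NOT fire."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_658293759097294283823_93856978234729.oi.pdf.exe", b"placeholder")
        zf.writestr("Swift TT.scr", b"placeholder")
        zf.writestr("readme.txt", b"benign text")
    return "Transfer\u202efdp.zip", buf.getvalue()


if __name__ == "__main__":
    name, data = build_sample()
    report = inspect_attachment(name, data)
    print(f"{report['attachment']!r} displays as {report['displayed_as']!r}: {report['findings']}")
    for m in report["members"]:
        print(f"  {m['name']!r} {m['size']} B md5={m['md5']} {m['findings']}")
```

Run against a real attachment, `inspect_attachment(filename, open(path, "rb").read())` gives one record per member; an "advisory-md5-match" is a definite hit, while "bidi-override", "double-extension" and a bare "executable-extension" inside a mailed ZIP are strong heuristics that warrant quarantine regardless of hash.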

The following text is a sample of the email message that is associated with this threat outbreak:

Subject: You have received a secure message

Message Body:

KeyBank SecureMessage
Encryption
You have received a secure message
Read your secure message by opening the attachment, Secure_Message.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file
first, then open it in a Web browser. To access from a mobile device, forward this message to mobile@res.cisco.com to receive a mobile login URL.
First time users - will need to register after opening the attachment.
Help - hxxps://mailsafe.keybank.com/websafe/help?topic=RegEnvelope
About IronPort Encryption - hxxps://mailsafe.keybank.com/websafe/about
Sincerely,
Doris_Ritter

Or

Message Body:

Hello,
Just to notify you that we have made a payment to your company account for USD22,000.00 as instructed by our customer. If delayed in receiving the payment, kindly notify us for further actions.
Attached is the payment swift copy for your reference.
Please open Zip and click to RUN download, do check if your account details is writing correctly.
Please confirm receipt and feel free to contact me if anything.
Thanks and best regards,

Or

Message Body:

Dear Sir/Madam
Please find the attach copy as instructed the total amount was transferred to your account and please confirm back the invoice copy as
reference via office email as soon as you get this.
Please reply only through our new email address.
Thanks and regards,
Financial Accountant

Or

Subject: Ihre Telekom Mobilfunk RechnungOnline Monat Juni 2014 [Your Telekom Mobilfunk RechnungOnline bill for the month of June 2014]

Message Body (translated from German):

Telekom - experience what connects.
Your bill for June 2014
Dear Sir or Madam,
With this letter you receive a notification of your current bill. The amount due for June 2014 comes to: 325.86 euros.
Attached you will find the requested documents for your Mobilfunk RechnungOnline for June 2014.
This is an automatically generated e-mail. Please do not reply to it.
Kind regards
Ralf Hoßbach

Or

Message Body:

Good Day,
Herewith I sent you a copy of Bank Swift copy MT 103. Payment against the proforma invoice.
Please check with your bank and confirm date of shipment.
Thank you.
Best Regards,
Mr. Abdul Nasser Sokariah

Or

Subject: Transfer balance payment

Message Body:

Hello ,
Kindly find attached the outward remittance slip of the payment that was transferred to your account and let us know when the shipment will commence.
Regards.
We Sincerely Hope To Hear From You Soon
Thanks & Regards
Mr Hasbian.
Sales Manager

Cisco Security analysts examine real-world email traffic data that is collected from over 100,000 contributing organizations worldwide. This data helps provide a range of information about and analysis of global email security threats and trends. Cisco will continue to monitor this threat and automatically adapt systems to protect customers. This report will be updated if there are significant changes or if the risk to end users increases.

Cisco security appliances protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. Email that is managed by Cisco and end users who are protected by Cisco Web Security Appliances will not be impacted by these attacks. Cisco security appliances are automatically updated to prevent both spam email and hostile web URLs from being passed to the end user.

Related Links
Cisco Security
Cisco SenderBase Security Network


Revision History

Version | Description | Date
---|---|---
7 | Cisco Security has detected significant activity on August 18, 2014. | 2014-August-19 12:36 GMT
6 | Cisco Security has detected significant activity on August 14, 2014. | 2014-August-14 18:32 GMT
5 | Cisco Security has detected significant activity on June 25, 2014. | 2014-June-26 11:57 GMT
4 | Cisco Security has detected significant activity on May 28, 2014. | 2014-May-29 12:57 GMT
3 | Cisco Security has detected significant activity on April 16, 2014. | 2014-April-17 13:41 GMT
2 | Cisco Security has detected significant activity on December 13, 2013. | 2013-December-16 14:55 GMT
1 | Cisco Security has detected significant activity on November 19, 2013. | 2013-November-20 13:54 GMT

Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products