# Threat Outbreak Alert: Fake Secure Message Delivery Email Messages on August 18, 2014

Severity: Medium
Alert ID: 31830
First Published: 2013 November 20 13:54 GMT
Last Updated: 2014 August 19 12:36 GMT
Version: 7
Source: http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=31830
## Summary

Cisco Security has detected significant activity related to spam email messages that claim to contain a secure message for the recipient. The text in the email message attempts to convince the recipient to open the attachment and view the details. However, the _.zip_ attachment contains a malicious _.exe_ file that, when executed, attempts to infect the system with malicious code.
Email messages that are related to this threat (RuleID7942 and RuleID4626KVR) may contain the following files:

> Secure_Message.zip
> Secure_Message.exe
> invoice.zip
> invoice_658293759097294283823_93856978234729.oi.pdf.exe
> Swift TT.zip
> Swift TT.scr
> BANK SWIFT.zip
> BANK SWIFT.exe
> 2014_06rechnung_52249826995793_sign.zip
> Rechnung_25_14_06_8200630274520031_telekom_deutschland_GmbH_9281001.exe
> BANK SWIFT MT 103.zip
> mt111.exe
> Slip Confirm.zip
> Slip Confirm.exe
> Transfer‮fdp.zip
> TRANSF~1.EXE
The _Secure_Message.exe_ file in the _Secure_Message.zip_ attachment has a file size of 13,824 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x3B699A22A8A3706C9521E63F9F598B
The _invoice_658293759097294283823_93856978234729.oi.pdf.exe_ file in the _invoice.zip_ attachment has a file size of 90,795 bytes. The MD5 checksum is the following string: 0x5F694ED920503E2AF93E3094C612AF48
The _Swift TT.scr_ file in the _Swift TT.zip_ attachment has a file size of 485,936 bytes. The MD5 checksum is the following string: 0xBEC0B30DC38C31E1124437C1437F90D6
The _BANK SWIFT.exe_ file in the _BANK SWIFT.zip_ attachment has a file size of 725,096 bytes. The MD5 checksum is the following string: 0x674674219C8B1DCD562BCAF14C278DC4
The _Rechnung_25_14_06_8200630274520031_telekom_deutschland_GmbH_9281001.exe_ file in the _2014_06rechnung_52249826995793_sign.zip_ attachment has a file size of 132,096 bytes. The MD5 checksum is the following string: 0xCC5D51730DAED56D0D635921F7D84AC9
The _mt111.exe_ file in the _BANK SWIFT MT 103.zip_ attachment has a file size of 848,575 bytes. The MD5 checksum is the following string: 0x2E28C62D855A1C7872AFE7022398AB3A
The _Slip Confirm.exe_ file in the _Slip Confirm.zip_ attachment has a file size of 572,928 bytes. The MD5 checksum is the following string: 0xE58D8308034CD28F9101F05A02188A23
The _TRANSF~1.EXE_ file in the _Transfer‮fdp.zip_ attachment has a file size of 513,536 bytes. The MD5 checksum is the following string: 0x5DC3A4DC9F031A8049FA196ED9FCC049
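As an added defender-side example (not part of Cisco's alert), the check below triages a mail attachment against the indicators listed above: it flags an executable inside the .zip, a document-looking double extension such as .pdf.exe, a Unicode bidirectional override hidden in the attachment name (the _Transfer‮fdp.zip_ entry contains U+202E, so the trailing "fdp.zip" renders reversed and the name appears to end in .pdf), and a size-plus-MD5 match against the samples the alert lists. The zips it inspects are constructed in memory with harmless stand-in bytes; the decoy extensions other than .pdf and the finding tag names are assumptions.

```python
import hashlib
import io
import zipfile

# (size in bytes, MD5) -> inner file name, copied from the alert text. The first
# MD5 is kept exactly as printed there (30 hex digits), so it can never match.
ALERT_INDICATORS = {
    (13824, "3b699a22a8a3706c9521e63f9f598b"): "Secure_Message.exe",
    (90795, "5f694ed920503e2af93e3094c612af48"): "invoice_658293759097294283823_93856978234729.oi.pdf.exe",
    (485936, "bec0b30dc38c31e1124437c1437f90d6"): "Swift TT.scr",
    (725096, "674674219c8b1dcd562bcaf14c278dc4"): "BANK SWIFT.exe",
    (132096, "cc5d51730daed56d0d635921f7d84ac9"): "Rechnung_25_14_06_8200630274520031_telekom_deutschland_GmbH_9281001.exe",
    (848575, "2e28c62d855a1c7872afe7022398ab3a"): "mt111.exe",
    (572928, "e58d8308034cd28f9101f05a02188a23"): "Slip Confirm.exe",
    (513536, "5dc3a4dc9f031a8049fa196ed9fcc049"): "TRANSF~1.EXE",
}
EXEC_EXT = {"exe", "scr"}               # executable types named in the alert
DOC_EXT = {"pdf", "doc", "xls", "txt"}  # decoy extensions; only .pdf appears on the page (rest assumed)
# Unicode bidi embedding/override/isolate controls (U+202A..U+202E, U+2066..U+2069)
BIDI_CONTROLS = {chr(c) for c in range(0x202A, 0x202F)} | {chr(c) for c in range(0x2066, 0x206A)}


def payload_key(data):
    """Size and MD5 of a payload: the lookup key used for the alert's indicators."""
    return (len(data), hashlib.md5(data).hexdigest())


def triage_attachment(name, data, indicators=ALERT_INDICATORS):
    """Return sorted finding tags for one attachment given its name and raw bytes."""
    findings = set()
    if any(ch in BIDI_CONTROLS for ch in name):
        findings.add("bidi-override-in-name")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return sorted(findings)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            parts = info.filename.lower().rsplit("/", 1)[-1].split(".")
            if parts[-1] in EXEC_EXT:
                findings.add("executable-in-zip")
                if len(parts) >= 3 and parts[-2] in DOC_EXT:
                    findings.add("double-extension")
            # Match by size and MD5 rather than by name: the archive may carry
            # an 8.3 short name such as TRANSF~1.EXE instead of the lure name.
            key = payload_key(zf.read(info))
            if key in indicators:
                findings.add("known-sample:" + indicators[key])
    return sorted(findings)


def build_zip(inner_name, payload):
    """Build a one-file zip in memory (constructed test input, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    fake_exe = b"MZ" + b"\x00" * 62   # harmless stand-in bytes, not malware
    print(triage_attachment("invoice.zip", build_zip("invoice_658293759097294283823_93856978234729.oi.pdf.exe", fake_exe)))
    print(triage_attachment("Transfer\u202efdp.zip", build_zip("TRANSF~1.EXE", fake_exe)))
```

Because the lookup is keyed on size and hash, the check still fires when the inner file is renamed, which is exactly the case the alert's short-name entry illustrates.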
The following text is a sample of the email message that is associated with this threat outbreak:
> Subject: **You have received a secure message**
>
> Message Body:
>
> KeyBank SecureMessage
> Encryption
> You have received a secure message
> Read your secure message by opening the attachment, Secure_Message.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser. To access from a mobile device, forward this message to mobile@res.cisco.com to receive a mobile login URL.
> First time users - will need to register after opening the attachment.
> Help - hxxps://mailsafe.keybank.com/websafe/help?topic=RegEnvelope
> About IronPort Encryption - hxxps://mailsafe.keybank.com/websafe/about
> Sincerely,
> Doris_Ritter
Or
> Message Body:
>
> Hello,
> Just to notify you that we have made a payment to your company account for USD22,000.00 as instructed by our customer. If delayed in receiving the payment, kindly notify us for further actions.
> Attached is the payment swift copy for your reference.
> Please open Zip and click to RUN download, do check if your account details is writing correctly.
> Please confirm receipt and feel free to contact me if anything.
> Thanks and best regards,
Or
> Message Body:
>
> Dear Sir/Madam
> Please find the attach copy as instructed the total amount was transferred to your account and please confirm back the invoice copy as reference via office email as soon as you get this.
> Please reply only through our new email address.
> Thanks and regards,
> Financial Accountant
Or
> Subject: **Ihre Telekom Mobilfunk RechnungOnline Monat Juni 2014** (Your Telekom Mobilfunk RechnungOnline for the month of June 2014)
>
> Message Body:
>
> Telekom - experience what connects.
> Your bill for June 2014
> Dear Sir or Madam,
> This letter notifies you of your current bill. The amount due for June 2014 is: 325,86 Euro.
> Attached you will find the requested documents for your Mobilfunk RechnungOnline for June 2014.
> This is an automatically generated e-mail. Please do not reply to it.
> Kind regards
> Ralf Hoßbach
Or
> Message Body:
>
> Good Day,
> Herewith I sent you a copy of Bank Swift copy MT 103. Payment against the proforma invoice.
> Please check with your bank and confirm date of shipment.
> Thank you.
> Best Regards,
> Mr. Abdul Nasser Sokariah
Or
> Subject: **Transfer balance payment**
>
> Message Body:
>
> Hello ,
> Kindly find attached the outward remittance slip of the payment that was transferred to your account and let us know when the shipment will commence.
> Regards.
> We Sincerely Hope To Hear From You Soon
> Thanks & Regards
> Mr Hasbian.
> Sales Manager
Cisco Security analysts examine real-world email traffic data that is collected from over 100,000 contributing organizations worldwide. This data helps provide a range of information about and analysis of global email security threats and trends. Cisco will continue to monitor this threat and automatically adapt systems to protect customers. This report will be updated if there are significant changes or if the risk to end users increases.
Cisco security appliances protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. Email that is managed by Cisco and end users who are protected by Cisco Web Security Appliances will not be impacted by these attacks. Cisco security appliances are automatically updated to prevent both spam email and hostile web URLs from being passed to the end user.
**Related Links**
[Cisco Security](<http://www.cisco.com/security>)
[Cisco SenderBase Security Network](<http://www.senderbase.org/>)
## Revision History

Version | Description | Section | Date
---|---|---|---
7 | Cisco Security has detected significant activity on August 18, 2014. | | 2014-August-19 12:36 GMT
6 | Cisco Security has detected significant activity on August 14, 2014. | | 2014-August-14 18:32 GMT
5 | Cisco Security has detected significant activity on June 25, 2014. | | 2014-June-26 11:57 GMT
4 | Cisco Security has detected significant activity on May 28, 2014. | | 2014-May-29 12:57 GMT
3 | Cisco Security has detected significant activity on April 16, 2014. | | 2014-April-17 13:41 GMT
2 | Cisco Security has detected significant activity on December 13, 2013. | | 2013-December-16 14:55 GMT
1 | Cisco Security has detected significant activity on November 19, 2013. | | 2013-November-20 13:54 GMT
* * *
## Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products