Threat Outbreak Alert: Fake Product Sample Order Email Messages on June 23, 2014

2014-03-03T14:49:57
ID CISCO-THREAT-33149
Type ciscothreats
Reporter Cisco
Modified 2014-06-25T13:05:21

Description

Medium

Alert ID: 33149
First Published: 2014 March 3 14:49 GMT
Last Updated: 2014 June 25 13:05 GMT
Version: 20

Summary

  • Cisco Security has detected significant activity related to spam email messages that claim to contain a product sample order for the recipient. The text in the email message attempts to convince the recipient to open the attachment and view the details. However, the .zip attachment contains a malicious executable (a .exe or .scr file, usually named with a decoy document or image extension such as .pdf.exe) that, when executed, attempts to infect the system with malicious code.

Email messages that are related to this threat (RuleID4961KVR) may contain the following files:

> ProductSample 7.zip
ProductSample.pdf.exe
Sales Receipt.zip
Sales Receipt.pdf.scr
Catelog.jpg.zip
Catelog.jpg.exe
Postal_receipt_FORM_03_2014.xls.zip
Postal_receipt_FORM_03_2014.xls.scr
PO DETAILS.zip
Balance details&New P.O.pdf.scr
quotation.xls.zip
quotation.xls.exe
QUOTATION.pdf.zip
QUOTATION.pdf.exe
FedEx_G6HE45HR6R.pdf.zip
FedEx_G6HE45HR6R.pdf.exe
fax.zip
fax.pdf.exe

FedEx_G7BE39OP5E.pdf.zip
FedEx_G7BE39OP5E.pdf.exe.exe

Receipt_25th_april.zip
Receipt_25th_april.rar.scr

FedEx_EB6VS40LJ9DV.PDF.zip
FedEx_EB6VS40LJ9DV.PDF.exe
BANK DETAILS.zip
New_Purchase_Order_xls.exe
report.zip
report_7883hd.pdf.exe
report.77848gg.pdf.exe
Payment.zip
Document_Attached-pdf.exe
Order Samples.jpg.zip
Order Samples.jpg.scr

report_889393.pdf.exe
PI783892-pdf.zip
PI783892-pdf.exe
Report.png.zip
Report.png.scr

OriginalDocument-pdf.zip
document47777778349don.exe
POcatalog.xl.zip
POcatalog.xl.exe
order_report.zip
order_report.FG42342378423.pdf.exe

agb_electronis.de_2014-06-05_amazon.pdf.zip
agb_electronis.de_2014-06-05_amazon.pdf.exe
photo.zip
photo.jpeg.scr
Balance_sheet_pdf.zip
Balance_sheet_pdf.scr

Sample_Order_pdf.zip
Sample_Order_pdf.exe

Purchase Order_pdf.zip
Purchase Order_pdf.exe

The ProductSample.pdf.exe file in the ProductSample 7.zip attachment has a file size of 1,089,088 bytes. The MD5 checksum is the following string: 0xF91378D04710C4144A4D166D05387F39

The Sales Receipt.pdf.scr file in the Sales Receipt.zip attachment has a file size of 695,808 bytes. The MD5 checksum is the following string: 0x7A0ACA1A09816837B992D32DA4CD66B2

The Catelog.jpg.exe file in the Catelog.jpg.zip attachment has a file size of 1,530,368 bytes. The MD5 checksum is the following string: 0x91B4AA29FFE24A5E754CD022835458F2

The Postal_receipt_FORM_03_2014.xls.scr file in the Postal_receipt_FORM_03_2014.xls.zip attachment has a file size of 82,944 bytes. The MD5 checksum is the following string: 0x047C441E5B6C57F2917C1084D9D7374C

The Balance details&New P.O.pdf.scr file in the PO DETAILS.zip attachment has a file size of 1,128,840 bytes. The MD5 checksum is the following string: 0x5A82E484A314F0722336DD1B6AECF9AB

The quotation.xls.exe file in the quotation.xls.zip attachment has a file size of 229,888 bytes. The MD5 checksum is the following string: 0xE0BF198FC61FEB72A0D0263BBFF68C7C

The QUOTATION.pdf.exe file in the QUOTATION.pdf.zip attachment has a file size of 2,132,943 bytes. The MD5 checksum is the following string: 0xEE92567B60615D5A94564C8BC51C05AC

The FedEx_G6HE45HR6R.pdf.exe file in the FedEx_G6HE45HR6R.pdf.zip attachment has a file size of 110,592 bytes. The MD5 checksum is the following string: 0x4A0708447414EE097962AE2E779BAA29

The fax.pdf.exe in the fax.zip file has a file size of 139,264 bytes. The MD5 checksum is the following string: 0xDD87219F217780B860AB706A16AFE596

The FedEx_G7BE39OP5E.pdf.exe.exe file in the FedEx_G7BE39OP5E.pdf.zip attachment has a file size of 106,496 bytes. The MD5 checksum is the following string: 0x12090B5F399D9B8A83382F8D90A344A2

The Receipt_25th_april.rar.scr file in the Receipt_25th_april.zip attachment has a file size of 107,008 bytes. The MD5 checksum is the following string: 0xB298E23B6B57B4BC5F7580F6EE580770

The FedEx_EB6VS40LJ9DV.PDF.exe file in the FedEx_EB6VS40LJ9DV.PDF.zip attachment has a file size of 110,592 bytes. The MD5 checksum is the following string: 0x365B48CD121F930E1B48E0B28DE511F8

The New_Purchase_Order_xls.exe file in the BANK DETAILS.zip attachment has a file size of 266,752 bytes. The MD5 checksum is the following string: 0x18C423C4D3C24E3BC69BE6523EC1AC03

The report_7883hd.pdf.exe in the report.zip file has a file size of 112,640 bytes. The MD5 checksum is the following string: 0x200CF8FDC11DFC9EF37950DBB7894788

The report.77848gg.pdf.exe in the report.zip file has a file size of 102,400 bytes. The MD5 checksum is the following string: 0xCF6333B7E04CA9D6CA133C926F17C003

The Document_Attached-pdf.exe in the Payment.zip file has a file size of 1,246,409 bytes. The MD5 checksum is the following string: 0x9E3A305334D97FC9ED63AD6C29F2E3BA

The Order Samples.jpg.scr in the Order Samples.jpg.zip file has a file size of 295,936 bytes. The MD5 checksum is the following string: 0x8BDD8562FC76B169FD535928BC9C58AB

The report_889393.pdf.exe file in the report.zip attachment has a file size of 90,112 bytes. The MD5 checksum is the following string: 0xB4032BF341821FEC13B23EACDD321BBB

The PI783892-pdf.exe file in the PI783892-pdf.zip attachment has a file size of 1,283,757 bytes. The MD5 checksum is the following string: 0x61CECD13F1A2E7F02B7EB7208D4C2E1F

The Report.png.scr file in the Report.png.zip attachment has a file size of 131,072 bytes. The MD5 checksum is the following string: 0x8F9E8F60F38B7ECB0408224C1469D253

The document47777778349don.exe file in the OriginalDocument-pdf.zip attachment has a file size of 526,336 bytes. The MD5 checksum is the following string: 0x7E2ABD54E9FC129527CC9AECA1997222

The POcatalog.xl.exe file in the POcatalog.xl.zip attachment has a file size of 242,176 bytes. The MD5 checksum is the following string: 0xD72A19014516242D94F604CDDFE6A906

The order_report.FG42342378423.pdf.exe file in the order_report.zip attachment has a file size of 92,160 bytes. The MD5 checksum is the following string: 0x60BAAA838D6AC5F8F304DB5D6EA8847D

The agb_electronis.de_2014-06-05_amazon.pdf.exe file in the agb_electronis.de_2014-06-05_amazon.pdf.zip attachment has a file size of 273,920 bytes. The MD5 checksum is the following string: 0x15C4A82D95B8B368687075E7080927C0

The photo.jpeg.scr file in the photo.zip attachment has a file size of 116,736 bytes. The MD5 checksum is the following string: 0x3082293905262F35E94A6BC980430775

The Balance_sheet_pdf.scr file in the Balance_sheet_pdf.zip attachment has a file size of 153,600 bytes. The MD5 checksum is the following string: 0x167F16C8AE349CFB7D450CDF335DD9CA

The Sample_Order_pdf.exe file in the Sample_Order_pdf.zip attachment has a file size of 590,336 bytes. The MD5 checksum is the following string: 0x87CFA041FFECD00B4DAA0B4BBC0793B2

The Purchase Order_pdf.exe in the Purchase Order_pdf.zip file has a file size of 390,801 bytes. The MD5 checksum is the following string: 0x8D244B7AE1B425D8DC094D9BF651ECB9
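Every attachment in the list above follows the same pattern: a .zip wrapping a .exe or .scr whose name carries a decoy document or image extension (.pdf.exe, .xls.scr, .jpg.scr) or a decoy spelled with an underscore or hyphen (Sample_Order_pdf.exe, PI783892-pdf.exe). The following triage script is an added example written for this page, not Cisco's tooling: it walks an RFC 822 message, opens each zip attachment, flags members that match that naming pattern, and compares each member's size and MD5 against a subset of the indicators copied from this alert. The lure email and the zip it carries are constructed inline so the script runs offline; the .pif and .com extensions are an assumption beyond the alert's own list, and the IOC table holds only four of the alert's hashes.

```python
"""Triage zip-attached executables of the kind listed in this alert (added example)."""
import email
import hashlib
import io
import re
import zipfile
from email.message import EmailMessage
from email.policy import default

# Indicators copied from the alert body: member name -> (size in bytes, MD5 hex).
# Only a subset is included; extend it from the alert as needed.
KNOWN_BAD = {
    "ProductSample.pdf.exe": (1089088, "f91378d04710c4144a4d166d05387f39"),
    "Sales Receipt.pdf.scr": (695808, "7a0aca1a09816837b992d32da4cd66b2"),
    "fax.pdf.exe": (139264, "dd87219f217780b860ab706a16afe596"),
    "photo.jpeg.scr": (116736, "3082293905262f35e94a6bc980430775"),
}

# .exe and .scr are what the alert lists; .pif and .com are an added assumption,
# since Windows runs them as executables too.
EXEC_EXT = {".exe", ".scr", ".pif", ".com"}
# Decoy extensions the lure names imitate (all taken from the alert's file list).
DECOY_EXT = {".pdf", ".xls", ".xl", ".jpg", ".jpeg", ".png", ".rar", ".doc"}


def classify_name(name):
    """Return 'double-extension', 'executable', or None for a zip member name."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    if len(parts) < 2 or "." + parts[-1] not in EXEC_EXT:
        return None
    # Sales Receipt.pdf.scr, FedEx_...pdf.exe.exe: a decoy extension before the real one
    if any("." + p in DECOY_EXT for p in parts[1:-1]):
        return "double-extension"
    # New_Purchase_Order_xls.exe, PI783892-pdf.exe: decoy glued on with _ or -
    if re.search(r"[-_](pdf|xls|jpg|jpeg|png|doc)$", parts[-2]):
        return "double-extension"
    return "executable"


def triage_zip(data):
    """Inspect raw zip bytes; return one finding per suspicious member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            kind = classify_name(info.filename)
            if kind is None:
                continue
            content = zf.read(info)
            md5 = hashlib.md5(content).hexdigest()
            known = KNOWN_BAD.get(info.filename.rsplit("/", 1)[-1])
            findings.append({
                "member": info.filename,
                "kind": kind,
                "size": len(content),
                "md5": md5,
                # Exact match on the alert's size + MD5 pair for this member name
                "ioc_match": known is not None and known == (len(content), md5),
            })
    return findings


def triage_message(raw):
    """Walk a raw RFC 822 message; return findings for every zip attachment."""
    msg = email.message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True)
        if not payload:
            continue
        # Trust the magic bytes, not just the declared name
        if fname.lower().endswith(".zip") or payload[:2] == b"PK":
            for f in triage_zip(payload):
                f["attachment"] = fname
                findings.append(f)
    return findings


def build_sample():
    """Constructed sample (not from the alert): a lure email with a zip attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Sales Receipt.pdf.scr", b"MZ" + b"\x00" * 64)  # fake PE stub
        zf.writestr("readme.txt", b"harmless")
    msg = EmailMessage()
    msg["Subject"] = "Sales Receipt 103009"
    msg["From"] = "orders@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg.set_content("Invoice details is in the attached ZIP-archive.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Sales Receipt.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample()):
        print(finding)
```

Two points on the design. The name pattern is the durable signal: it fires on every attachment in the alert's list regardless of which version of the dropper is inside, whereas the size and MD5 pair only identifies the exact samples Cisco captured. MD5 is used here because it is the only hash the alert publishes; it is adequate as a lookup key for known samples but not collision-resistant, so a hash miss is not a clean bill of health, and an environment that can block .exe and .scr members inside zip attachments outright should do so rather than rely on the indicator table.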

The following text is a sample of the email message that is associated with this threat outbreak:

> Message Body:

Dear sir
How are you hope all is well with you,
Attach is our product sample order kindly check and confirm with us as our
Boss ask to inquiry from your company please offer us your best price as we
are waiting your responses in return mail asap.
Regards Michelle

Or

> Subject: Sales Receipt 103009

Message Body:

Good morning!
Order Number: 10022917
Contents of your purchase:
Cart ID: 3603
Vendor Product ID: TZ-106351
Product Description: Vendor site cart purchase
Product Name: Cart Purchase
Quantity: 1
Your payment method is: Credit Card.
Total: 321.11 ( USD )
Invoice details is in the attached ZIP-archive.

Or

> Message Body:

Dear Sir,
Attached is our products catelog for new order please send us your best price attached with the PI for the order.
Do not forget to include in the PI for payment:
a). CIF
b). MOQ
c). Expected Delivery date from Payment Date
d). Payment Terms (T/T, DP or LC)
Note that an urgent response will be appreciated we are keeping our
customers waiting.
We hope that the above prices will meet your requirement and look forward
for your kind and valued order.

Or

> Subject: Your parcel N1259080 has arrived

Message Body:

Good afternoon!
Your parcel has arrived at March 4034547637547th, 2014. Courier was unable to deliver the parcel to you.
Check the tracking ID and print the postal receipt from the attached ZIP-file.

Or

> Subject: Fwd: Fwd: Re: Shiment Order PO900987...

Message Body:

Dear Sir:
Attached is our purchase order PO900987.
Please arrange services and/or shipment per instructions on the attached.

Or

> Message Body:

Hello,
Please find attached our Purchase order.
Please treat as urgent.We hope to hear from you as soon as possible.
Shadi

Or

> Subject: Fedex: Some important information is lacking

Message Body:

FEDEX VERIFICATION
We have a pack for you!
Regrettably some significant info is missing to complete the delivery!
Please accomplish the documents attached to confirm your identity.
We greatly recommend you to do it right now!!
You have 24 hours to compleate the verification! Otherwise the package will be returned to sender!
Order verification number: 560612156
Order time: Wed, 23 Apr 2014 13:40:12 +0100
Thanks for choosing FedEx.

Or

> Subject: Some significant info is lost

Message Body:

FEDEX VERIFICATION
Dear compta@serviacom.fr:
Fedex have a pack for you!
Unfortunately some significant information is missing to terminate the delivery.
Please complete the file binded to confirm your personality!
We highly recommend you to do it right now!!
You have 24 hours to compleate the confirmation! Otherwise the package will be returned to sender!
Order verification #: 70

Or

> Subject: Thank you for your deposit N 1123070

Message Body:

Good evening!
Thanks for depositing $ 62.85 to your account on our service.
Attached is your ticket. Make sure to keep it for your records.
Very truly yours,
The Paymer team

Or

> Message Body:

Please look into all the pending invoices; and effect payment ASAP as
all
bill is long over dued.
Your payment would be highly appreciated.
Please only effect payment through our attached Bank Details
Thanks for your cooperation
Best Regards.

Or

> Subject: Fw: Order details RT12752

Message Body:

I hope I am doing the correct thing forwarding this sort of email to you - - someone should stop the people who are sending them

Or

> Subject: Order details RT38223

Message Body:

Good morning,
Thanks for your order. Well let you know once your item(s) have dispatched.You can check the status of your order or make changes to it by visiting Your Orders on Amazon.com.
Order Details
Order UC8765443 Placed on February 11, 2014
Order details and invoice in attached file.
Need to make changes to your order? Visit our Help page for more information and video guides.

Or

> Message Body:

Good day,
We are looking for reliable supplier that can supply us quality product
for us to maintain our quality in the Global market.
Therefore we would want you to view the list of the items that we want to
purchase and confirm the available quantity.
kindly download and view the products we would want to purchase on our
first order and let me know if they are available .
Do confirm your preferred payment method.

Or

> Subject: NEW ORDER

Message Body:

Dear Partner,
See a list of NEW ORDER which we want to buy from you, check and send
Proforma Invoice immediately for payment.
I will be waiting for your urgent reply.
Thanks with regards
Les Bruce

Or

> Subject: Weekly activity account report

Message Body:

There is your individual account activity details in the attached ZIP-archive.
Please revise it.

Or

> Subject: NEW PO Catalog attached to this mail.

Message Body:

Dear Supplier,
we are wholesale trading company specialized in sourcing and procurement of products. We will like to make
a purchase of your company's product. The Attached contains our Purchase Order, kindly follow it to access and download all documents associated the Purchase Order.
For material# 7M-010-91G
Quote for all items in the Purchase Order and also quote for your MOQ.
Your prompt reply will be highly appreciated.
Regards,
TAPAS KUMAR

Cisco Security analysts examine real-world email traffic data that is collected from over 100,000 contributing organizations worldwide. This data helps provide a range of information about and analysis of global email security threats and trends. Cisco will continue to monitor this threat and automatically adapt systems to protect customers. This report will be updated if there are significant changes or if the risk to end users increases.

Cisco security appliances protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. Email that is managed by Cisco and end users who are protected by Cisco Web Security Appliances will not be impacted by these attacks. Cisco security appliances are automatically updated to prevent both spam email and hostile web URLs from being passed to the end user.

Related Links
Cisco Security
Cisco SenderBase Security Network

Revision History

Version | Description | Section | Date
---|---|---|---
20 | Cisco Security has detected significant activity on June 23, 2014. | | 2014-June-25 13:05 GMT
19 | Cisco Security has detected significant activity on June 22, 2014. | | 2014-June-23 14:46 GMT
18 | Cisco Security has detected significant activity on June 9, 2014. | | 2014-June-10 12:41 GMT
17 | Cisco Security has detected significant activity on May 26, 2014. | | 2014-May-28 12:54 GMT
16 | Cisco Security has detected significant activity on May 19, 2014. | | 2014-May-20 12:45 GMT
15 | Cisco Security has detected significant activity on May 16, 2014. | | 2014-May-19 13:15 GMT
14 | Cisco Security has detected significant activity on May 11, 2014. | | 2014-May-13 14:07 GMT
13 | Cisco Security has detected significant activity on May 8, 2014. | | 2014-May-12 12:27 GMT
12 | Cisco Security has detected significant activity on May 7, 2014. | | 2014-May-08 14:20 GMT
11 | Cisco Security has detected significant activity on May 2, 2014. | | 2014-May-05 12:19 GMT
10 | Cisco Security has detected significant activity on April 29, 2014. | | 2014-April-30 18:55 GMT
9 | Cisco Security has detected significant activity on April 25, 2014. | | 2014-April-28 12:50 GMT
8 | Cisco Security has detected significant activity on April 24, 2014. | | 2014-April-25 16:52 GMT
7 | Cisco Security has detected significant activity on April 23, 2014. | | 2014-April-24 12:26 GMT
6 | Cisco Security has detected significant activity on April 16, 2014. | | 2014-April-18 12:53 GMT
5 | Cisco Security has detected significant activity on April 16, 2014. | | 2014-April-17 13:26 GMT
4 | Cisco Security has detected significant activity on April 10, 2014. | | 2014-April-11 12:34 GMT
3 | Cisco Security has detected significant activity on April 8, 2014. | | 2014-April-10 14:11 GMT
2 | Cisco Security has detected significant activity on March 28, 2014. | | 2014-March-31 13:58 GMT
1 | Cisco Security has detected significant activity on March 1, 2014. | | 2014-March-03 14:49 GMT

Legal Disclaimer

  • THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products