Threat Outbreak Alert RuleID16955: Email Messages Distributing Malicious Software on October 12, 2015

2015-07-27T22:33:57
ID CISCO-THREAT-40155
Type ciscothreats
Reporter Cisco
Modified 2015-10-12T18:14:42

Description

Medium

Alert ID: 40155

First Published: 2015 July 27 22:33 GMT

Last Updated: 2015 October 12 18:14 GMT

Version: 5

Summary

  • Cisco Security has detected significant activity related to spam email messages distributing malicious software.

Email messages that are related to this threat (RuleID16955 and RuleID16955KVR) may contain the following files:

Attachment / Extracted File | Size in Bytes | MD5 Checksum
---|---|---
PO 23465008.pdf.7z / PO 23465008.exe | 358,912 | 0x0B31DA8E8D0FEFF572DC93D3E6B94D3F
PO #100890778.7z / PO #100890778.exe | 319,488 | 0x20709BE06BF323B383BA5A65DD31D902
copy.zip / copy.exe | 323,584 | 0x3A7B97C5FF0267C164315A96018F019F
Payment.zip / Payment.exe | 801,792 | 0x8E1FE90142A603406FB58A11C2D10502
Order-t32B7650.zip / Order-t32B7650.exe | 118,784 | 0xB6FF7485E6D8270769AA2317534F7EF3
CPSOG Sample inquiry 21Sept 2015.zip / CPSOG Sample inquiry 21Sept 2015.exe | 638,464 | 0x18FCC83FD2066B9C1645D5572ED66EBA
Global traders Order.zip / IW 51078 trading Order 2015-09-22.exe | 486,912 | 0x9ED201589C18B3B2A744D7DAF6B8762E
COPY_0114-jpg.zip / COPY_0114-jpg.exe | 371,712 | 0xB0C6DE83D48BB9E7CA6B8F703CD8DFDB
Balance Payment.zip / TT.exe | 237,568 | 0x9CC179344CBF61200879E5A96EA4E94C
Payment Invoice.2zip.zip / Revised PO.exe | 469,504 | 0x6376F23C5648F265D31354715B8A7E72
Order.zip / Order.scr | 450,640 | 0xC47FBE0DC238BB7A0EC4A6D73E460292
purchase order 2.zip / Purchase-order.exe | 177,152 | 0x4E5A740069F6708F6117FF92AA774E41
PaymentAdvice_Ref #[B852616111].zip / PaymentAdvice_Ref #[B859963054].scr | 38,912 | 0x19E877280BA706D700CE91B8F00781A2
Extra payment eFax.zip / Direct tax documentation.exe | 34,304 | 0xC1D314EE40751607C3EAACC51870B377

The sizes and checksums refer to the extracted executable, not to the archive that carries it. Every lure in this outbreak wraps an .exe or .scr in an archive and, in several cases, pads the name with a decoy extension (".pdf.7z", "-jpg.exe") so that a viewer that hides known extensions shows a document or image name.
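A gateway or incident-response script can turn the table above into a check. The following Python is an added example written for this page, not Cisco's code: it carries the alert's MD5 and size indicators, opens ZIP attachments in memory, hashes every member, and flags the two naming tricks the lures use (an executable extension, and a decoy document or image extension placed before the real one). The extension lists, the 50 MB per-member cap, the constructed sample archive and the helper names are assumptions of this example; .7z and .rar are not readable with the standard library, so they are only flagged for manual inspection. MD5 is used here solely because that is what the alert publishes, not as an integrity primitive.

```python
"""Added example: match mail attachments against the alert's indicators.

Not part of the Cisco alert. Hashes and sizes in ALERT_MD5 are transcribed
from the alert's table; every heuristic and constant below is illustrative.
"""
import hashlib
import io
import os
import zipfile

# MD5 -> (extracted file name, size in bytes), from the alert's table.
ALERT_MD5 = {
    "0b31da8e8d0feff572dc93d3e6b94d3f": ("PO 23465008.exe", 358912),
    "20709be06bf323b383ba5a65dd31d902": ("PO #100890778.exe", 319488),
    "3a7b97c5ff0267c164315a96018f019f": ("copy.exe", 323584),
    "8e1fe90142a603406fb58a11c2d10502": ("Payment.exe", 801792),
    "b6ff7485e6d8270769aa2317534f7ef3": ("Order-t32B7650.exe", 118784),
    "18fcc83fd2066b9c1645d5572ed66eba": ("CPSOG Sample inquiry 21Sept 2015.exe", 638464),
    "9ed201589c18b3b2a744d7daf6b8762e": ("IW 51078 trading Order 2015-09-22.exe", 486912),
    "b0c6de83d48bb9e7ca6b8f703cd8dfdb": ("COPY_0114-jpg.exe", 371712),
    "9cc179344cbf61200879e5a96ea4e94c": ("TT.exe", 237568),
    "6376f23c5648f265d31354715b8a7e72": ("Revised PO.exe", 469504),
    "c47fbe0dc238bb7a0ec4a6d73e460292": ("Order.scr", 450640),
    "4e5a740069f6708f6117ff92aa774e41": ("Purchase-order.exe", 177152),
    "19e877280ba706d700ce91b8f00781a2": ("PaymentAdvice_Ref #[B859963054].scr", 38912),
    "c1d314ee40751607c3eaacc51870b377": ("Direct tax documentation.exe", 34304),
}

# Assumed lists, not exhaustive: what Windows runs on double-click, what lures
# use as a decoy in front of the real extension, and archives we cannot open.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg", ".png", ".txt"}
OPAQUE_ARCHIVE_EXTS = {".7z", ".rar"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # assumed cap so a zip bomb is not inflated


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def name_findings(name: str) -> list:
    """Findings from the file name alone."""
    base = os.path.basename(name.replace("\\", "/")).lower()
    root, ext = os.path.splitext(base)
    findings = []
    if ext in EXECUTABLE_EXTS:
        findings.append("executable-extension")
    # "PO 23465008.pdf.7z" hides the decoy behind a dot, "COPY_0114-jpg.exe" behind a dash.
    inner = os.path.splitext(root)[1]
    if inner in DECOY_EXTS or any(root.endswith("-" + d[1:]) for d in DECOY_EXTS):
        findings.append("decoy-double-extension")
    if ext in OPAQUE_ARCHIVE_EXTS:
        findings.append("opaque-archive")
    return findings


def content_findings(name: str, data: bytes, known_bad=ALERT_MD5) -> list:
    """Findings from the bytes: indicator match, or a PE header under a non-executable name."""
    findings = []
    digest = md5_hex(data)
    if digest in known_bad:
        findings.append("alert-md5:" + known_bad[digest][0])
    if data[:2] == b"MZ" and os.path.splitext(name.lower())[1] not in EXECUTABLE_EXTS:
        findings.append("pe-header-under-non-executable-name")
    return findings


def scan_attachment(name: str, data: bytes, known_bad=ALERT_MD5) -> dict:
    """Return {file name: [findings]} for the attachment and, if it is a ZIP, each member."""
    report = {name: name_findings(name) + content_findings(name, data, known_bad)}
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.file_size > MAX_MEMBER_BYTES:
                    report[info.filename] = ["member-too-large"]
                    continue
                member = zf.read(info)
                report[info.filename] = (name_findings(info.filename)
                                         + content_findings(info.filename, member, known_bad))
    return report


def is_suspicious(report: dict) -> bool:
    return any(report.values())


def build_sample_zip() -> bytes:
    """Constructed sample (not the real malware): a PE-looking member with the lure's
    decoy name next to a harmless PDF-looking member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("COPY_0114-jpg.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("invoice.pdf", b"%PDF-1.4\n%%EOF\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in scan_attachment("COPY_0114-jpg.zip", build_sample_zip()).items():
        print(member, findings or "clean")
```

Real samples will not hash to the constructed payload, so the hash path is exercised by passing a caller-supplied `known_bad` table; in production the table would be the alert's list plus whatever local sandboxing has added. The name heuristics fire on their own, which is the point: the outbreak's files are caught by the archive-wrapped executable and double-extension patterns before any hash is known.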

The following text is a sample of the email message that is associated with this threat outbreak:

> Subject: PO 23465008

Message Body:

Good day,
Attached is our new PO.
Please advise delivery date of both orders on attachment.
Awaiting your early response to enable our account department to process
your payment.
Thanks & regards

Or

> Subject: PO#100890778.7z.rar

Message Body:

Sir,
Please find enclosed herewith our new order.
We look forward to receive a pro-forma invoice.
Thank You

Or

> Subject: PO 26860 & Invoice 30151

Message Body:

FYI

Or

> Subject: Revised invoice:

Message Body:

Dear,
I called your office number, but no responds Kindly Check why the two
Invoice you send to us has different Bank details,
after you send invoice to us, we receive another invoice with
different Bank details Confirm and send me the Correct Bank details
in a revised invoice, also cc to this email.
Your soonest reply will be appreciated
Thanks Regards,

Or

> Subject: Order List

Message Body:

Good Day,
Here is our order. Please do bear in mind that we are very much
in need of this order,If you can finish on or before 30 days, we will
make another order immediately.
Waiting for your reply.
Thank you.
Regards,

Or

> Subject: CPSOG SAMPLE INQUIRY [1015 RIO18] / ANGOLA

Message Body:

Good Morning.
I am Isabel from CPSOG in Angola,
we know you produce and supply materials that are within our scope of purchase...
kindly go through our attached listed specifications for sample order
from your esteemed company and revert back to us.
Hence we hope to establish a long term business relationship with your esteemed company
and we hope to share profitable margin in the nearest future.
Feel free to inform us about any further clarification as per our request.
Regards

Or

> Subject: QUOTE NUMBER: 51078

Message Body:

Good day,
We would like to know if you have the item listed on QUOTE NUMBER: IW 51078.
in the attachment file
we plan to make Order this week.
We intend to get around to get this together with good price.
Thanks.

Or

> Subject: eNotification: Label Number DHL727D5151D010915

Message Body:

Dear customer,
We attempted to deliver your item at 10:10 AM on Monday Sept 21st 2015.
(Read enclosed file detail)
The delivery attempt failed because nobody was present at the shipping address,
so this notify has been automatically sent.
If the parcel is not scheduled for redeliver or picked up within 72 hours,
it will be returned to the sender.
Label Number: E727D5151D
Expected Delivery Date: Monday Sept 21st 2015
Class: Package Services
Service(s): Delivery Confirmation
Status: eNotification sent
Read the enclosed file for details.
Thank you,

Or

> Subject: Balance Payment

Message Body:

Today we have able to remit the total amount of US$ 51,704.97 to your
account. Details of our payments are as follows:
Cont. #41 SPV001/April/15 US$34,299.13 - 11,748.82 (50% disc. For R008 &
R016) = Cont. #42 EXSQI013/May/5 US$29,154.66
--------------------
Total Remittance: US$ 51,704.97
Attached is the TT copy, check with your bank and let us know when you will
proceed with shipment.
Thank you very much.
Best regards,
YONJIA TENG (Ms) | Head of Sales
Procurement Division

Or

> Subject: please update virus signature

Or

> Subject: New Order

Message Body:

Good Day,
How are you today?
I got your contact email from one of my supplier.
Please find attached our Purchase Order,and send me quotation including
FOB, MOQ.
Look forward to your urgent reply
Thanks

Or

> Subject: purchase order

Message Body:

Hello,
Please quote the attached RFQ FOR Saudi Basis.
Kindly confirm if it will be possible to receive the complete offer
withing two(2) days? Send with the technical details & commercial offer
as stated.
Thanks,

Or

> Subject: Extra payment eFax

Message Body:

Dear customer,
New software invoice

> Cisco security appliances can help protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. Cisco Web Security Appliances help secure and control web and email traffic by offering layers of malware protection. Cisco security appliances are automatically updated to help prevent both spam email and hostile web URLs from being passed to the end user.

Related Links
Cisco Security
Cisco SenderBase Security Network

Revision History

Version | Description | Section | Date
---|---|---|---
5 | Cisco Security has detected significant activity on October 12, 2015. | | 2015-October-12 18:14 GMT
4 | Cisco Security has detected significant activity on September 22, 2015. | | 2015-September-24 11:28 GMT
3 | Cisco Security has detected significant activity on September 22, 2015. | | 2015-September-23 12:31 GMT
2 | Cisco Security has detected significant activity on September 21, 2015. | | 2015-September-22 12:30 GMT
1 | Cisco Security has detected significant activity on July 26, 2015. | | 2015-July-27 22:33 GMT

Legal Disclaimer

  • THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products