Threat Outbreak Alert RuleID18533: Email Messages Distributing Malicious Software on October 8, 2015

2015-10-07T19:29:24
ID CISCO-THREAT-41426
Type ciscothreats
Reporter Cisco
Modified 2015-10-08T13:49:38

Description

Medium

Alert ID: 41426

First Published: 2015 October 7 19:29 GMT

Last Updated: 2015 October 8 13:49 GMT

Version: 2

Summary

  • Cisco Security has detected significant activity related to spam email messages distributing malicious software.

Email messages that are related to this threat (RuleID18533 and RuleID18533KVR) may contain the following files:

Name | Size in Bytes | MD5 Checksum
---|---|---
fax_9397811_138772686_Internet.zip / 518443736449.exe | 23,040 | 0xEE2966BE1C473827C28D22BBDA0D3A4D
fax_086531948_0341983892_Internet.zip / 997868581118.exe | 23,040 | 0xAC7521F6D475A5292970CE7C9C17713E
131202_858506.zip / 866358222578.exe | 52,224 | 0xA3B4BBA828DD9CC34CF4ADA432398DEC

The following text is a sample of the email message that is associated with this threat outbreak:

> Subject: hi, fax 9397811

Message Body:

INVOICE #9397811 TOTAL 138772686.35

Or

> Subject: Internet Fax Job

Message Body:

Image data has been attached.

Or

> Subject: Undeliverable: hi, fax 086531948

Message Body:

Your message to aurelia.noran@ausenco.com.au couldn't be delivered.
aurelia.noran wasn't found at ausenco.com.au
aterin.al-salman Office 365 aurelia.noran
Action Required Recipient
Unknown TO address
How to Fix It
The address may be misspelled or may not exist. Try the following:
Retype the email address then resend the message.
Clear the recipient nickname cache in Outlook or Outlook Web App by following the steps in this
article: NDR Response Code 5.1.10 in Exchange Online and Office 365.
Contact the recipient (by phone or instant messaging, for example) to check that the address is correct.
The recipient may have set up mail forwarding to an incorrect address. Ask them to check that any forwarding they've set up is working correctly.
If the problem continues, forward this message to your email admin.
Was this helpful? Send feedback.

Or

> Subject: Company notice

Message Body:

Good day,
Attached you'll find the inter-company invoice for the period from October 2014 till October 2015.
Thank you for support in setting up this process.

Cisco security appliances can help protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. Cisco Web Security Appliances help secure and control web and email traffic by offering layers of malware protection. Cisco security appliances are automatically updated to help prevent both spam email and hostile web URLs from being passed to the end user.

Related Links
Cisco Security
Cisco SenderBase Security Network

Revision History

Version | Description | Section | Date
---|---|---|---
2 | Cisco Security has detected significant activity on October 8, 2015. | | 2015-October-08 13:49 GMT
1 | Cisco Security has detected significant activity on October 7, 2015. | | 2015-October-07 19:29 GMT

Legal Disclaimer

  • THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products