Threat Outbreak Alert RuleID20843: Email Messages Distributing Malicious Software on September 26, 2016

2016-02-02T14:54:26
ID CISCO-THREAT-43372
Type ciscothreats
Reporter Cisco
Modified 2016-09-27T13:55:59

Description

Severity: Medium
Alert ID: 43372
First Published: 2016 February 2 14:54 GMT
Last Updated: 2016 September 27 13:55 GMT
Version: 29

Summary

  • Cisco Security has detected significant activity related to spam email messages distributing malicious software.

Email messages that are related to this threat (RuleID20843 and RuleID20843KVR) may contain the following files. Each row lists the attached archive followed by the file it contains; the size and MD5 refer to the extracted file. Note that the same archive name recurs with different payload hashes, so the hash list alone does not cover every build of the lure.

Name (archive / extracted file) | Size in Bytes | MD5 Checksum
---|---|---
FedExR_pdf.7z / FedExR_pdf.exe | 185,856 | 0xEA0A27E099B2317BE5B0C5634D2D95C7
Reciept_pdf.7z / Reciept_pdf.exe | 222,720 | 0xCB133A6086C02B4C753F42D0CFEA8158
Reciept_pdf.7z / Reciept_pdf.exe | 219,136 | 0x6AE29FC23C9DEB89D054BB1FB0EC308E
FedExR_pdf.7z / FedExR_pdf.exe | 222,720 | 0x00CEAA264D6388C7A81FB4E8E3BCADAC
Reciept_pdf.7z / Reciept_pdf.exe | 225,280 | 0xBBF53287E50BE37A7422FE980DC928D8
SCAN COPY#2500342007.pdf.7z / SCAN COPY#2500342007.exe | 603,648 | 0x7C3637780B93CA726FDF8D96F7335B57
Reciept_pdf.7z / Reciept_pdf.exe | 220,160 | 0x42339277E14FCFEF8BEE8E5B1856008E
dhl_pdf.7z / dhl_pdf.exe | 387,072 | 0xAC4FAB210BF97EB299F94BEC93700229
Payment Notification.pdf.7z / Payment Notification.exe | 600,576 | 0x23B0266A55DF5862E7FB8FA01FCD2FF5
PO#5820105.pdf.7z / PO#5820105.exe | 854,528 | 0x2601D5EDF5FF5C2C2FC981F15F6022BE
PO#5820105.pdf.7z / PO#5820105.exe | 713,728 | 0x1FC2835F32EA4306C71C441FC7AC5909
Order Info_pdf.7z / Order Info_pdf.scr | 184,320 | 0x1C0135F02ABEE232F5FD95AD5C01433E
PO#5820105.pdf.7z / PO#5820105.exe | 796,672 | 0x4EEAE7676BA6CEC37C8EA90364A34B9F
PO 1000895_doc.7z / PO 1000895_doc.scr | 270,336 | 0x509BC9F4F6EA6CBF5879ABFFB6D8C62F
DHL Receipt_pdf.7z / DHL Receipt_pdf.exe | 310,784 | 0x3C93D243C57BAF466B8AB7040B70597B
DHL Receipt_pdf.7z / DHL Receipt_pdf.exe | 517,632 | 0x7776FEB31F35C6A2E2962A23D5D74335
DHL Receipt_pdf.7z / DHL Receipt_pdf.exe | 368,128 | 0x16F73AF0A28470BD71104FA302209A46
DHL Receipt_pdf.7z / DHL Receipt_pdf.exe | 217,088 | 0xECE1CA3AAD1C51FD3E8EAFD319A1100D
FedEx Receipt_pdf.7z / FedEx Receipt_pdf.exe | 278,528 | 0x33BD6B74B88C7837A0221264A220FFC1
FedEx Receipt_pdf.7z / FedEx Receipt_pdf.exe | 213,504 | 0x4176FE5AEC80A965837B0A6CE44DA467
DHL Receipt_pdf.7z / DHL Receipt_pdf.exe | 500,224 | 0xB1FCA88275DF5C337D1E1E5EFD5E3701
DHL Receipt_pdf.7z / DHL Receipt_pdf.exe | 419,328 | 0xE067B5CEE81F4C65F1DF86B36230E78C
Invoice.pdf.7z / Invoice.exe | 899,072 | 0x5EFD8B65B6461911A73F294A2601B4C5
FedEx Receipt_pdf.7z / FedEx Receipt_pdf.exe | 447,488 | 0x81D4F06473605C9BD9031282B358746E
DHL Receipt_pdf.7z / DHL Receipt_pdf.exe | 395,264 | 0x1A11137C716D113AE3C29C95B54DDE8B
FedEx Receipt_pdf.7z / FedEx Receipt_pdf.exe | 179,200 | 0x50D62607F626FDBE5A5CC33BF1A8F3AD
Dhl Receipt_pdf.7z / Dhl Receipt_pdf.exe | 312,832 | 0x69D3BA72C1889D0E1038220E0B59D8B8
Payment-Swift-No886534253664736.pdf.7z / Payment-Swift-No886534253664736.exe | 541,184 | 0x6748BB0CC8739944D7C93AE8026676F5
ITT No 029-15-EB-MS.pdf.7z | 2,073,089 | 0x81769509A61EE42441C9F72DFF4CBDA5
Invitation to Tender No. LOM65312-2015.pdf.7z / Invitation to Tender No. LOM65312-2015.exe | 1,820,160 | 0x9A4899ACCA8F7C5BFF5C2B0F58A18D8B
PURCHASE ORDER_PDF.7z / PURCHASE ORDER_PDF.exe | 439,808 | 0x37943DE325A418784FC6956084E7C889
DHL Receipt_pdf.7z / DHL(2).zip | 103,912 | 0x50CDC2D005BC4A1AB6ADB1E045F03011
DHL Receipt_pdf.7z / jonnywalker.exe | 728,064 | 0x73EA6F0B49FEF74F7A49B5ADADC1B597
DHL Receipt_pdf.7z / dj_output857361F.exe | 200,704 | 0x307971590A9C4D4CBBD55975F8A81882
DHLReceipt_pdf.7z / metu_output6915550.exe | 188,416 | 0x082118C60ADED549371DFE1B9421DEC9
DHLReceipt_pdf.7z / grf_output5398670.exe | 143,360 | 0x3D9203CCB381DACFA0F384306D96F2F4

The following text is a sample of the email message that is associated with this threat outbreak:

> Subject: FedEx Shipment Status

Message Body:

From: FedEx/eNOTIFICATION
Sent: 01 February 2016 10:43
Subject: FedEx Shipment Status

Or

> Subject: Parcel Arrival from Dhl


Or

> Subject: FedEX International Mail service

Or

> Subject: Parcel arrival from FedEx

Or

> Subject: Top Urgent

Message Body:

FYI....

Or

> Subject: FedEx shipment status


Or

> Subject: Parcel Arrival Update

Or

> Subject: Payment Notification

Message Body:

Good day,
I tried calling you on your mobile number but it was not reachable.
Please kindly find the attached swift copy for final payment of the
invoice paid to your account for our last order.
Kindly check and confirm to us as soon as possible.
Waiting for your response
Thanks

Or

> Subject: PO#5820105

Message Body:

Dear Sir,
Please kindly quote us your best & final price,
delivery and acceptable payment terms via attached
order.
Regards

Or

> Subject: PO #633092

Message Body:

Hello,
Please find enclosed herewith our new order.
We look forward to receive a pro-forma invoice.
Thank You
Best regards.

Or

> Subject: PO#5820105

Message Body:

Dear Sir,
Please kindly quote us your best & final price, delivery
and acceptable payment terms via attached order.
Regards

Or

> Subject: Fwd: PO100895

Message Body:

Hello,
Please find enclosed herewith our new order.
We look forward to receive a pro-forma invoice.
Thank You
Regards,

Or

> Subject: Dhl Parcel Arrival Status

Or

> Subject: Parcel Arrival From DHL

Or

> Subject: Parcel Arrival

Or

> Subject: Dhl Parcel Arrival Status

Or

> Subject: FedEx Shipment Status

Or

Message Body:

Sonnige Grüße [German: "Sunny greetings"]
Kind regards

Or

> Subject: Invoice

Message Body:

Dear Sir,
My colleague contacted you since yesterday but no
response from you, Our finance department has processed
your payment, unfortunately it has been declined.
Please double check your bank information provided
in the invoice attached to this mail and confirm your details.
Thank you for understanding.

Or

> Subject: FedEx Shipment Status

Or

> Subject: PARCEL ARRIVAL FROM DHL

Or

> Subject: Payment-Swift-No886534253664736

Message Body:

Dear sir,madam
review the attached swift payment for immediate shipment
Thanks & Regards,


Or

> Subject: INVITATION TO TENDER, ITT No: 029-15-EB-MS

Message Body:

Dear Tender Participant,
Hereby Gazprom Neft Middle B.V. (GNME) is inviting Your company to take part in the Tender
for the Supply of Personal Protective Equipment (PPE), Medial Equipment, ICT Support & Supply
Oil & Gas Equipments & Safety Equipment _ 09-05-EB-MS016. Your company is invited to submit
its sealed offer on or before May 29rd, 2016, 16-30 (COB, Dubai Time). Attached to this message,
lease find the forms and documents necessary for the preparation of technical and commercial bids
required by the Gazprom Neft Middle East Tender Committee. Please make sure to be compliant with
the Instructions to Bidder (as attached – ITT and Instruction to Bidders) with regards to original
signatures and stamp of the Bidder where necessary, as well as binding of the documents included
into the Technical and Commercial Bids.We would be obliged if you kindly confirm the receipt of
this letter. Thanks a lot for your participation.
Best regards,

Or

> Subject: Invitation to Tender No. LOM/653/12-2015 for supply of laboratory chemicals, Oil and
drilling equipments, accessories, glassware and expendables on call-off basis (5 lots)
for 2 years for West Qurna (Phase 2) the Republic of Iraq

Message Body:

Dear Tender Participant,
TITLE: Invitation to Tender No. LOM/653/12-2015 for supply of laboratory chemicals,Oil and drilling equipments, accessories,
glassware and expendables on call-off basis (5 lots) for 2 years for West Qurna (Phase 2) the Republic of Iraq
LUKOIL MID-EAST LIMITED, a designated Operator for the West Qurna (Phase 2) Contract Area in Iraq (hereinafter referred to as the Operator),
invites you to take part in Tender No. LOM/653/12-2015 for supply of laboratory chemicals, accessories, glassware and expendables on call-off basis (5 lots)
for 2 years for West Qurna (Phase 2) the Republic of Iraq in accordance with information, data and instructions contained and set out in the attached document entitled
“Instructions to Bidders” and in respect of which we intend to award the successful Bidder a Contract for “Supply of laboratory chemicals, accessories, glassware
and expendables on call-off basis (5 lots) for 2 years for West Qurna (Phase 2) the Republic of Iraq”.
Detailed conditions of the Tender and procedures of Bid preparation are set out in the Instructions to Bidders which are enclosed with this letter.
Each Bidder shall sign and return to the Operator its confirmation of its participation in this Tender within three (3) working days in accordance
with requirements described in the Instructions to Bidders, sub-article 1.8.
If the Bidder fails to provide such confirmation within the specified time, the Operator shall stop sending further information on the Tender to this Bidder.
Please address all your questions related to the Tender Documentation by mail, fax or e-mail before April 05, 2016 in strict accordance with the requirements
set out in the Instructions to Bidders and to the contact address and e-mails set out therein.
Unless otherwise instructed by the Operator via Notice to Bidders, envelopes containing Bids shall be delivered before 05:00 p.m. (Dubai time) on June 17, 2016
to the address and in the manner described in the Instructions to Bidders.
Best regards,
Rasul Akhmetshin
Procurement Expert
Procurement Division
LUKOIL International Services B.V. (Dubai Branch)
On the basis of the Service Contract with LUKOIL Mid-East Limited
DPG HQ Building, TECOM
500551, Dubai, UAE
Tel: +971-4-4544025
Fax: +971-4-4544001
E-mail: Rasul.Akhmetshin@lukoil-overseas.com

Or

> Subject: PURCHASE ORDER

Message Body:

Hello,
We have an order of 10000MT, Please kindly check Order details attached in the mail and reply with prices.
Thank you
Regards
Brandon,

Or

> Subject: DHL PARCEL ARRIVAL UPDATE****

Or

> Subject: DHL Shipment Alert

Or

> Subject: DHL Shipment Status

Cisco security appliances can help protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. Cisco Web Security Appliances help secure and control web and email traffic by offering layers of malware protection. Cisco security appliances are automatically updated to help prevent both spam email and hostile web URLs from being passed to the end user.

Revision History

Version | Description | Section | Date
---|---|---|---
28 | Updated to report significant activity detected by Cisco Security on September 26, 2016. | — | 2016-September-27
27 | Updated to report significant activity detected by Cisco Security on August 31, 2016. | — | 2016-September-02
26 | Cisco Security has detected significant activity on August 13, 2016. | — | 2016-August-15
25 | Cisco Security has detected significant activity on July 27, 2016. | — | 2016-July-27 14:20 GMT
24 | Cisco Security has detected significant activity on May 25, 2016. | — | 2016-May-25 18:51 GMT
23 | Cisco Security has detected significant activity on May 24, 2016. | — | 2016-May-24 20:07 GMT
22 | Cisco Security has detected significant activity on May 21, 2016. | — | 2016-May-23
21 | Cisco Security has detected significant activity on May 12, 2016. | — | 2016-May-16
20 | Cisco Security has detected significant activity on May 5, 2016. | — | 2016-May-13
19 | Cisco Security has detected significant activity on May 5, 2016. | — | 2016-May-05
18 | Cisco Security has detected significant activity on May 4, 2016. | — | 2016-May-05
17 | Cisco Security has detected significant activity on April 26, 2016. | — | 2016-April-28 12:21 GMT
16 | Cisco Security has detected significant activity on April 26, 2016. | — | 2016-April-26 18:57 GMT
15 | Cisco Security has detected significant activity on April 25, 2016. | — | 2016-April-26 13:17 GMT
14 | Cisco Security has detected significant activity on April 21, 2016. | — | 2016-April-21 13:51 GMT
13 | Cisco Security has detected significant activity on April 13, 2016. | — | 2016-April-20 13:18 GMT
12 | Cisco Security has detected significant activity on April 13, 2016. | — | 2016-April-13 14:42 GMT
11 | Cisco Security has detected significant activity on April 8, 2016. | — | 2016-April-08 20:24 GMT
10 | Cisco Security has detected significant activity on April 6, 2016. | — | 2016-April-07 11:38 GMT
9 | Cisco Security has detected significant activity on March 29, 2016. | — | 2016-April-06 13:39 GMT
8 | Cisco Security has detected significant activity on March 29, 2016. | — | 2016-March-31 12:24 GMT
7 | Cisco Security has detected significant activity on March 15, 2016. | — | 2016-March-15 13:36 GMT
6 | Cisco Security has detected significant activity on February 23, 2016. | — | 2016-February-24 12:56 GMT
5 | Cisco Security has detected significant activity on February 22, 2016. | — | 2016-February-22 20:36 GMT
4 | Cisco Security has detected significant activity on February 4, 2016. | — | 2016-February-04 21:02 GMT
3 | Cisco Security has detected significant activity on February 3, 2016. | — | 2016-February-04 13:21 GMT
2 | Cisco Security has detected significant activity on February 2, 2016. | — | 2016-February-03
1 | Cisco Security has detected significant activity on February 2, 2016. | — | 2016-February-02

Legal Disclaimer

  • THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products