Threat Outbreak Alert RuleID23364: Email Messages Distributing Malicious Software on July 6, 2016

2016-06-09T13:45:17
ID CISCO-THREAT-46623
Type ciscothreats
Reporter Cisco
Modified 2016-07-06T19:09:30

Description

Medium

Alert ID:

46623

First Published:

2016 June 9 13:45 GMT

Last Updated:

2016 July 6 19:09 GMT

Version:

6

Summary

  • Cisco Security has detected significant activity related to spam email messages distributing malicious software.

Email messages that are related to this threat (RuleID23364 and RuleID23364KVR) may contain the following files:

Name | Size in Bytes | MD5 Checksum
---|---|---
DOC000129.zip / DOC000129.exe | 657,408 | 0x217BD0662A1D3AB366D5B82499925C68
DOC00909806.zip / DOC00909806.exe | 778,240 | 0x5C9C44DC9AD39205E5BE0C0995B48208
PO#703362.zip / PO#703362.exe | 648,192 | 0x624C7D3142BC1E81AC20FE5C08F40AEF
PO#022129.zip / PO#022129.exe | 639,488 | 0x60ECA40095BD7574DC040C1439220E05
PO101451.zip / PO101451.exe | 665,088 | 0xC53BD115DD14A6ABAA6FAEA724777617
PO67564324.zip / 1_outputCA0A86F.exe | 225,280 | 0x9119D3AB2156CE9E473BCA1DC3F9ED59
PI#ZD160608.zip / PI#ZD160608.exe | 475,136 | 0x95C63D014A0DA702F2B37FABD7908286
PO203518402.zip / po.exe | 637,952 | 0x9559F7D79FA0CF534B0FB1BC8BE4E3DA
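As an added example (not part of the Cisco alert), the following Python matches mail attachments against the indicators in the table above: it normalizes the 0x-prefixed upper-case MD5 form the alert uses, and for .zip attachments it inspects the archive for the zip-wrapping-an-.exe pattern that every listed file name shows. The archive it builds for testing is constructed and harmless, not one of the listed samples.

```python
import hashlib
import io
import zipfile

# Indicators copied from the alert's file table: MD5 -> (dropped file name, size in bytes).
ALERT_IOCS = {
    "217bd0662a1d3ab366d5b82499925c68": ("DOC000129.exe", 657408),
    "5c9c44dc9ad39205e5be0c0995b48208": ("DOC00909806.exe", 778240),
    "624c7d3142bc1e81ac20fe5c08f40aef": ("PO#703362.exe", 648192),
    "60eca40095bd7574dc040c1439220e05": ("PO#022129.exe", 639488),
    "c53bd115dd14a6abaa6faea724777617": ("PO101451.exe", 665088),
    "9119d3ab2156ce9e473bca1dc3f9ed59": ("1_outputCA0A86F.exe", 225280),
    "95c63d014a0da702f2b37fabd7908286": ("PI#ZD160608.exe", 475136),
    "9559f7d79fa0cf534b0fb1bc8be4e3da": ("po.exe", 637952),
}


def normalize_md5(value: str) -> str:
    """Accept the alert's 0x-prefixed upper-case form as well as plain lower-case hex."""
    value = value.strip().lower()
    return value[2:] if value.startswith("0x") else value


def scan_attachment(name: str, data: bytes) -> list[str]:
    """Return findings for one attachment; an empty list means nothing matched."""
    findings = []
    digest = hashlib.md5(data).hexdigest()  # MD5 is used only because the alert publishes MD5s
    if digest in ALERT_IOCS:
        findings.append(f"md5 matches alert sample {ALERT_IOCS[digest][0]}")
    if name.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.infolist():
                    if member.filename.lower().endswith(".exe"):
                        findings.append(f"executable inside archive: {member.filename}")
                    inner_digest = hashlib.md5(archive.read(member)).hexdigest()
                    if inner_digest in ALERT_IOCS:
                        findings.append(f"archive member md5 matches alert sample {ALERT_IOCS[inner_digest][0]}")
        except zipfile.BadZipFile:
            findings.append("attachment named .zip is not a valid archive")
    return findings


def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Constructed test input: an in-memory zip holding one member (not real malware)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr(member_name, payload)
    return buffer.getvalue()
```

A hash match on the listed samples is the strong signal; the archive check is a weaker pattern that also flags benign zips carrying an executable, so treat it as a quarantine or review trigger rather than a verdict.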

The following text is a sample of the email message that is associated with this threat outbreak:

> Subject: Our Pending Order

Message Body:

Dear Sirs,
I am sending you attached the copy of the swift for
deposit we effected covering your Proforma invoice:
At amount of $61,305.12 USD
Shipment of this order must be before 30/05/2016.
Transporting Company: 3
Consolidation Information:
Anti-dumping Information: NO
Please also find the attached files, "TRANSPORTING COMPANY DETAILS",
"DOCUMENTS REQUIRED", and "PAYMENTS NEW POLICY". Please contact the
transporting company and make your booking on time.( ATTENTION: WHEN
YOU PLACE BOOKING ALWAYS GIVE THE PROFORMA INVOICE NUMBER.)
After shipment in order to proceed with the arrangement of your payment
on time, you must send us by e-mail within 5 days the final shipping documents.
The Invoice and Packing List must have your company colored (red or blue) stamp
and authorized signature. We would like to inform you that in case shipping
documents will not arrive to our hands before the arrival of the cargo to Piraeus
port, you will bear all the cost that will be created by the customs warehouses as
well any cost of demurrages of shipping lines.
Best Regards

Or

> Subject: Order

Message Body:

Dear Customer,
Unfortunately we failed to deliver the postal package which was sent DHL
on time because the addressee's address is not correct.

Or

> Subject: PO#703362

Message Body:

Hello,
Revised Order List attached.
Kindly send full price detail ASAP

Or

> Subject: PO#022129

Message Body:

Hello,
Attached please find the Purchase Order No.
We will send you the Payment Slip within a
few day.
Best Regards,

Or

> Subject: REQUEST FOR QUOTATION

Message Body:

Hi,
Hope you are doing well.
I was wondering if you got a chance to review my previous email.
Understandably, you must have been running a very busy schedule and could not connect earlier.
Let me know if you could send us your best price offer for the PO101451
As attached.
Pls advise us Asap
REGARDS
Joseph A. Dixon
(Purchasing Manager)
Italian Wine & Trading Co.,ltd
Via Postumia di Levante, 47
35013 CITTADELLA (PD) ITALY
Tel. +39 049 5971877
Fax +39 049 9400650
E-mail: lnfo@wineitalia.com

Or

> Message Body:

This email did not pass the SPF filter.
Verify the authenticity of the sender and be careful when opening this message.
SPF (Sender Policy Framework) is a protection against address forgery when sending email.
It identifies, through domain name (DNS) records, the SMTP mail servers authorized to transport messages....
Dear Sir,
This is Mellisa from West Coast Middle East General Trading company
Please find new attached request for Steel and steel realated product (Crude Steel,Grade Steel, Stainless Steel
Steel Casting). Please provide me with Performa Invoice considering following terms till 12.04.2015.
1. Valid Performa Invoice
2. Subject Title:
3. FOB Price
4. Net and Gross weight.
5. Type of Packing.
6. Standard Code of item.
7. Custom Tariff No.
8. Port and country of loading.
9. Type of Transportation
10. Total Description of Goods.
11. Price of each item separately included no. of it and unit price.
12. Delivery; EXW Dubai
13. Country of origin and Seller country.
14. Method of payment.
15. Minimum Delivery Time.
16. Currency : USD or Euro
17. Your bank details.
18. Validity of offer.
19. All of the extra cost (Packing, Documentation,.., etc.) shall be included within price quoted.
20. PI in Favor of WCT duly signed and stamped.
21. Testing and Inspection Conditions /Standards
Your prompt reply would be highly appreciated in advance.
I look forward to hearing from you soon.
Best regards,
Mellisa Hobs
Procurement department
--------------------------------------
West Coast Middle East LLC
Level 41 Emirates Towers
Po Box 31303
Sheikh Zayed Road, Dubai
United Arab Emirates
Tel: +971 4 313 2986
Fax: +971 4 313 2987
Website: www.westcoasttrading.ca

Or

> Subject: Quotation RFP1#ZD160608

Message Body:

Dear Sir/Madam,
Attached is our new po, Please send us the
order confirmation with delivery details and
prepare our Invoice for payment. If you need
additional information, please contact us.
Best Regards.

Or

> Subject: RE:RE: Purchase Order

Message Body:

Dear Sir,
Please find attached our Purchase Order for July 2016.
Kindly send us Order acknowledgement dully signed so we can prepare for
down payment immediately.
Note, delivery must be completed before mid August so we can meet up
to our customer's demands.
Please let us know if you are unable to ship early so we can make other
arrangements.
Thanks and Best Regards,

Cisco security appliances can help protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. Cisco Web Security Appliances help secure and control web and email traffic by offering layers of malware protection. Cisco security appliances are automatically updated to help prevent both spam email and hostile web URLs from being passed to the end user.

Related Links
Cisco Security
Cisco SenderBase Security Network

Revision History

Version | Description | Section | Date
---|---|---|---
6 | Cisco Security has detected significant activity on July 6, 2016. | | 2016-July-06 19:09 GMT
5 | Cisco Security has detected significant activity on June 29, 2016. | | 2016-June-30 11:23 GMT
4 | Cisco Security has detected significant activity on June 16, 2016. | | 2016-June-16 14:16 GMT
3 | Cisco Security has detected significant activity on June 16, 2016. | | 2016-June-16 12:46 GMT
2 | Cisco Security has detected significant activity on June 11, 2016. | | 2016-June-13 12:19 GMT
1 | Cisco Security has detected significant activity on June 9, 2016. | | 2016-June-09 13:45 GMT

Legal Disclaimer

  • THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products