Threat Outbreak Alert RuleID7930: Email Messages Distributing Malicious Software on September 21, 2016

2016-07-27T13:51:12
ID CISCO-THREAT-47253
Type ciscothreats
Reporter Cisco
Modified 2016-09-21T21:05:21

Description

Medium

Alert ID: 47253

First Published: 2016 July 27 13:51 GMT

Last Updated: 2016 September 21 21:05 GMT

Version: 18

Summary

  • Cisco Security has detected significant activity related to spam email messages distributing malicious software.

Email messages that are related to this threat (RuleID7930 and RuleID7930KVR) may contain the following files:

Name | Size in Bytes | MD5 Checksum
---|---|---
Commercial Invoice PDFattttt.zip / Commercial Invoice PDFattttt.exe | 878,656 | 0x431B4848BDE59EC7155F2C3801B3D6B2
New PO #858-2550049429.zip / New PO #858-2550049429.exe | 761,856 | 0x4510B5242F358D5409B3B8DEF0031B4D
PDFdoc.zip / PDFdoc.exe | 850,432 | 0x7423B808D925B46B3C9074073F620453
PO-DOO2343.jar | 268,079 | 0x076ACBD003F190B9926D14618932F62B
Shippingdocuments.zip / Shippingdocuments.exe | 899,136 | 0xE870E60E0AE415E01F2E0E930EB50EEF
BJFS-PO-16-48.zip / BJFS-PO-16-48.exe | 516,096 | 0x3C258494CA5F2D0278A7E7EAE58BE581
PO -16PO00117.....Our Ref. G-FSM-ORD126619.zip / PO -16PO00117.....Our Ref. G-FSM-ORD126619.exe | 812,032 | 0x4A4C935B785CA8273EBB0B71DF79C706
Document073116.zip / Document073116.exe | 853,504 | 0x0414F40DB0BE007B6DAF368090558BC6
SPECIFICATION.zip / SPECIFICATION.exe | 1,175,552 | 0xD3C2F2C12160996BD18E690139573E2B
PURCHASING ENQUIRY100003.zip / PURCHASING ENQUIRY100003.exe | 749,568 | 0x93287BE5B0D95DE464817EB34E92D5C9
Invoice.zip / Invoice.exe | 973,824 | 0x2C34F7541C0BC4FC744D35F16059AA65
PO#76099.jar | 239,132 | 0x467F3C48B5E0B13604E81097E3559907
SHIPMENT DOCUMENTS09.zip / SHIPMENT DOCUMENTS09.exe | 689,152 | 0xF29AAA0E83106284389ED2FC197107D0
Bl-doc-00768.zip / Bl-doc-00768.exe | 881,664 | 0x5EC128FC8344B81B5878D28AC7BED603
PO_US_110010.Pdf.zip / PO_US_110010.Pdf.exe | Not Available | 0x6FAC795A4387D943EA2AD7A72A4E6524
P O 835722.zip / P O 835722.scr | 1,024,512 | 0x2F41C4C7F196BA89EC0ED7B4159F6545
SHIPMENTDOCUMENTS.zip / SHIPMENTDOCUMENTS.exe | 466,944 | 0x722FF1DC854C109C7288544DF2B82A7B
swift receipt.zip / swift receipt.exe | 518,144 | 0x2C25205A8D560000EFCC68BEE21F8B58
RFQ NO.PO22.081.6GG pdf.zip (2).zip / PO250816DD.exe | 956,928 | 0x7503D0B59F888BC5D26A10CC324B3E45
Invoice9987609.zip / Invoice9987609.exe | 454,144 | 0x6C8BCAAB685F29FE81041FD88D269BA3
SHIPPINGDOCUMENTS.657454-DHL.zip / SHIPPINGDOCUMENTS.657454-DHL.exe | 475,136 | 0x0399C628686D6211055B63B52D542430
CONFIRM BANK DETAILS(invoice#14868GHFDCLI NJTDT.zip / CONFIRM BANK DETAILS(invoice#14868GHFDCLI NJTDT.exe | 1,132,728 | 0x057B44B81BA5C14A4901775396BB02F6
Product Specifications.zip / Product Specifications.exe | 741,888 | 0x9A8794162E9247A7A46585F2FBA60B8B
Payment Invoice.zip / FedEx_Receipt.exe | 204,800 | 0x86D365181502C5EE461F36136E57CB86
Purchase Order (Autoliv Japan Ltd. Tsukuba Plant).zip / Purchase Order (Autoliv Japan Ltd. Tsukuba Plant).exe | 876,544 | 0x2F5E4D5FBC0A3AFFF6089C869D63BD33
Swift Copy.zip / Swift Copy.pif | 360,448 | 0x45EEC2B73623CF8E8705D13660B459B2
invoices.zip / invoices.exe | 389,632 | 0xFBF07B7C8DE76F24168781456EC114DF
Doc-090801623BC.gz / Doc-090801623BC.exe | 2,592,768 | 0x7400D3DE40E7B3DFCE8EEE8A979BAAFB
Scandoc120916.jpg.zip / Scandoc120916.jpg.exe | Not Available | 0xE7F38E0F8E2F12F9A0FFABA920322CA6
PO No. 188273553HZ3.zip / PO No. 188273553HZ3.scr | 196,608 | 0x74BA27025FA3A0D5432354ACAA092612
new document.PDF.zip / new document.PDF..exe | 899,136 | 0xF5CE18D757165A790FA010A1982E2792

The following text is a sample of the email message that is associated with this threat outbreak:

> Subject: commercial invoice and packing

Message Body:

Dear Sir,
Enclosed please find the amended commercial invoice
and packing list for your kind perusal.
Please advise/ comment.

Or

> Subject: New PO #858-2550049429

Message Body:

Hello,
Attached the new p/o.
Please acknowledge acceptance of the orders and advise me the delivery.
Remark: Delivery date stated in PO is date ETA .
Should you have any further queries, please do not hesitate to contact us.
Thanks.
Regards,

Or

> Subject: Notice(IRA)

Message Body:

Hello,
Did you get my previous email?
I tried a couple of times to send you this file but to no avail.
I was able to attach it using PFD format.
Please view at your earliest convenience.
Regards.

Or

> Subject: Purchase order No :D008-PRT-PO DOO2343

Message Body:

FYI
Kindly acknowledge the receipt of the same and send the proforma
Thanks & regards,

Or

> Subject: SHIPMENT DOCUMENTS

Message Body:

Dear Customer,
FYI
See the attached documents for your information.

Or

> Subject: BIC Coupling BJFS-PO-16-48

Message Body:

Greetings from BIN JABR.
Further to the above subject, we are pleased to
place our order for the supply of BIC COUPLINGS as attached.
Terms & Conditions:-
Delivery: Ex-Works on or before 21st August, 2016.
Payment: 100% upon receipt of below documents.
Documents required:-
1. Country of Origin certificate (attested by Chamber of Commerce)
2. Stamped & Signed Invoice
3. Packing list
4. Warranty Certificate
5. Test certificate, Certificate of Conformance & Agency Approved Certificate
Please send your Proforma Invoice & Order Acknowledgement for processing the payment.
Request you to expedite the production of the COUPLING as its required on urgent basis at the site.
Your early response will be highly appreciated.
Best Regards,

Or

> Subject: Changing MCB's

Message Body:

Dear Rajkumar,
Please confirm when the MCB,s can be change as per the CGC requirement ?
Kind Regards

Or

> Subject: po#073116

Message Body:

Dear sir,
Kindly find attached PO for your immediate action/Delivery.
Thanks & Best Regards,

Or

> Subject: SPECIFICATION

Message Body:

Dear sir
There is an urgent need for the goods attached and as a result,
we are interested in purchasing from your company because
our previous supplier appears not to be serious.
Attached is our new order.
Kindly get back to us with your quotation urgently.
Kind Regards,

Or

> Subject: [Fwd: Order Inquiry 100003

Message Body:

Dear Supplier
I would like to find out about your company and your business
activities. Please send me a brochure, product catalogue and price
information.
To know more about our company kindly check attached file for more
details
If you have any questions pls contact me directly
Thanks
Yours sincerely,

Or

> Subject: august order

Message Body:

Greetings,
Please find herewith attached (Our order no 01201) fwd for your kind
consideration and advice the proforma invoice.
As requested kindly make arrangements to deliver the same at the earliest.
with warm regards
Thanks & Regards,

Or

> Subject: New Order Request

Message Body:

Hello sir,
Please find attached New Order request needed by our company.
Please kindly review and send us quotation asap on FOB basis Port Texas
Please treat this matter as urgent because we need goods on urgent basis.
Awaiting your urgent reply.
Best regards

Or

> Subject: SHIPMENT DOCUMENTS.

Message Body:

Dear Customer,
FYI
See the attached documents for your information.
Regards

Or

> Subject: Airway bill document.

Message Body:

Good Morning,
Pls find attached BL draft for your ref,
Kindly check & confirm all the details are in order,
Thanks & Best Regards

Or

> Subject: Purchase Order

Message Body:

Hello,
Please kindly assist to provide a quote for the attached purchase Order
as per Sample Attached Below and also advice the availability of the
Order and delivery date
Waiting to hear from you.

Or

> Subject: Kindly quote the attached New order

Message Body:

Hello,
Kindly find here under the attached the drawings for your kind review
and use to quote the required New Order
Thank You & Kindest Regards

Or

> Subject: SHIPMENT DOCUMENT

Message Body:

Dear Customer,
FYI
See the attached documents for your information.

Or

> Subject: Acknowledgement of wire transfer receipt.

Message Body:

Dear Sir,
Pls. find attached herewith a wire
payement details of lnvoces received
at our end from your
organisation.
In case of any clarifications
relating to receipt of invoice(s), please
contact

Or

> Subject: PO#PO220816GG test

Message Body:

Dear Sir/Madam,
Please find enclosed Purchase order subject as #-PO220816GG-.
Please quote your best price along with your soonest delivery date.
For clarification purposes, please. don’t hesitate to call
Awaiting your immediate response.

Or

Message Body:

Good day,
Sorry for contacting you with another email, this is our Company new
email,Please find attached invoice for the past months. Remit the new
payment by 31/8/2016 as outlines under our payment agreement.
Best Regards,

Or

> Subject: SHIPMENT DOCUMENT

Message Body:

Dear Customer,
FYI
See the attached documents for your information.
Regards

Or

> Subject: Urgently reconfirm bank details for payment(invoice#14868GHFDCLI NJTDC)

Message Body:

Good Day,
We tried to settle outstanding payment yesterday Friday but
we discovered that the bank details on the revised invoice is different
from the one you gave to us before. Please check the new bank accounts details
on the attached revised invoice and confirm to us again that
it is you that change your bank account so that we can settle your payment asap.
Thanks&Regards

Or

> Subject: Request For Quotation from Antic Kosta

Message Body:

Dear sir/madam,
My name is Dušan Kršanin and
I am purchase manager in "Antić Kosta" company from Serbia.
We are interested in your products specified in attached.
Please send us a quotation for your products with prices and transport costs
as well as payment terms.
Looking forward to your answer.
Best regards,

Or

> Subject: Invoice Payment Details

Message Body:

Hello,
Please confirm your bank details in the attached invoice for immediate payment,
as suggested by our financial institution.
Will send you remittance copy immediately payment is done by tomorrow.
Sales Manager

Or

> Subject: Purchase Order (Autoliv Japan Ltd. Tsukuba Plant)

Message Body:

Hello Dear,
Attached I send you our new PO, please send me your PI to schedule the 30% payment..
REMEMBER: The PI and COMMERCIAL INVOICE must be issued to:
INDUSTRIAS BALBUENA Y ASOCIADO SA DE CV
AV ALVARO OBREGON #121 INT 803
COLONIA ROMA NORTE
DEL. CUAUHTEMOC, CIUDAD DE MEXICO, MEXICO
C.P. 06700
RFC: IBA1502065S2
All the shipping documents also must be issue to INDUSTRIAS BALBUENA Y ASOCIADO SA DE CV
Best regards,

Or

> Subject: TRANSACTION DETAILS

Message Body:

Hi The payment has be made from your customer,
attached is the bank copy please confirm.
Thanks HSBC BANK SWIFT TELLER

Or

> Subject: aug. invoices

Message Body:

Good Morning,
Attached is your August invoice please recomfirm to us.
Kind Regards,

Or

> Subject: Shipment and Balance

Message Body:

Dear Sir/madam
My colleague is currently on vacation. I am writing you
regarding our latest shipment. Please find the attached
signed PI. Please kindly confirm the bank details in the
attached invoice so that we can proceed with the payment
accordingly. We shall proceed upon your confirmation.

Or

> Subject: payment update

Message Body:

dear sir/madam,
Kindly acknowledge our payments as attached and update us on shipment accordingly.

Or

> Subject: BC International : Qoutation for PO No. 188273553HZ3

Message Body:

Good Morning,
Please find Attached the new PO No. 188273553HZ3
kindly get back to us with the requested details and your best price ASAP
Thanks

Or

> Subject: New Document

Message Body:

Good day,
Please open the pdf-zip format to see the new document

Cisco security appliances can help protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. Cisco Web Security Appliances help secure and control web and email traffic by offering layers of malware protection. Cisco security appliances are automatically updated to help prevent both spam email and hostile web URLs from being passed to the end user.

Revision History

Version | Description | Section | Date
---|---|---|---
18 | Updated to report significant activity detected by Cisco Security on September 21, 2016. | — | 2016-September-21
17 | Updated to report significant activity detected by Cisco Security on September 19, 2016. | — | 2016-September-19
16 | Updated to report significant activity detected by Cisco Security on September 14, 2016. | — | 2016-September-15
15 | Updated to report significant activity detected by Cisco Security on September 10, 2016. | — | 2016-September-12
14 | Updated to report significant activity detected by Cisco Security on August 31, 2016. | — | 2016-September-01
13 | Updated to report significant activity detected by Cisco Security on August 28, 2016. | — | 2016-August-30
12 | Cisco Security has detected significant activity on August 27, 2016. | — | 2016-August-29
11 | Cisco Security has detected significant activity on August 22, 2016. | — | 2016-August-23
10 | Cisco Security has detected significant activity on August 19, 2016. | — | 2016-August-22
9 | Cisco Security has detected significant activity on August 18, 2016. | — | 2016-August-19
8 | Cisco Security has detected significant activity on August 9, 2016. | — | 2016-August-10
7 | Cisco Security has detected significant activity on August 8, 2016. | — | 2016-August-08
6 | Cisco Security has detected significant activity on August 3, 2016. | — | 2016-August-08
5 | Cisco Security has detected significant activity on August 3, 2016. | — | 2016-August-03 19:41 GMT
4 | Cisco Security has detected significant activity on August 2, 2016. | — | 2016-August-03 12:53 GMT
3 | Cisco Security has detected significant activity on July 28, 2016. | — | 2016-August-01 14:09 GMT
2 | Cisco Security has detected significant activity on July 28, 2016. | — | 2016-July-28 19:07 GMT
1 | Cisco Security has detected significant activity on July 26, 2016. | — | 2016-July-27 13:51 GMT

Legal Disclaimer

  • THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products