Threat Outbreak Alert: Email Messages with Malicious Attachments on December 24, 2013

Threat Type: IntelliShield: Threat Outbreak Alert
IntelliShield ID: 31483
Version: 14
First Published: 2013 October 24 17:34 GMT
Last Published: 2013 December 24 16:39 GMT
Port: Not available
Urgency: Possible use
Credibility: Confirmed
Severity: Mild Damage

Version Summary: Cisco Security Intelligence Operations has detected significant activity on December 24, 2013.

Description
 
Cisco Security Intelligence Operations has detected significant activity related to spam email messages that claim to contain an attachment for the recipient. The text in the email message attempts to convince the recipient to open the attachment and view the details. However, the .zip attachment contains a malicious .exe file that, when executed, attempts to infect the system with malicious code.

Email messages that are related to this threat (RuleID7588, RuleID7588kvr and RuleID7588KVR_1) may contain any of the following files:

PO 5211.zip
PO 5211.exe
PO 6321.zip
PO 6321.exe
PO 4417.zip
PO 4417.exe
PO 3433.zip
PO 3433.exe
VodafoneWillkommen_675173709312.zip
VodafoneWillkommen_093746339221.pdf.exe
PO 0091.zip
PO 0091.exe
To All Employees 2013.zip
To All Employees 2013.exe
Transaction_437335016144.zip
Transaction.exe
Transaction_846991392796.zip
New2837.zip
New2837.exe
INS_Form_1128.zip
INS_Form_1128.exe
ORDER8373.zip
ORDER8373.exe
doc0002.zip
doc0002.exe
Vodafone-16122013025394.zip
Vodafone-16122013876004.pdf.exe
Case 463252349343.zip
Case 463252349343.exe
Label_921430451583.zip
Label_12192013.exe

The PO 5211.exe file in the PO 5211.zip attachment has a file size of 653,312 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x718DB447791896F26C8A33DE85A7FE53

The PO 6321.exe file in the PO 6321.zip attachment has a file size of 478,328 bytes. The MD5 checksum is the following string: 0x1A4FD909F92DFE634D5D75910BEF9D99

The PO 4417.exe file in the PO 4417.zip attachment has a file size of 719,872 bytes. The MD5 checksum is the following string: 0xF02496166A8DC12EBA227BDD3D0B7BF3

The PO 3433.exe file in the PO 3433.zip attachment has a file size of 719,872 bytes. The MD5 checksum is the following string: 0xBFD9188457886905A1FEBED27C9245B1

The VodafoneWillkommen_093746339221.pdf.exe file in the VodafoneWillkommen_675173709312.zip attachment has a file size of 235,833 bytes. The MD5 checksum is the following string: 0x3F3E507A315414B8ED91D54D9531E25B

The PO 0091.exe file in the PO 0091.zip attachment has a file size of 607,232 bytes. The MD5 checksum is the following string: 0xD653FD33A76C70330741F9D6333CAE5C

The To All Employees 2013.exe file in the To All Employees 2013.zip attachment has a file size of 19,968 bytes. The MD5 checksum is the following string: 0x4556D703CFA148E1B7E0EC9C98439197

The Transaction.exe file in the Transaction_437335016144.zip attachment has a file size of 12,288 bytes. The MD5 checksum is the following string: 0xE2F31930AFC21B04B110900D7912F00A

A variant of the To All Employees 2013.exe file in the To All Employees 2013.zip attachment has a file size of 13,312 bytes. The MD5 checksum is the following string: 0xA235A041627E0A35F9659CF960E14FF9

A variant of Transaction.exe file in the Transaction_846991392796.zip attachment has a file size of 14,848 bytes. The MD5 checksum is the following string: 0xE85AD4B09201144ACDC04FFC5F708F03

The New2837.exe file in the New2837.zip attachment has a file size of 331,929 bytes. The MD5 checksum is the following string: 0x2F26F932A344759C28E471033A1AAA07

The INS_Form_1128.exe file in the INS_Form_1128.zip attachment has a file size of 20,992 bytes. The MD5 checksum is the following string: 0x7AC89C9361A072E7FEDA29D02DBD9EB4

The ORDER8373.exe file in the ORDER8373.zip attachment has a file size of 332,800 bytes. The MD5 checksum is the following string: 0x682A829DA1A9E76604C7C77A666E087B

The doc0002.exe file in the doc0002.zip attachment has a file size of 505,412 bytes. The MD5 checksum is the following string: 0x75403737119F902DE32B309B794DA4F5

The Vodafone-16122013876004.pdf.exe file in the Vodafone-16122013025394.zip attachment has a file size of 342,016 bytes. The MD5 checksum is the following string: 0x90E751472036CDD18AC88809EE77F0

The Case 463252349343.exe file in the Case 463252349343.zip attachment has a file size of 14,848 bytes. The MD5 checksum is the following string: 0x875CF5FA804AA30CEA1BA91C223C3E8B

The Label_12192013.exe file in the Label_921430451583.zip attachment has a file size of 16,384 bytes. The MD5 checksum is the following string: 0x8A46C20D4DBED04DA5BC80E1DAB6E48F


A third variant of the To All Employees 2013.exe file in the To All Employees 2013.zip attachment has a file size of 12,288 bytes. The MD5 checksum is the following string: 0x424840BEC7FAD79E8FFDBBCA5E74F945
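The file names, sizes and MD5 checksums above are the indicators a mail gateway or endpoint team would match against. The following script is an added example, not Cisco's tooling or anything from this alert beyond the indicator values themselves: it embeds a subset of the alert's indicators, inspects every member of a .zip attachment, and reports a hash match, a known file name, an executable packed in a mail archive, and the .pdf.exe double-extension trick the Vodafone lure uses. The sample archive it scans is constructed in memory with a placeholder payload (an MZ header followed by zeros), so it is not the malware and its hash will not match; the hash check fires only when a real sample is scanned.

```python
from __future__ import annotations

import hashlib
import io
import zipfile

# Indicators copied from the alert (member file name, size in bytes, MD5).
# This is a subset of the alert's list; the "0x" prefix the alert prints on
# each checksum is dropped so the hex can be compared directly.
KNOWN_BAD = [
    ("PO 5211.exe", 653312, "718DB447791896F26C8A33DE85A7FE53"),
    ("PO 6321.exe", 478328, "1A4FD909F92DFE634D5D75910BEF9D99"),
    ("VodafoneWillkommen_093746339221.pdf.exe", 235833, "3F3E507A315414B8ED91D54D9531E25B"),
    ("To All Employees 2013.exe", 19968, "4556D703CFA148E1B7E0EC9C98439197"),
    ("Transaction.exe", 12288, "E2F31930AFC21B04B110900D7912F00A"),
    ("Label_12192013.exe", 16384, "8A46C20D4DBED04DA5BC80E1DAB6E48F"),
]
KNOWN_NAMES = {name.lower() for name, _, _ in KNOWN_BAD}
KNOWN_HASHES = {md5.lower(): name for name, _, md5 in KNOWN_BAD}

# Extensions Windows will execute directly; an archive attachment has no
# business carrying any of them in this campaign's context.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
DOCUMENT_EXTS = ("pdf", "doc", "docx", "xls", "xlsx", "txt")


def inspect_member(name: str, data: bytes) -> list[str]:
    """Return the reasons one archive member resembles this outbreak (empty if none)."""
    reasons: list[str] = []
    lower = name.lower()
    digest = hashlib.md5(data).hexdigest()
    if digest in KNOWN_HASHES:
        reasons.append(f"md5 {digest} matches known sample {KNOWN_HASHES[digest]}")
    if lower in KNOWN_NAMES:
        reasons.append(f"file name '{name}' matches a known sample name")
    if lower.endswith(EXECUTABLE_EXTS):
        reasons.append("executable inside a mail attachment archive")
        # "Label.pdf.exe" style: the part before the real extension ends in a
        # document extension, so the icon/name suggests a document.
        stem = lower.rsplit(".", 1)[0]
        if "." in stem and stem.rsplit(".", 1)[1] in DOCUMENT_EXTS:
            reasons.append("double extension disguising an executable as a document")
    return reasons


def scan_zip(archive: bytes) -> dict[str, list[str]]:
    """Scan every file in a .zip attachment; returns {member name: reasons}, empty if clean."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = inspect_member(info.filename, zf.read(info))
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Constructed test input: an in-memory zip holding the given members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed lure archive: member names taken from the alert, payload is a
    # harmless placeholder (MZ header plus padding), plus one benign document.
    placeholder_exe = b"MZ" + b"\x00" * 62
    sample = build_sample_zip({
        "PO 5211.exe": placeholder_exe,
        "VodafoneWillkommen_093746339221.pdf.exe": placeholder_exe,
        "invoice.pdf": b"%PDF-1.4 constructed benign document",
    })
    for member, reasons in scan_zip(sample).items():
        print(member)
        for reason in reasons:
            print("  -", reason)
```

In a gateway deployment the hash check is the high-confidence signal and the name and double-extension checks are the early-warning ones: the alert's own history shows the file names and checksums changing between versions, so a rule keyed only on the MD5 list goes stale within days, while "executable inside an archive attachment" keeps catching the next wave.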

The following text is a sample of the email message that is associated with this threat outbreak:

Message Body:

Good Day,
Please with the attached swift kindly arrange our P.O asap
and confirm to me about the delivery status asap.
Awaiting your reply.
Thank you in advance.

Or

Message Body:

Dear sir,
Please go through our attached Qoutation and Samples of your product attach to this mail and send us the following your Best Price, Payment Terms, Period of production as soon as possible, because we want to place order immediately.
Note: If you have new products, do not hesitate to send us samples.
Thanks.
AntonÏn Pavel Gronych
(Purchasing Manager)

Or

Message Body:

Dear Sir,
We have made payment for P.O. #6616-R4 > invoice #TN-1307011
See attached report from our bank.
Please do Telex release for shipment,
and send us copy of the Surrendered OBL
Kindly advise if you can make this shipment
before date 10/14
Thank you and best regards,
Leon Lin

Or

Subject: Message copied from system quarantine

Message Body:

Dear,
thank you for your order. It is currently being processed. All further details can be found in the attached PDF file.
To read and print it you need Adobe Acrobat Reader.
If you do not have the program on your computer, you can download it here free of charge:
hxxp://www.adobe.de/products/acrobat/readstep2.html
Please note that this is an automatically generated e-mail and that you cannot send us any further inquiry or reply by this route. If you would like to reply to us,
please use the contact options at hxxp://dsl.vodafone.de.
By the way, at hxxp://www.vodafone.de/meinvodafone you can reach our free online customer service around the clock. Try out the many options simply and conveniently:
Find out about our products, tariffs or your bill.
Check the processing status of your current orders.
Manage your customer and login details yourself.
If you have questions, use the comprehensive help function.
Simply log in with your personal online username and online password!
Kind regards
Your Vodafone Team
Vodafone D2 GmbH
The legally required information can be found at www.vodafone.de/pflichtangaben

Or

Subject: Fwd: NEW SHIPMENT FROM #0091 CONSIGNEE:BAN CHANG HARDWARE (BRASSWARE) CO., LTD

Message Body:

Please see in Enclosed attached a New order to ship on 25TH January.
Also in attached there are barcode details.
But we also would like to order some new items. Can you please see in attached with your codes, and fill unit cost; quantity by inner and by master with FOB Taiwan pricing.
Best Regards,
Ryan Wang

Or

Message Body:

DocuSign Logo
Your document has been completed
Sent on behalf of administrator@spamcop.net.
All parties have completed the envelope 'Please DocuSign this document: To All Employees 2013.doc'.
To view or print the document download the attachment .
(self-extracting archive, Adobe PDF)
This document contains information confidential and proprietary to spamcop.net
LEARN MORE: New Features | Tips & Tricks | Video Tutorials
DocuSign. The fastest way to get a signature.
If you have questions regarding this notification or any enclosed documents requiring your signature, please contact the sender directly. For technical assistance with the signing process,
you can email support.
This message was sent to you by administrator@spamcop.net who is using the DocuSign Electronic Signature Service. If you would rather not receive email from this sender you may contact the
sender with your request.

Or

Subject: Response to Delivered Fax

Message Body:

The attached mail was received in response to a Fax2Mail user
for which you are listed as an administrator.
We were unable to process your recent transaction. Please verify your details and try again.
If the problem persists, contact us to complete your order.
Transaction details are shown in the attached file.
Reference #437335016144
This email has been sent from an automated system.
PLEASE DO NOT REPLY.
The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer. Thank you.

Or

Subject: ADP - Reference #846991392796

Message Body:

We were unable to process your recent transaction. Please verify your details and try again.
If the problem persists, contact us to complete your order.
Transaction details are shown in the attached file.
Reference #846991392796
This email has been sent from an automated system.
PLEASE DO NOT REPLY.
The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer. Thank you.

Or

Message Body:

Please find attached scanned order and give me your best price with the below details
Also give me your phone number so I can reach you from China.
Thanks,
Joy Habba.
Product Manager

Or

Subject: Royal Mail Shipping Advisory, Thu, 28 Nov 2013

Message Body:

Royal Mail Logo
Royal Mail Group Shipment Advisory
The following 1 piece(s) have been sent via Royal Mail on Mon, 28 Nov 2013 15:43:14 +0530, REF# 5646597645
SHIPMENT CONTENTS: Insurance Form
SHIPPER REFERENCE: PLEASE REFER TO ATTACHED FILE
ADDITIONAL MESSAGE FROM SHIPPER: PLEASE REFER TO ATTACHED FILE
Royal Mail Group Ltd 2013. All rights reserved

Or

Subject: New Order

Message Body:

Please find attached scanned order and give me your best price with the below details
Also give me your phone number so I can reach you from China.
Thanks,
Mary Paul
This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited. When addressed to our clients any opinions or advice contained in this email are subject to the terms and conditions expressed in the governing client engagement letter.

Cisco Security Intelligence Operations analysts examine real-world email traffic data that is collected from over 100,000 contributing organizations worldwide. This data helps provide a range of information about and analysis of global email security threats and trends. Cisco will continue to monitor this threat and automatically adapt systems to protect customers. This report will be updated if there are significant changes or if the risk to end users increases.

Cisco security appliances protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. Email that is managed by Cisco and end users who are protected by Cisco Web Security Appliances will not be impacted by these attacks. Cisco security appliances are automatically updated to prevent both spam email and hostile web URLs from being passed to the end user.

Related Links
Cisco Security Intelligence Operations
Cisco SenderBase Security Network
 
Alert History
 

Version 13, December 20, 2013, 8:19 AM: Cisco Security Intelligence Operations has detected significant activity on December 19, 2013.

Version 12, December 17, 2013, 9:57 AM: Cisco Security Intelligence Operations has detected significant activity on December 15, 2013.

Version 11, December 9, 2013, 2:49 PM: Cisco Security Intelligence Operations has detected significant activity on December 8, 2013.

Version 10, December 3, 2013, 12:44 AM: Cisco Security Intelligence Operations has detected significant activity on November 28, 2013.

Version 9, November 27, 2013, 4:26 PM: Cisco Security Intelligence Operations has detected significant activity on November 27, 2013.

Version 8, November 22, 2013, 5:38 PM: Cisco Security Intelligence Operations has detected significant activity on November 20, 2013.

Version 7, November 18, 2013, 10:34 PM: Cisco Security Intelligence Operations has detected significant activity on November 18, 2013.

Version 6, November 18, 2013, 4:51 PM: Cisco Security Intelligence Operations has detected significant activity on November 15, 2013.

Version 5, November 13, 2013, 4:55 PM: Cisco Security Intelligence Operations has detected significant activity on November 12, 2013.

Version 4, November 6, 2013, 3:59 PM: Cisco Security Intelligence Operations has detected significant activity on November 5, 2013.

Version 3, October 29, 2013, 2:58 PM: Cisco Security Intelligence Operations has detected significant activity on October 28, 2013.

Version 2, October 28, 2013, 3:15 PM: Cisco Security Intelligence Operations has detected significant activity on October 28, 2013.

Version 1, October 24, 2013, 5:34 PM: Cisco Security Intelligence Operations has detected significant activity on October 24, 2013.


Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShield Threat Outbreak Alert Original Release Base

Associated Products:
N/A




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.