Threat Outbreak Alert: Fake Financial Documents Email Messages on July 21, 2014

 
Threat Type: IntelliShield: Threat Outbreak Alert
IntelliShield ID: 33438
Version: 24
First Published: 2014 March 20 19:46 GMT
Last Published: 2014 July 23 14:50 GMT
Port: Not available
Urgency: Possible use
Credibility: Confirmed
Severity: Mild Damage

Version Summary: Cisco Security Intelligence Operations has detected significant activity on July 21, 2014.
 

Description
 
Cisco Security Intelligence Operations has detected significant activity related to Portuguese-language spam email messages that claim to contain an invoice for the recipient. The text in the email message attempts to convince the recipient to open the attachment to view the invoice. However, the .zip attachment contains a malicious .cpl file that, when executed, attempts to infect the system with malicious code.

Email messages that are related to this threat (RuleID9280 and RuleID9280KVR) may contain the following files:

NF-Eletronica.zip
Nota fiscal pdf.cpl
Deposito em Conta corrente.zip
Deposito em Conta corrente.cpl
Segunda-Via-Cobrança.zip
Segunda-Via-Boleto.cpl
Nota-Fiscal-PDF.zip
Nota-Fiscal-Eletronica.cpl
2Via-Boleto.doc.zip
2Via-Boleto.doc.cpl
NOTA-FISCAL-ELETRONICA.zip
NF-PDF.cpl
CURRICULO.zip
CURRICULO_VITAE_OUTLOOK_7383J2L2.cpl
Nota-Fiscal-Pdf.cpl
NFS-e - Nota Fiscal.Dpf.zip
NFS-e - Nota Fiscal.Dpf.cpl
2ViaBoleto.zip
2ViaBoleto.cpl
Boleto.zip
Boleto.cpl
Boleto-Eletronico.zip
Segunda-Via-Boleto-PDF.cpl
Comprovante.zip
Comprovante.cpl
Nota-Fiscal-PDF.zip
NF-e ELETRONICA.zip
NF-e ELETRONICA.cpl
Mensagem De Voz Facebook.zip
Mensagem De Voz Facebook.cpl
Oito beneficios.zip
Oito beneficios.cpl
deposito.pdf____.cpl
AcertoPendencias.zip
AcertoPendencias.cpl
Boleto_2Via.Documento.zip
Boleto_2Via.Documento.cpl

The Nota fiscal pdf.cpl file in the NF-Eletronica.zip attachment has a file size of 741,888 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0xA5369A50FD2C827AC9BEAAC5089752F6

The Deposito em Conta corrente.cpl file in the Deposito em Conta corrente.zip attachment has a file size of 635,392 bytes. The MD5 checksum is the following string: 0x123605D8BE64F725A2A8ABC720868459

A variant of the Deposito em Conta corrente.cpl file in the Deposito em Conta corrente.zip attachment has a file size of 635,392 bytes. The MD5 checksum is the following string: 0x0B640FBD5FF38CA62333DEA592D22754

A third variant of the Deposito em Conta corrente.cpl file in the Deposito em Conta corrente.zip attachment has a file size of 635,392 bytes. The MD5 checksum is the following string: 0xA9BE181ABD2DDF93249E025B6C52585A

A fourth variant of the Deposito em Conta corrente.cpl file in the Deposito em Conta corrente.zip attachment has a file size of 635,392 bytes. The MD5 checksum is the following string: 0x64DEAB450D55F7A884A4A4AC67C4014B

A fifth variant of the Deposito em Conta corrente.cpl file in the Deposito em Conta corrente.zip attachment has a file size of 635,392 bytes. The MD5 checksum is the following string: 0x8D4512AF6E5BCAADE5A5FEB448A94D16

The Segunda-Via-Boleto.cpl file in the Segunda-Via-Cobrança.zip attachment has a file size of 748,032 bytes. The MD5 checksum is the following string: 0x303B4439F6265F58364B0761D68CD403

The Nota-Fiscal-Eletronica.cpl file in the Nota-Fiscal-PDF.zip attachment has a file size of 748,032 bytes. The MD5 checksum is the following string: 0x571D4B27F6FF529CFE0E75BBD5CF6451

A sixth variant of the Deposito em Conta corrente.cpl file in the Deposito em Conta corrente.zip attachment has an approximate file size of 240,732 bytes. The MD5 checksum is the following string: 365633554fe683cfe9c20455ef588a1f

The 2Via-Boleto.doc.cpl in the 2Via-Boleto.doc.zip file has a file size of 264,192 bytes. The MD5 checksum is the following string: 0xBEF608A54B99D13B5E1B8133660E5EE4

The NF-PDF.cpl in the NOTA-FISCAL-ELETRONICA.zip file has a file size of 742,400 bytes. The MD5 checksum is the following string: 0xB5D004D96B92CFB2327E7127097CAB7B

A variant of the NF-PDF.cpl in the NOTA-FISCAL-ELETRONICA.zip file has a file size of 742,400 bytes. The MD5 checksum is the following string: 0x63D7E64752CF18B9093F21A7AA154641

A third variant of the NF-PDF.cpl in the NOTA-FISCAL-ELETRONICA.zip file has a file size of 742,400 bytes. The MD5 checksum is the following string: 0x839DDFA948AA948CFB8FFBF928510DA5

The CURRICULO_VITAE_OUTLOOK_7383J2L2.cpl in the CURRICULO.zip file has an approximate file size of 425,605 bytes. The MD5 checksum is the following string: d9bfdaaaf03afaf1b76afce1055f2d81

The Nota-Fiscal-Pdf.cpl file in the Nota-Fiscal-Eletronica.zip attachment has a file size of 1,521,152 bytes. The MD5 checksum is the following string: 0x21A19D16CDE6CA44C024D88E0751A2C1

The NFS-e - Nota Fiscal.Dpf.cpl file in the NFS-e - Nota Fiscal.Dpf.zip attachment has a file size of 522,240 bytes. The MD5 checksum is the following string: 0xF18D59920D8967FE78CA2A1A910A27DD

The 2ViaBoleto.cpl in the 2ViaBoleto.zip file has an approximate file size of 1,359,872 bytes. The MD5 checksum is the following string: 0x7554CFA046B61C5A03F51E7179564414

The Boleto.cpl file in the Boleto.zip attachment has a file size of 311,296 bytes. The MD5 checksum is the following string: 0xD39EB24B8A5F2B34FC3E06C4298C2555

The Segunda-Via-Boleto-PDF.cpl file in the Boleto-Eletronico.zip attachment has a file size of 960,512 bytes. The MD5 checksum is the following string: 0xABF4A4BAEA717D97DBADE539D323D3AE

The Comprovante.cpl file in the Comprovante.zip attachment has a file size of 173,568 bytes. The MD5 checksum is the following string: 0xEC0748BA7CD464B1163142ADA1EF1DE5

A variant of the Nota-Fiscal-PDF.cpl file in the Nota-Fiscal-PDF.zip attachment has a file size of 897,536 bytes. The MD5 checksum is the following string: 0xCCCF91AEED617DB4E553BAF239DF61DD

A third variant of the Nota-Fiscal-PDF.cpl file in the Nota-Fiscal-Eletronica.zip attachment has a file size of 897,536 bytes. The MD5 checksum is the following string: 0x51BD1B04E173D8D454009D570F882BC2

The NF-e ELETRONICA.cpl file in the NF-e ELETRONICA.zip attachment has a file size of 152,576 bytes. The MD5 checksum is the following string: 0xE08E4B00E8937C33163A81C1E623EE5F

The Mensagem De Voz Facebook.cpl file in the Mensagem De Voz Facebook.zip attachment has a file size of 110,592 bytes. The MD5 checksum is the following string: 0xEC7E49B669B57D45DD25048B550F8106

A variant of the Boleto.cpl file in the Boleto.zip attachment has a file size of 748,032 bytes. The MD5 checksum is the following string: 0xF0F29BB28F4FA201D1F7487AAE255DEF

A third variant of the Boleto.cpl file in the Boleto.zip attachment has a file size of 800,768 bytes. The MD5 checksum is the following string: 0xEAF632DFAF3012785871E88B9E02A504

The Oito beneficios.cpl file in the Oito beneficios.zip attachment has a file size of 105,472 bytes. The MD5 checksum is the following string: 0x4C4124BE7E6CFD7D2408B9E1D0D3D1F7

The deposito.pdf____.cpl file in the comprovante.zip attachment has a file size of 498,176 bytes. The MD5 checksum is the following string: 0xE4FCF86C0522C48C0B45F9B16F701203

The AcertoPendencias.cpl file in the AcertoPendencias.zip attachment has a file size of 687,616 bytes. The MD5 checksum is the following string: 0x83D7C8D58AFB64AC041DF2028F615560


The Boleto_2Via.Documento.cpl file in the Boleto_2Via.Documento.zip attachment has a file size of 508,928 bytes. The MD5 checksum is the following string: 0x0CD3943232BD598053FA35C3FE9F2327
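
As an added example, not part of the Cisco alert: a Python triage routine for the attachment pattern described above. It opens a .zip, flags members with the .cpl extension, flags names that put a document word (pdf, doc, boleto, nota fiscal) in front of .cpl, and compares each member's MD5 against a subset of the checksums listed above; the archive it builds for the demonstration is constructed test data, and the "MZ" stub payload is an assumption, not a real sample.

```python
# Triage a .zip e-mail attachment for the pattern in this alert: a Control Panel
# applet (.cpl, a DLL loaded by control.exe) dressed up as an invoice or boleto.
import hashlib
import io
import re
import zipfile

# A subset of the MD5 checksums listed in the alert, lower-cased without 0x.
KNOWN_BAD_MD5 = {
    "a5369a50fd2c827ac9beaac5089752f6": "Nota fiscal pdf.cpl",
    "123605d8be64f725a2a8abc720868459": "Deposito em Conta corrente.cpl",
    "bef608a54b99d13b5e1b8133660e5ee4": "2Via-Boleto.doc.cpl",
    "e4fcf86c0522c48c0b45f9b16f701203": "deposito.pdf____.cpl",
}

# Document words the lure names put in front of the real .cpl extension
# (e.g. 'Nota-Fiscal-Pdf.cpl', '2Via-Boleto.doc.cpl', 'deposito.pdf____.cpl').
DECOY_TOKEN = re.compile(r"pdf|dpf|doc|boleto|nota.?fiscal|comprovante", re.I)

def triage_attachment(zip_bytes: bytes) -> list:
    """One finding per member that is a .cpl, carries a decoy document word
    in its name, or whose MD5 matches an indicator from the alert."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name, reasons = info.filename, []
            if name.lower().endswith(".cpl"):
                reasons.append("cpl")
                if DECOY_TOKEN.search(name[:-4]):
                    reasons.append("decoy_name")
            data = zf.read(info)
            md5 = hashlib.md5(data).hexdigest()
            if md5 in KNOWN_BAD_MD5:
                reasons.append("known_md5")
            if reasons:
                findings.append({"name": name, "size": len(data),
                                 "md5": md5, "reasons": reasons})
    return findings

def make_sample_zip(member: str, payload: bytes) -> bytes:
    """Build an in-memory archive; constructed test data, not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, payload)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed lure: a 64-byte 'MZ' stub named like the alert's attachments.
    sample = make_sample_zip("Nota-Fiscal-Pdf.cpl", b"MZ" + b"\0" * 62)
    print(triage_attachment(sample))
```

A real sample from the list above would additionally produce the `known_md5` reason; the constructed stub only exercises the extension and decoy-name checks.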

The following text is a sample of the email message that is associated with this threat outbreak:

Subject: Como solicitado.

Message Body:

Segue anexo:Nota fiscal de serviços prestados. JM Financeira.

Or

Subject: Deposito em Conta Confirmado.

Message Body:

Segue em anexo o comprovante de deposito em conta.
Pedimos que confira seus dados e verifique se todas informacoes
estao corretas.
Att.

Or

Subject: Confirmacao de Deposito em conta.

Message Body:

Segue em anexo o comprovante de deposito em conta.
Pedimos que confira seus dados e verifique se todas informacoes
estao corretas.
Att.
Daniel Vilela.
Dept. Financeiro.

Or

Message Body:

Reenvio de Cobrança. Conforme solicitado segue o anexo do boleto de cobrança. Pedimos que confirme seus dados juntamente ao boleto e verifique se todas as informações estão corretas.

Or

Message Body:

Prezado Cliente: Conforme solicitado, segue o Anexo da 2ª via da fatura em atraso com vencimento para 20/04/2014 Atenciosamente, WS Empresarial

Or

Subject: Segue em anexo a cópia da NOTA FISCAL em PDF

Message Body:

Segue em anexo a cópia da NOTA FISCAL em PDF onde está a relação dos pedidos e demais detalhes do pagamento. Informamos que o valor foi debitado com sucesso! Qualquer dúvida em relação aos pedidos entrar em contato conosco que explicaremos! Sp Net LTDA agradecemos a preferência! Atenciosamente, gloria freitas Santos Setor Financeiro.

Or

Subject: Financeiro

Message Body:

Este arquivo deve ser armazenado. Nota Fiscal PDF Nº 8530071 Nota-Fiscal-Emitida.PDF Prezado(a) cliente, Segue em anexo a cópia da NOTA FISCAL em PDF onde está a relação dos pedidos e demais detalhes do pagamento. Informamos que o valor foi debitado com sucesso! Qualquer dúvida em relação aos pedidos entrar em contato conosco que explicaremos! Cobranças

Or

Subject: Nota Fiscal Eletrônica recebida - NF-e 767 - Série 0

Message Body:

Bom Dia !
Conforme contato anterior segue em anexo notas fiscais .
NF-eletronica-08/05/2014
Ruth Alves
Alfa Ltda
Setor Comercial

Or

Message Body:

Prezado Cliente: Conforme solicitado, segue o Anexo da 2ª via da fatura em atraso com vencimento para 20/05/2014 Atenciosamente, TYU- Empresarial

Or

Subject: Boleto Bancário

Message Body:

Prezado cliente,
Até o presente momento não identificamos o pagamento do Boleto do Acordo firmado.
O boleto com vencimento para hoje segue em anexo.
Gostaria de ressaltar que esta é a última oportunidade para pagamento sem custas processuais.
Caso já tenha efetuado o pagamento favor desconsiderar este mensagem
Obrigada.

Or

Message Body:

Prezado Cliente.
Reenvio de Cobrança.
Conforme solicitado segue o anexo do boleto de cobrança.
Pedimos que confirme seus dados juntamente ao boleto e verifique se todas as informações estão corretas.
Aguardamos o pagamento do boleto. Caso não efetuar o pagamento na data de vencimento do boleto
acarretará multa e juros de mora de 2% (dois por cento) ao Dia.
Atenciosamente.
Pedro Lima Vasconçelos.
Financeiro.
- Assessoria Jurídica e Cobranças LTDA.
CNPJ 41.368.008/9624-23

Or

Subject: Voce Recebeu Uma Mensagem de Voz

Or

Subject: Fwd: Negociação Pendente

Message Body:

Fernando Nakade
Coordenador TI
Caramuru Alimentos S.A.
Via Expressa Júlio Borges de Souza, 4240 - B. Nossa Senhora da Saúde

Cisco Security Intelligence Operations analysts examine real-world email traffic data that is collected from over 100,000 contributing organizations worldwide. This data helps provide a range of information about and analysis of global email security threats and trends. Cisco will continue to monitor this threat and automatically adapt systems to protect customers. This report will be updated if there are significant changes or if the risk to end users increases.

Cisco security appliances protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. Email that is managed by Cisco and end users who are protected by Cisco Web Security Appliances will not be impacted by these attacks. Cisco security appliances are automatically updated to prevent both spam email and hostile web URLs from being passed to the end user.

Related Links
Cisco Security Intelligence Operations
Cisco SenderBase Security Network
 
Alert History
 

Version 23, July 17, 2014, 8:32 AM: Cisco Security Intelligence Operations has detected significant activity on July 15, 2014.

Version 22, July 14, 2014, 8:56 AM: Cisco Security Intelligence Operations has detected significant activity on July 13, 2014.

Version 21, July 8, 2014, 10:44 AM: Cisco Security Intelligence Operations has detected significant activity on July 7, 2014.

Version 20, July 7, 2014, 8:47 AM: Cisco Security Intelligence Operations has detected significant activity on July 3, 2014.

Version 19, July 1, 2014, 10:36 AM: Cisco Security Intelligence Operations has detected significant activity on June 28, 2014.

Version 18, June 5, 2014, 8:52 AM: Cisco Security Intelligence Operations has detected significant activity on June 4, 2014.

Version 17, June 4, 2014, 10:19 AM: Cisco Security Intelligence Operations has detected significant activity on June 3, 2014.

Version 16, May 30, 2014, 11:54 PM: Cisco Security Intelligence Operations has detected significant activity on May 30, 2014.

Version 15, May 28, 2014, 8:54 AM: Cisco Security Intelligence Operations has detected significant activity on May 27, 2014.

Version 14, May 21, 2014, 8:28 AM: Cisco Security Intelligence Operations has detected significant activity on May 19, 2014.

Version 13, May 12, 2014, 8:27 AM: Cisco Security Intelligence Operations has detected significant activity on May 9, 2014.

Version 12, May 1, 2014, 7:47 AM: Cisco Security Intelligence Operations has detected significant activity on April 30, 2014.

Version 11, April 22, 2014, 11:37 AM: Cisco Security Intelligence Operations has detected significant activity on April 21, 2014.

Version 10, April 14, 2014, 9:22 AM: Cisco Security Intelligence Operations has detected significant activity on April 11, 2014.

Version 9, April 10, 2014, 10:28 AM: Cisco Security Intelligence Operations has detected significant activity on April 8, 2014.

Version 8, April 4, 2014, 9:55 AM: Cisco Security Intelligence Operations has detected significant activity on April 3, 2014.

Version 7, April 2, 2014, 9:10 AM: Cisco Security Intelligence Operations has detected significant activity on April 1, 2014.

Version 6, April 1, 2014, 9:10 AM: Cisco Security Intelligence Operations has detected significant activity on March 31, 2014.

Version 5, March 31, 2014, 9:13 AM: Cisco Security Intelligence Operations has detected significant activity on March 28, 2014.

Version 4, March 28, 2014, 10:05 PM: Cisco Security Intelligence Operations has detected significant activity on March 27, 2014.

Version 3, March 28, 2014, 9:11 AM: Cisco Security Intelligence Operations has detected significant activity on March 27, 2014.

Version 2, March 27, 2014, 10:12 AM: Cisco Security Intelligence Operations has detected significant activity on March 26, 2014.

Version 1, March 20, 2014, 3:46 PM: Cisco Security Intelligence Operations has detected significant activity on January 30, 2014.



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShield Threat Outbreak Alert Original Release Base

Associated Products:
N/A




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.