Threat Outbreak Alert: Fake Invoice Statement Attachment E-mail Messages on May 22, 2013
Threat Type:
IntelliShield: Threat Outbreak Alert
IntelliShield ID:
27077
Version:
20
First Published:
2012 October 01 21:39 GMT
Last Published:
2013 May 23 13:02 GMT
Port:
Not Available
Urgency:
Possible Use
Credibility:
Confirmed
Severity:
Mild Damage
Version Summary:
Cisco Security Intelligence Operations has detected significant activity on May 22, 2013.
Description
Cisco Security Intelligence Operations has detected significant activity related to spam e-mail messages that claim to contain an invoice statement for the recipient. The text in the e-mail message attempts to convince the recipient to open the attachment and view the details. However, the .zip attachment contains a malicious .exe file that, when executed, attempts to infect the system with malicious code.
E-mail messages that are related to this threat (RuleID4626 and RuleID4626KVR) may contain any of the following files:
The Invoice_AA-N999278482.exe file in the Invoices-28-2012.zip attachment has a file size of 100,864 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x19F481447E1ADF70245582D4F4F5719C
The Invoices_12_N88283.exe file in the Invoice_N0345.zip attachment has a file size of 90,112 bytes. The MD5 checksum is the following string: 0x3A8CE3D72B60B105783D74DBC65C37A6
The Invoice_10302012_MK938.exe file in the Invoice_j5898320.zip attachment has a file size of 91,136 bytes. The MD5 checksum is the following string: 0x3D919E36029CC92724A7B9915ABD8075
The Invoice_URGN-889289.exe file in the Invoice.zip attachment has a file size of 87,040 bytes. The MD5 checksum is the following string: 0xA5C8FB478FF7788609863B83079718EC
The Invoice_1010732785.exe file in the Invoice.zip attachment has a file size of 559,104 bytes. The MD5 checksum is the following string: 0x212C44B8C955CA09277DD0B9B2D0A505
The invoice.exe file in the PURCHASE ORDER.zip attachment has a file size of 270,336 bytes. The MD5 checksum is the following string: 0x563857AE240C2970B20D8335AC95A375
A variant of invoice.exe file in the invoice.zip attachment has a file size of 263,168 bytes. The MD5 checksum is the following string: 0x2884CEC7424D31B443ADEEB7777E080C
The Invoice_QuickBooks_02_22_2013.exe file in the Invoice_QuickBooks_02_22_2013.zip attachment has a file size of 138,752 bytes. The MD5 checksum is the following string: 0xEB22580EFF7737A5DC3E822F917D37E7
The Invoices_APO2888302.doc.exe file in the Invoices.zip attachment has a file size of 114,688 bytes. The MD5 checksum is the following string: 0xA302F44D356398BB57420C14F00F3C31
The Invoice_98298997397.exe file in the Invoice_5549855.zip attachment has a file size of 135,168 bytes. The MD5 checksum is the following string: 0x1039792C2A0289C495002DDA79C13429<
The INVOICE_28781731.exe file in the INVOICE_28781731.zip attachment has a file size of 110,080 bytes. The MD5 checksum is the following string: 0xB193683BCA09B396E1161B2D21AD9D63
The Invoice_1882384.exe file in the Invoice_1882384.zip attachment has a file size of 131,584 bytes. The MD5 checksum is the following string: 0xE2231EA5E0C6EC3F4C555B75534E4708
The INVOICE_1892891.exe file in the INVOICE_1892891.zip attachment has a file size of 137,216 bytes. The MD5 checksum is the following string: 0x89705D9BB8A613A72A0E0ABFC41FBFC4
The invoice copy.exe file in the invoice copy.zip attachment has a file size of 326,656 bytes. The MD5 checksum is the following string: 0x406B950D0B16CD32172CC3F2BEC5AFA6
A variant of the invoice copy.exe file in the invoice copy.zip attachment has a file size of 331,776 bytes. The MD5 checksum is the following string: 0xEBDCD7B8468F28932F235DC7E0CD8BCD
The invoice copy(2).exe file in the invoice copy(2).zip attachment has a file size of 328,704 bytes. The MD5 checksum is the following string: 0x47B67048F5B7E48580D182ADABCC35AB
The Invoice_18803891.exe file in the Invoice_18803891.zip attachment has a file size of 133,120 bytes. The MD5 checksum is the following string: 0x0CC5C7105E02E50BBA85952F8BB9385B
A variant of the invoice copy (2).exe file in the invoice copy.zip attachment has a file size of 329,728 bytes. The MD5 checksum is the following string: 0x4E7DC191117A6F30DD429CC619041552
The invoice copy(4).exe file in the invoice copy(4).zip attachment has a file size of 343,040 bytes. The MD5 checksum is the following string: 0xA29EE1EC187CCBE93371F3C862EAB94F
A third variant of the invoice copy.exe file in the invoice copy.zip attachment has a file size of 332,800 bytes. The MD5 checksum is the following string: 0x3FC97BE8CF8E7EE60D03EAC11CEB3948
The invoice 4532.exe file in the invoice 4532.zip attachment has a file size of 246,272 bytes. The MD5 checksum is the following string: 0x99B443DFEE4AC3FEBE6809883A47E056
The following text is a sample of the e-mail message that is associated with this threat outbreak:
Subject: Re: FW: End of Aug. Statement Reqiured
Message Body:
Hi,
as reqeusted I give you inovices issued to you per sept.
Regards
Or
Subject: Re: Inter-company invoice from Boyd Gaming Corp.
Message Body:
Hi
Attached the intercompany inv. for the period July 2012 til Aug. 2012.
Thanks a lot for supporting this process
DENEEN Herndon
Boyd Gaming Corp.
Or
Subject: Re: FW: End of Aug. Statement required
Message Body:
Good day,
as reqeusted I give you inovices issued to you per july (Microsoft Word format).
Regards
FLO Barret
Or
Subject: Missed package delivery!
Message Body:
Dear client,
We attempted to deliver your item at 08:44 am on Jan 30th, 2013.
The delivery attempt failed because nobody was present at the shipping address, so this notification has been automatically sent.
You may arrange redelivery or pick up the item at the U.S. Post Office indicated on the receipt.
If the package is not scheduled for redelivery or picked up within 48 hours, it will be returned to the sender.
Or
Subject: Please respond - overdue payment
Message Body:
Please find attached your invoices for the past months. Remit the payment by 02/25/2013 as outlines under our "Payment Terms" agreement.
Thank you for your business,
Sincerely,
Terrell Rodriquez
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.
The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer. Thank you.
Or
Subject: Re: FW: End of Aug. Statement Reqiured
Message Body:
Hallo,
as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer/Mozilla Firefox file)
Regards
Please find attached your invoices for the past months. Remit the payment by 04/29/2013 as outlines under our "Payment Terms" agreement.
Thank you for your business,
Sincerely,
Esteban Benton
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.
The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer. Thank you.
Or
Subject: invoice copy
Message Body:
Kindly open to see export License and payment invoice attached,
meanwhile we sent the balance payment yesterday.
Please confirm if it has settled in your account or you can call if
there is any problem.
Thanks
Karen parker
Cisco Security Intelligence Operations analysts examine real-world e-mail traffic data that is collected from over 100,000 contributing organizations worldwide. This data helps provide a range of information about and analysis of global e-mail security threats and trends. Cisco will continue to monitor this threat and automatically adapt IronPort systems to protect customers. This report will be updated if there are significant changes or if the risk to end users increases.
Cisco security appliances protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. E-mail that is managed by Cisco and end users who are protected by Cisco Web Security Appliances will not be impacted by these attacks. Cisco security appliances are automatically updated to prevent both spam e-mail and hostile web URLs from being passed to the end user.
The security vulnerability applies to the following combinations of products.
Primary Products:
IntelliShield
Threat Outbreak Alert
Original Release Base
Associated Products:
N/A
Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the
Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service.
This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment. Cisco is pleased to offer a free trial of the service.
To register for full access, please visit the IntelliShield trial registration page.
LEGAL DISCLAIMER The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
