Cisco Security

Threat Outbreak Alert: RuleID4947 Fake Unspecified E-mail Messages on April 29, 2016

 
Threat Type: IntelliShield: Threat Outbreak Alert
IntelliShield ID: 27681
Version: 17
First Published: 2012 December 18 22:42 GMT
Last Published: 2016 May 02 12:28 GMT
Port: Not available
Urgency: Possible use
Credibility: Confirmed
Severity: Mild Damage

Version Summary: Cisco Security has detected significant activity on April 29, 2016.
 

Description
 
Cisco Security has detected significant activity related to spam e-mail messages that claim to contain an unspecified message for the recipient. The text in the e-mail message attempts to convince the recipient to open the attachment and view the details. However, the .zip attachment contains a malicious .exe file that, when executed, attempts to infect the system with malicious code.

E-mail messages related to this threat (RuleID4947 and RuleID7947KVR) may contain the following files (the .zip attachment and the executable it carries; names that appear more than once correspond to different samples, listed with their sizes and checksums below):
KB00484414.zip
KB00484414.exe
votingremittance.zip
achromaticAgreement 2015.exe
RFQ Inquiry.zip
RFQ Inquiry.exe
Case_6092178.zip
Case_7468469.scr
revised Proforma-Invoice.zip
revised Proforma-Invoice..exe
bestellung.28.10.2015.n24r3217.exe
bestellung.28.10.2015.n24r3217.zip
Revised Proforma-Invoice.zip
saless.exe
inquiry.zip
inquiry.exe
RFQ Inquiry.zip
RFQ Inquiry.exe
Proforma Invoice.zip
Proforma Invoice.exe
joeljideofforcrypt.exe
remittance wire.zip
remittance wire.scr
proforma invoice.zip
proforma invoice.exe
Proforma Invoice.zip
Proforma Invoice.exe
revised Proforma-Invoice No. 74515.zip
revised Proforma-Invoice No. 74515.exe
DOC.zip
inquiry.exe
Inquiry.zip
Inquiry.exe

The following file sizes and MD5 checksums identify the samples Cisco observed. An MD5 match confirms that a file is one of these known samples. The reverse does not hold: the campaign is repacked often (note the several variants below), so an attachment whose hash is not listed is not thereby clean, and MD5 is in any case not collision resistant.

The KB00484414.exe file in the KB00484414.zip attachment has a file size of 217,088 bytes and the MD5 checksum 0x1AB633CDF11E328C37729E3E319DA6B5.

The achromaticAgreement 2015.exe file in the votingremittance.zip attachment has a file size of 53,248 bytes and the MD5 checksum 0x9CB47E595F429D717454D9C102400CE3.

The RFQ Inquiry.exe file in the RFQ Inquiry.zip attachment has a file size of 979,968 bytes and the MD5 checksum 0xAABA4CFD06A7646A7E5E9E87CD789B5D.

The Case_7468469.scr file in the Case_6092178.zip attachment has a file size of 25,088 bytes and the MD5 checksum 0x206E908BB21CFE3CC063AF83B88149C3.

The revised Proforma-Invoice..exe file in the revised Proforma-Invoice.zip attachment has a file size of 709,120 bytes and the MD5 checksum 0x2893B3D90F09065F7B828385110DAB91.

The bestellung.28.10.2015.n24r3217.exe file in the bestellung.28.10.2015.n24r3217.zip attachment has a file size of 214,518 bytes and the MD5 checksum 0x2F6387C5B5C16481E87CB36BF8C4A169.

The saless.exe file in the Revised Proforma-Invoice.zip attachment has a file size of 614,400 bytes and the MD5 checksum 0x7035F202648CF42EC7BE98F97E8EFAFE.

The inquiry.exe file in the inquiry.zip attachment has a file size of 372,736 bytes and the MD5 checksum 0x854E267BA75775A23AE3738E72E6975E.

A second variant of the RFQ Inquiry.exe file in the RFQ Inquiry.zip attachment has a file size of 593,920 bytes and the MD5 checksum 0xAF5F56EB70CAEC25ACE095811B9F58CF.

The Proforma Invoice.exe file in the Proforma Invoice.zip attachment has a file size of 637,952 bytes and the MD5 checksum 0x7B808D1240162F97F5F01C15137B6988.

A second variant of the Proforma Invoice.exe file in the Proforma Invoice.zip attachment has a file size of 645,632 bytes and the MD5 checksum 0xDA0CFC3E38ABEAEF991B3B5B7D4A6D30.

The joeljideofforcrypt.exe file in the Proforma Invoice.zip attachment has a file size of 539,648 bytes and the MD5 checksum 0x2B7782C2262012FCE89FCE1C65DE819C.

The remittance wire.scr file in the remittance wire.zip attachment has a file size of 610,304 bytes and the MD5 checksum 0xD06E71832643FEC0562EC86A6F0CE88F.

A third variant of the Proforma Invoice.exe file in the Proforma Invoice.zip attachment has a file size of 361,472 bytes and the MD5 checksum 0x2EA15190943592C3D48AD4E03DB21C45.

The proforma invoice.exe file in the proforma invoice.zip attachment has a file size of 833,024 bytes and the MD5 checksum 0xB802871C4222B7C9525F3676B796505D.

A fourth variant of the Proforma Invoice.exe file in the Proforma Invoice.zip attachment has a file size of 1,046,528 bytes and the MD5 checksum 0x98DD5C932902C9A807F63DAD8B1E8D29.

The revised Proforma-Invoice No. 74515.exe file in the revised Proforma-Invoice No. 74515.zip attachment has a file size of 506,880 bytes and the MD5 checksum 0x898FE3D8EA5F81CD517DBF1F6717BED3.

The inquiry.exe file in the DOC.zip attachment has a file size of 910,848 bytes and the MD5 checksum 0xEA4C105B30A3DD9D1EDCD5EF4DD24B07.

The Inquiry.exe file in the Inquiry.zip attachment has a file size of 1,814,528 bytes and the MD5 checksum 0x06D03A7E18429B89A530DB7AC5EA950B.
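To act on the indicators above, a mail gateway or incident responder wants to do two things: hash every member of a zipped attachment and compare it against the listed samples, and, because hashes only catch those exact samples, flag any .zip that carries a Windows executable at all. The script below does both. It is an added example written for this page, not Cisco's code: the hashes and sizes are transcribed from the alert, the message and the zip are constructed inside the script so it runs offline, the .com/.pif suffixes and the 20 MB per-member cap are assumptions of the example, and MD5 is used only because that is what the alert publishes.

```python
"""Scan a raw e-mail for the attachment pattern in this alert: a .zip whose
members are Windows executables, matched against the alert's sample hashes.

Added example for this page, not Cisco code. Hashes/sizes are transcribed
from the alert; the mail and zip below are constructed so the script runs
offline and contains no malware.
"""
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# MD5 (upper-case hex) -> (member name, size in bytes), as listed in the alert.
KNOWN_SAMPLES = {
    "1AB633CDF11E328C37729E3E319DA6B5": ("KB00484414.exe", 217088),
    "9CB47E595F429D717454D9C102400CE3": ("achromaticAgreement 2015.exe", 53248),
    "AABA4CFD06A7646A7E5E9E87CD789B5D": ("RFQ Inquiry.exe", 979968),
    "206E908BB21CFE3CC063AF83B88149C3": ("Case_7468469.scr", 25088),
    "2893B3D90F09065F7B828385110DAB91": ("revised Proforma-Invoice..exe", 709120),
    "2F6387C5B5C16481E87CB36BF8C4A169": ("bestellung.28.10.2015.n24r3217.exe", 214518),
    "7035F202648CF42EC7BE98F97E8EFAFE": ("saless.exe", 614400),
    "854E267BA75775A23AE3738E72E6975E": ("inquiry.exe", 372736),
    "AF5F56EB70CAEC25ACE095811B9F58CF": ("RFQ Inquiry.exe", 593920),
    "7B808D1240162F97F5F01C15137B6988": ("Proforma Invoice.exe", 637952),
    "DA0CFC3E38ABEAEF991B3B5B7D4A6D30": ("Proforma Invoice.exe", 645632),
    "2B7782C2262012FCE89FCE1C65DE819C": ("joeljideofforcrypt.exe", 539648),
    "D06E71832643FEC0562EC86A6F0CE88F": ("remittance wire.scr", 610304),
    "2EA15190943592C3D48AD4E03DB21C45": ("Proforma Invoice.exe", 361472),
    "B802871C4222B7C9525F3676B796505D": ("proforma invoice.exe", 833024),
    "98DD5C932902C9A807F63DAD8B1E8D29": ("Proforma Invoice.exe", 1046528),
    "898FE3D8EA5F81CD517DBF1F6717BED3": ("revised Proforma-Invoice No. 74515.exe", 506880),
    "EA4C105B30A3DD9D1EDCD5EF4DD24B07": ("inquiry.exe", 910848),
    "06D03A7E18429B89A530DB7AC5EA950B": ("Inquiry.exe", 1814528),
}

# The alert's samples use .exe and .scr; .com and .pif are an assumption of
# this example (other PE extensions Windows runs on double-click).
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif")
MAX_MEMBER_BYTES = 20 * 1024 * 1024  # assumed cap: do not inflate huge members (zip-bomb guard)


def inspect_zip(data: bytes) -> list:
    """Hash each zip member; report whether it is executable and/or a known sample."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:  # declared size, checked before reading
                findings.append({"member": info.filename, "skipped": "too large"})
                continue
            payload = zf.read(info)
            md5 = hashlib.md5(payload).hexdigest().upper()
            findings.append({
                "member": info.filename,
                "size": len(payload),
                "md5": md5,
                "executable": info.filename.lower().endswith(EXECUTABLE_SUFFIXES),
                "known_sample": KNOWN_SAMPLES.get(md5),
            })
    return findings


def scan_message(raw: bytes) -> list:
    """Parse a raw RFC 822 message and inspect every .zip attachment in it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        for finding in inspect_zip(part.get_payload(decode=True)):
            finding["attachment"] = name
            results.append(finding)
    return results


def verdict(findings: list) -> str:
    """Known hash beats everything; otherwise an executable inside a zip is enough."""
    if any(f.get("known_sample") for f in findings):
        return "block: known sample"
    if any(f.get("executable") for f in findings):
        return "block: executable inside zip"
    return "allow"


def build_sample_message() -> bytes:
    """Constructed lookalike of the 'RFQ' lure: a zip holding a harmless fake .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("RFQ Inquiry.exe", b"MZ" + b"\x00" * 62 + b"not a real program")
    msg = EmailMessage()
    msg["Subject"] = "RFQ"
    msg["From"] = "buyer@example.invalid"
    msg["To"] = "sales@example.invalid"
    msg.set_content("Please find attached our Request for quotation or Inquiry form.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="RFQ Inquiry.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    hits = scan_message(build_sample_message())
    for hit in hits:
        print(hit)
    print(verdict(hits))
```

Run it directly to scan the constructed lure; for real mail, pass the raw bytes of an .eml file to scan_message(). The declared-size check before zf.read() is deliberate: inflating an attacker-supplied archive without a limit turns an IOC check into a denial-of-service point on the gateway.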

The following text is a sample of the email message that is associated with this threat outbreak:

Subject: RFQ

Message Body:

Dear Sir/Madam,
Please find attached our Request for quotation or Inquiry form.
We kindly request you to provide us with your quotation for supply of
goods as per the attached inquiry.
You are kindly requested to acknowledge receipt of this RFQ within two
(2) working days and submit your Quotation before 9.10.2015
This is an automated message without a signature. For any queries,
please contact the responsible buyer named on the RFQ or Inquiry form.
Kind Regards

Or

Subject: Case - 6092178

Message Body:

Dun & BradStreet
New Inquiry
New Complaint : 6092178
Dun & Bradstreet has received the above-referenced complaint from one of your customers 
regarding their dealings with you. 
The details of the consumer's concern are included on the reverse.
Please review this matter and advise us of your position.
In the interest of time and good customer relations, 
please provide the DnB with written verification of your position in this matter by Oct 08 , 2015.
Your prompt response will allow DnB to be of service 
to you and your customer in reaching a mutually agreeable resolution.
Please inform us if you have contacted your customer 
directly and already resolved this matter.
The Dun & Bradstreet develops and maintains Reliability 
Reports on companies across the United States and Canada.
This information is available to the public and is frequently used by potential customers.
Your cooperation in responding to this complaint becomes 
a permanent part of your file with the Dun and BradStreet.
Failure to promptly give attention to this matter may be 
reflected in the report we give to consumers about your company.
We encourage you to print this complaint (attached file), answer the questions and respond to us.
We look forward to your prompt attention to this matter.
To ensure delivery of Dun & Bradstreet Credibility Corp. 
emails to your inbox and to enable images to load in future mailings, 
please add alerts@dandb.com to your email address book or safe senders list.
Privacy and Unsubscribe Notice:
To unsubscribe or modify your email alert settings, please login to your account, 
click "alerts", select "alert settings", and choose the email settings you wish to disable 
then click "save" to make the desired changes. Your privacy is important to us,
please see our privacy policy. To view our terms of service,
please click here If you have any questions, email us at customerservice@asd.com.
Please do not reply to this email.

Or

Subject: Fwd: Revised Order Confirmation

Message Body:

Dear Sir,
Attached please find now the completed order confirmation, and revised  Proforma-Invoice.
also kindly find the full set shipping documents for order attached.
Regards,

Or

Subject: A1 Zahlbar 978654/8186 von 28.10.2015 (German: "A1 Payable 978654/8186 of 28.10.2015")

Message Body:

sehen Sie im Inneren (German: "see inside")

Or

Subject: Revised Proforma-Invoice

Message Body:

Dear Sir
Attached please find now the completed order confirmation, and revised  Proforma-Invoice.
also kindly find the full set shipping documents for order attached.
Regards,


Or

Subject: RFQ

Message Body:

Hello,
My Name is Mr. Rob Wyatt, I'm very interested in your product.
I would like you to get back to me with your quotation 
and payment terms for the attached specification and samples.
Hope to hear from you soon.
Regards


Or

Subject: RFQ from Finland

Message Body:

Good day,
Happy to Contact you, Got you contact from one of our suppliers,
who promised you can offer the best price and delivery time on the Above mentioned
product. we have some order Request that falls under
your trade industry, Please do well to provide us with the following short listed below.
find with attached product and item required for delivery.
1). Best Price and MOQ
2). Delivery time and cost to portugal
3). Payment terms.
NOTE: Please treat as Urgent as we are in desperate need of this Items before
we go into december sales.
Awaiting your quick reply.
Best regards,


Or

Subject: Fwd: Proforma Invoice

Message Body:

Dear Sir,
Kindly, find the attachment of Proforma Invoice and Sales Contract for your perusal. Please
return this contract with signed. We will process this shipment upon received signed contract.
Thank You.
Best Regards,

Or

Subject: Fwd: Revised Proforma-Invoice[*]

Message Body:

Dear Sir,
Kindly, find the attachment of Proforma Invoice and Sales Contract for your perusal. Please
return this contract with signed. We will process this shipment upon received signed contract.
Thank You.
Best Regards,

Or

Subject: Hire Remittance Advice

Message Body:

Dear Sir/Madam,
As directed by charterers, this is to inform you that we have remitted the
value of your hire invoice.
Please find attached payment advice which includes invoice reference and
TDS deductions.
Best regards,


Or

Subject: BALANCE PAYMENT

Message Body:

Dear  Sir,
WE STILL HAVE NOT BEEN ABLE TO PROCESS YOUR BALANCE PAYMENT SENT TO US
BY YOUR CUSTOMER.
PLEASE CONFIRM THE BANK DETAILS IN THE INVOICE TO ENABLE US PROCESS
YOUR PAYMENT.
WE ARE HAVING PROBLEMS WITH THE IBAN NO. IT SEEMS INCORRECT
WAITING FOR YOUR URGENT REPLY.


Or

Subject: proforma invoice

Message Body:

Dear sir
Kindly check the attached proforma invoice for the following?
1. We agreed on 30% advance but PI is stated 50% advance.
2. Expected time of delivery is different from earlier agreed shipment date.
3. Pay attention to the Question marks we added to the PI to draw your
attention to complete these parts.
Kindly amend and send back the revised PI so we can make the down payment
immediately.
Best Regards
Thanks & Regards

Or

Subject: Proforma Invoice

Message Body:

Dear Sir,
Enclosed is the proforma invoice sent to us, please review,
We had to write to you Directly as it is not workable for us. Kindly 
please double check and confirm by returning the following: 
1.We agreed on 70% advance but PI is stated 100% advance. 
2.Expectedtime of delivery is different from earlier agreed shipment date. 
3. Pay attention to the Question marks we added to the PI to draw your 
attention to complete these parts. Kindly amend and send back the revised 
PI so we can make the down payment immediately without no further delay. 
Thanks and Best Regard Carrie Wu Export Sales Dept.

Or

Subject: confirmation, and revised Proforma-Invoice No. 74515.

Message Body:

Dear Sir,
April 11 2016.
Attached please find now the completed order confirmation,
and revised Proforma-Invoice No. 74515. also kindly find 
the full set shipping documents for order 1420467 attached.
Thanking you in advance we look forward to receiving
your advance payment soon.
With best Regards


Or


Subject: REQUEST FOR QUOTATION

Message Body:

Dear Sir/Madam
Hope this email finds you well.
I want to use this opportunity to introduce our company,
KEYNVEST TRADING as a Spanish company specialised in international
trade.We place our knowledge and experience at our clients and
suppliers’disposal to fully assist them increase their business volume,
position their brands and strengthen their corporate image by increasing
the import and export of their products. We work with a carefully chosen
range of the highest quality products.You can also check our website:
www.keynvest-trading.com Attached is our company profile and order inquiries
within your product range.kindly review and quote your best competitive price.
We awaits your soonest reply.
Best Regards,


Or

Subject: Message copied from system quarantine

Message Body:

Dear Sir,
Please refer to the attached file.
Awaiting your earliest response.
Management

Cisco Security analysts examine real-world e-mail traffic data that is collected from over 100,000 contributing organizations worldwide.
This data helps provide a range of information about and analysis of global e-mail security threats and trends.
Cisco will continue to monitor this threat and automatically adapt systems to protect customers.
This report will be updated if there are significant changes or if the risk to end users increases.

Cisco security appliances protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures.
E-mail that is managed by Cisco and end users who are protected by Cisco Web Security Appliances will not be impacted by these attacks.
Cisco security appliances are automatically updated to prevent both spam e-mail and hostile web URLs from being passed to the end user.

Related Links
Cisco Security
Cisco SenderBase Security Network
 
Alert History
 

Version 16, April 13, 2016, 8:54 AM: Cisco Security has detected significant activity on April 12, 2016.

Version 15, March 31, 2016, 8:23 AM: Cisco Security has detected significant activity on March 29, 2016.

Version 14, March 23, 2016, 4:32 PM: Cisco Security has detected significant activity on March 23, 2016.

Version 13, February 23, 2016, 8:36 AM: Cisco Security has detected significant activity on February 22, 2016.

Version 12, February 1, 2016, 9:04 AM: Cisco Security has detected significant activity on January 30, 2016.

Version 11, January 4, 2016, 9:12 AM: Cisco Security has detected significant activity on December 24, 2015.

Version 10, December 21, 2015, 8:47 AM: Cisco Security has detected significant activity on December 20, 2015.

Version 9, December 18, 2015, 7:57 AM: Cisco Security has detected significant activity on December 17, 2015.

Version 8, November 9, 2015, 8:39 AM: Cisco Security has detected significant activity on November 2, 2015.

Version 7, November 3, 2015, 8:36 AM: Cisco Security has detected significant activity on November 2, 2015.

Version 6, October 30, 2015, 8:36 AM: Cisco Security has detected significant activity on October 29, 2015.

Version 5, October 20, 2015, 4:23 PM: Cisco Security has detected significant activity on October 20, 2015.

Version 4, October 12, 2015, 7:39 AM: Cisco Security has detected significant activity on October 9, 2015.

Version 3, October 9, 2015, 9:39 AM: Cisco Security has detected significant activity on October 7, 2015.

Version 2, September 23, 2015, 5:53 PM: Cisco Security has detected significant activity on September 23, 2015.

Version 1, December 18, 2012, 5:42 PM: Cisco Security has detected significant activity on December 18, 2012.



Product Sets
 
This alert applies to the following combinations of products.

Primary Products:
IntelliShield Threat Outbreak Alert Original Release Base

Associated Products:
N/A



LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
Powered by IntelliShield