Description
Cisco Security Intelligence Operations has detected significant activity related to spam e-mail messages that claim to contain a digital certificate notification for the recipient. The text in the e-mail message attempts to persuade the recipient to open the attachment to retrieve the new digital certificate. However, the .zip attachment contains a malicious .exe that, when executed, attempts to infect the system with malicious code.
E-mail messages that are related to this threat (RuleID5844) may contain the following files:
WUPOS.Certificate.ID326.zip
P12.Certificate.ID489830.exe
The P12.Certificate.ID489830.exe file in the WUPOS.Certificate.ID326.zip attachment has a file size of 123,392 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x9C9C302C9B231CFA0CB623C41BE2BCB2
The following text is a sample of the e-mail message that is associated with this threat outbreak:
Message Body:
Dear User,
Your WUPOS digital certificate has been deleted due security reasons.
New terminal certificate you can find in attached file.
If you require further assistance, please do not hesitate to call us.
Thanks. Best regards,
-----------------------------------------------------------------------------
LDE - Offline Support Specialist
Regional Operations Centre Western Union Services Inc
ADVISORY: For all LDE concerns, kindly send your mail directly to aroc.lde700@westernunion.com.
This e-mail and all attaches are confidential and may be protected by legal privilege. If you are not the intended recipient, be aware that any disclosure, copy,
distribution or use of this e-mail or any attachments is prohibited. If you have received this mail in error, please notify us immediately by returning it to the sender
and delete this mail from your system.
Source: Cisco Systems