Delta Air Lines confirmation of tickets purchase contains the W32/Trojan2.FXRO trojan

MX Lab intercepted a few samples of the trojan W32/Trojan2.FXRO. The trojan arrives attached to emails in a ZIP archive named delta_RQ763.zip. The messages purport to come from Delta Air Lines, using the spoofed From address <support@delta.com>, with the subject “Confirmation of airline ticket purchase at www.delta.com”.

The content of the email:

Thanks for the purchase!

Booking number: LVSN50

You will find attached to this letter PASSENGER ITINERARY RECEIPT of your electronic ticket.

It verifies that you paid the ticket in full and confirms your right for air travel and luggage transportation by the indicated flight Delta Air Lines.

On board you will be offered:

 - beverages;
 - food;
 - daily press.

You are guaranteed top-quality services and attention on the part of our benevolent personnel.

We recommend you to print PASSENGER ITINERARY RECEIPT and take it alone to the airport. It will help you to pass control and registration procedures faster.

See you on board!

Best regards,

Delta Air Lines

Once the ZIP archive is extracted you have the file delta_RQ763.exe. The trojan shows the characteristics of ZBot (ZeuS), a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), takes screenshots, downloads additional components, and gives the attacker remote access to the compromised system.

On infection the folder %System%\twain32 is created (%System% is normally C:\Windows\System32), together with the files %System%\twain32\local.ds, %System%\twain32\user.ds and %System%\twex.exe. Registry modifications are also part of the infection.

The origin appears to be Russia. The trojan connects to a remote host to download hxxp://91.211.65.**/ejik/admin.bin and hxxp://91.211.65.**/ejik/hot.php; in a ZeuS infection a .bin file and a .php script served from the same path are typically the encrypted configuration file and the gate script through which the bot reports to its C&C.

VirusTotal permalink and MD5: e3bf9ea4d7ddd59f0f27486f993fa2b2. Only 10 of the 38 anti-virus engines detected this new variant at the time of writing.
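As an added example (not MX Lab's own code), the following Python script shows how a mail gateway could triage a message for the pattern described above: a ZIP attachment that hides an executable, a From header whose domain disagrees with the envelope sender (Return-Path), and an inner-file MD5 matching the published hash. The message it builds is constructed for the demonstration only; the delta_RQ763.exe inside it is a harmless placeholder, so its hash will not match the real sample, and the Return-Path mailer.example.org is an assumed value.

```python
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators taken from the write-up above.
KNOWN_BAD_MD5 = {"e3bf9ea4d7ddd59f0f27486f993fa2b2"}   # MD5 of the delta_RQ763.exe sample
CAMPAIGN_ATTACHMENT = "delta_RQ763.zip"
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def build_sample_message() -> bytes:
    """Constructed lookalike of the campaign mail. The ZIP member is a
    harmless placeholder, so its MD5 will not match KNOWN_BAD_MD5."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("delta_RQ763.exe", b"MZ placeholder, not the trojan")
    msg = EmailMessage()
    msg["From"] = "Delta Air Lines <support@delta.com>"   # spoofed, as in the campaign
    msg["Return-Path"] = "<bounce@mailer.example.org>"     # assumed envelope sender
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Confirmation of airline ticket purchase at www.delta.com"
    msg.set_content("Thanks for the purchase!\nBooking number: LVSN50\n")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=CAMPAIGN_ATTACHMENT)
    return bytes(msg)


def _domain(header_value) -> str:
    """Domain part of an address header, lower-cased; '' if absent."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: bytes) -> dict:
    """Return {'suspicious': bool, 'reasons': [...], 'attachments': [...]}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons, attachments = [], []

    # Heuristic 1: the visible From claims delta.com but the envelope sender
    # points elsewhere. A cheap stand-in for a real SPF/DKIM verdict.
    from_domain = _domain(msg.get("From"))
    rp_domain = _domain(msg.get("Return-Path"))
    if from_domain and rp_domain and from_domain != rp_domain:
        reasons.append(f"From domain {from_domain} differs from Return-Path domain {rp_domain}")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        entry = {"name": name, "members": []}
        # Heuristics 2 and 3: open ZIP attachments in memory, flag executables
        # inside, and hash every member against the known-bad list.
        if data[:2] == b"PK":
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        md5 = hashlib.md5(zf.read(info)).hexdigest()
                        entry["members"].append((info.filename, md5))
                        if info.filename.lower().endswith(EXECUTABLE_EXTENSIONS):
                            reasons.append(f"executable {info.filename} inside {name}")
                        if md5 in KNOWN_BAD_MD5:
                            reasons.append(f"{info.filename} matches known W32/Trojan2.FXRO MD5")
            except zipfile.BadZipFile:
                reasons.append(f"{name} starts with PK but is not a valid ZIP")
        attachments.append(entry)

    return {"suspicious": bool(reasons), "reasons": reasons, "attachments": attachments}


if __name__ == "__main__":
    for reason in triage(build_sample_message())["reasons"]:
        print("FLAG:", reason)
```

On the constructed message the script flags the From/Return-Path mismatch and the executable inside the ZIP; the MD5 check only fires when the real sample is present, which is why a hash list alone would miss the next repack of the same trojan while the structural checks still catch it.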

4 Responses to Delta Air Lines confirmation of tickets purchase contains the W32/Trojan2.FXRO trojan

  1. Pingback: Spam In Flight: Delta Airline Ticket Conformation Contains W32/Trojan2.FXRO Trojan - Computer Repair Info

  2. Pingback: Insight a ZeuS C&C server | abuse.ch

  3. stanley and marylou ignasiak says:

    is our delta airlines confirmation still good and tickets we purchased

  4. sue kopyscinski says:

    I need a confirmation sent to me
    Thanks Susan Kopyscinski
