Fake order confirmation emails from American Airlines lead to malware


MX Lab, http://www.mxlab.eu, intercepted some samples of fake order confirmation emails from American Airlines that lead the user to a host with an embedded JavaScript that downloads the malicious payload.

The email is sent from the spoofed address “American Airlines” and has the following body (single-image email):

In this case, the URL hxxp://egiser-ingenieros.com/FAHSIENFHE.html brings us to an HTML page with an embedded JavaScript that starts the download of the malicious ZIP file:

<html>
<body>
<script language="JavaScript">
<!--
window.location="AA_Electronic_Ticket.zip";
//-->
</script>
</body>
</html>
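As an added defender-side example (not part of the MX Lab write-up), the following Python code flags landing pages whose script sends the browser straight to an archive or executable, which is exactly what the page above does. It goes a little beyond the snippet by also catching `location.href`, `location.replace()` and `location.assign()` forms; the sample HTML is reconstructed from the snippet, and the risky-extension list and the regex are assumptions of this example.

```python
import re
from html.parser import HTMLParser

# Constructed sample: the landing page shown above (script redirect to a ZIP).
SAMPLE_PAGE = """<html>
<body>
<script language="JavaScript">
<!--
window.location="AA_Electronic_Ticket.zip";
//-->
</script>
</body>
</html>"""

# Assumed list: file types a "ticket" page has no business serving directly.
RISKY_EXTENSIONS = (".zip", ".exe", ".scr", ".rar", ".jar", ".js")

# Matches script that navigates the browser: window.location = "...",
# location.href = '...', document.location.replace("..."), location.assign("...").
REDIRECT_RE = re.compile(
    r"""(?:window\.|document\.)?location(?:\.href)?\s*"""
    r"""(?:=|\.replace\s*\(|\.assign\s*\()\s*['"]([^'"]+)['"]""",
    re.IGNORECASE,
)


class _ScriptCollector(HTMLParser):
    """Collect the raw text inside <script> elements; everything else is ignored."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def find_script_redirects(html):
    """Return every navigation target set from script, in document order."""
    collector = _ScriptCollector()
    collector.feed(html)
    return [t for body in collector.scripts for t in REDIRECT_RE.findall(body)]


def flag_download_redirect(html):
    """Return only the redirect targets that point at an archive or executable."""
    return [t for t in find_script_redirects(html)
            if t.lower().split("?")[0].endswith(RISKY_EXTENSIONS)]
```

Run over a suspect landing page, a non-empty result from `flag_download_redirect` is a strong signal that the "ticket" link is a drive-by download rather than a booking page.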

The ZIP file is named AA_Electronic_Ticket.zip and contains the 60 kB file AA_Electronic_Ticket.exe.

The trojan is known as Spyware/Win32.Zbot, Win32/TrojanDownloader.Zortob.B, Trojan.Generic.KDV.783582, W32/Kryptik.BWW.

At the time of writing, 13 of the 44 AV engines at Virus Total detected the trojan.

Virus Total permalink and SHA256: df95ea18dd12805419f71d33e7e8e2bd7a9c013b9799559ef288b609cc56e84f.