Delta Airlines fake email ticket confirmation contains ZBot trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Order#62910621 – PROCESSED” (the number varies with each email). The email poses as a ticket confirmation from Delta Airlines.

The email is sent from the spoofed address “Delta Airlines <tickets@delta.com>” and has the following body:

Dear Customer,

Your credit card has been successfully processed.

FLIGHT NUMBER DT9801298017US
ELECTRONIC 9801298017
DATE & TIME / AUG 24, 2013, 13:45
ARRIVING / Washington
TOTAL PRICE / 501.33 USD

Please download and print your ticket from the following URL :
hxxps://www.delta.com/flifo/servlet/DeltaDLTicket?airline_code=DL&flight_number=DT9801298017US&order_date=08/21/2013&request=main

For more information regarding your order, contact us by visiting :
hxxps://www.delta.com/content/www/en_US/support/talk-to-us.html

Thank you
Delta Airlines.

The embedded URLs lead to the download of a ZIP file named pdf_delta_ticket.zip, which contains the 410 kB file pdf_delta_ticket.scr.

The trojan is known as Trojan/Win32.Zbot, a variant of Win32/Injector.ALHC, Artemis!232279EF3B8D, Trojan.FakeSCR, UDS:DangerousObject.Multi.Generic, or Trojan.Zbot!gen51.

At the time of writing, 7 of the 46 AV engines at VirusTotal detected the trojan.

Virus Total permalink and SHA256: 30c837b632563e9224423793dbec251edcf38c2bd154b588ea40ce9c23b38a02.
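
An added example (not MX Lab's code) of a gateway-side check for the archive layout described above: it flags ZIP members that Windows would execute, such as pdf_delta_ticket.scr, independently of any AV verdict. The extension list, the document-hint tokens, the function names and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed policy list: extensions Windows runs on double-click.
# A .scr (screensaver) file is an ordinary PE executable under another name.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd"}
# Assumed tokens that make a file name look like a document to the recipient.
DOCUMENT_HINTS = ("pdf", "doc", "invoice", "ticket")


def inspect_zip(data: bytes) -> list:
    """Return one finding per archive member that Windows would execute."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = PurePosixPath(info.filename.replace("\\", "/")).name
            # Windows ignores trailing dots and spaces when resolving the extension.
            cleaned = name.rstrip(". ").lower()
            ext = PurePosixPath(cleaned).suffix
            if ext not in EXECUTABLE_EXTS:
                continue
            stem = cleaned[: -len(ext)]
            is_pe = None  # unknown when the member is password-protected
            if not info.flag_bits & 0x1:
                with archive.open(info) as member:
                    is_pe = member.read(2) == b"MZ"  # DOS/PE magic bytes
            findings.append({
                "member": info.filename,
                "extension": ext,
                "poses_as_document": any(h in stem for h in DOCUMENT_HINTS),
                "pe_header": is_pe,
                "size": info.file_size,
            })
    return findings


def build_sample() -> bytes:
    """Constructed stand-in for the archive: same member name, harmless bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("pdf_delta_ticket.scr", b"MZ" + b"\x00" * 62)
        archive.writestr("readme.txt", b"constructed benign member")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample()):
        print(finding)
```
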

3 thoughts on “Delta Airlines fake email ticket confirmation contains ZBot trojan”

  1. Thanks for letting us know! My husband received this email and thought our credit card info had been stolen….because it recently was and fraudulent charges made…

  2. I just received the email with the same text. I figured it was a scam because I don't have $501.33 on a credit card to be charged anyway.
