Fake email Delta Airlines or American Airlines with ticket details contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new email campaign that distributes a trojan and targets Delta Airlines and American Airlines customers with attached ticket details.

Delta Airlines

This email is sent from spoofed addresses, has a subject in the format of Download your ticket “#NR00478451” or “Order NR00205864”, and has the following body:

Order Notification,

ELECTRONIC TICKET NUMBER / ET-99540139
SEAT / 76E/ZONE 1
DATE / TIME 20 OCTOBER, 2014, 09:15 AM
ARRIVING / St.Louis
FORM OF PAYMENT / CC
TOTAL PRICE / 218.88 USD
REF / OE.8272 ST / OK
BAG / 2PC

Your ticket is attached.
To use your ticket you should print it.

Thank you for using our airline company services.
Delta Air Lines.

American Airlines

This email is sent from spoofed addresses, has the subject “Your order is processed” or “Download your ticket ”, and has the following body:

This is your e-ticket receipt.

TICKET TYPE / TICKET / AA-0080748006
SEAT / 31A/ZONE 3
DATE / TIME 6 OCTOBER, 2014, 09:35 AM
ARRIVING / Tulsa
ST / OK
REF / KE.3833 BAG / 4PC

TOTAL PRICE / 509.84 USD
FORM OF PAYMENT / CC

Your bought ticket is attached to the letter as a scan document.

Yours sincerely,
American Airlines E-Ticket services.

The attached ZIP files are named in the format ET-26606796.zip (Delta Airlines) or AA-0008046080.zip (American Airlines) and contain the 151 kB file DATicket.exe. Please note that the numbers in the file name may vary.

The trojan is known as Packer.W32.Krap, a variant of Win32/Kryptik.BWUH, W32/Kryptik.CKFN!tr, Kuluoz.EP, PE:Malware.FakeDOC@CV!1.9C3C or Mal/Wonton-G.

At the time of writing, 8 of the 54 AV engines detected the trojan at Virus Total.

Use the Virus Total permalink for more detailed information.
SHA256: 28e6e417eb6243deffda9fdc74b0a28c2d504f2f927c1be2ff4259ec835ce3e4
