MX Lab, http://www.mxlab.eu, has started to intercept a new trojan distribution campaign by email with subjects like:
Order #70189189901 successfully – Ticket and flight details
Order #70189101701 paid – E-ticket and flight details
This email is sent from the spoofed address “Aircanada.com” <email@example.com> and has the following body:
Your order has been successfully processed and your credit card charged.
ELECTRONIC TICKET – 70189101701
FLIGHT – QB70189101701CA
DATE / TIME – Dec 4th 2014, 15:30
ARRIVING – Quebec
TOTAL PRICE / 575.00 CAD
Your ticket can be downloaded and printed from the following URL :
For information regarding your order, contact us by visiting our website : hxxp://www.aircanada.com/en/customercare/index.html
Thank you for choosing Air Canada
The embedded URL does not point the browser to the real web site but to hxxp://ravuol.com/wp-content/plugins/revslider/temp/update_extract/revslider/pdf_ticket_QB70189189901CA.zip. Once this archive is extracted you are left with the 209 kB file pdf_ticket_QB70189189901CA.pif, an executable disguised as a ticket.
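A mail-gateway check for the two tricks used by this lure, a link whose displayed URL names a different host than its real href and a "ticket" archive that holds an executable, as an added example in Python that is not part of MX Lab's post. The sample HTML and ZIP are constructed here from the URL and file names quoted above; the extension lists are assumptions.

```python
import io
import zipfile
from html.parser import HTMLParser
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Constructed list: file types a "ticket" link or archive should never deliver.
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs"}

class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html_body):
    """Flag anchors whose displayed URL names another host than the href, or that fetch a suspect file."""
    parser = _Anchors()
    parser.feed(html_body)
    hits = []
    for href, text in parser.pairs:
        shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        mismatch = shown is not None and shown != urlparse(href).hostname
        if mismatch or PurePosixPath(urlparse(href).path).suffix.lower() in EXECUTABLE_EXTS | {".zip", ".rar", ".7z"}:
            hits.append((href, shown, mismatch))
    return hits

def executables_in_zip(data):
    """Names inside a ZIP payload that carry an executable extension, like the lure's .pif."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if PurePosixPath(n).suffix.lower() in EXECUTABLE_EXTS]

# Constructed sample mirroring the lure: the displayed text says aircanada.com, the href fetches the .zip.
SAMPLE_HTML = ('<a href="http://ravuol.com/wp-content/plugins/revslider/temp/update_extract/'
               'revslider/pdf_ticket_QB70189189901CA.zip">http://www.aircanada.com/en/customercare/index.html</a>')

def sample_zip():  # constructed: a ZIP holding a .pif named like the lure's, with dummy content
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pdf_ticket_QB70189189901CA.pif", b"dummy bytes")
    return buf.getvalue()
```

Both checks are signature-free, so they also catch the next campaign that swaps the domain and the ticket number.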
The trojan is known as Trojan.MalPack or a variant of Win32/Injector.BQPL.
This trojan can fingerprint the system, start a server listening on the local machine, create Zeus mutexes, install itself to autorun, and modify the local firewall and policies.
At the time of writing, 2 of the 52 AV engines at VirusTotal detected the trojan.