New fake Air Canada emails with ticket and flight confirmation lead to malicious ZIP file


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with subjects like:

Order #70189189901 successfully – Ticket and flight details
Order #70189101701 paid – E-ticket and flight details

This email is sent from the spoofed address “Aircanada.com” <tickets@aircanada.com> and has the following body:

Dear client,

Your order has been successfully processed and your credit card charged.

ELECTRONIC TICKET – 70189101701
FLIGHT – QB70189101701CA
DATE / TIME – Dec 4th 2014, 15:30
ARRIVING – Quebec
TOTAL PRICE / 575.00 CAD

Your ticket can be downloaded and printed from the following URL :
hxxps://www.aircanada.com/travelInformation/viewOrderInfo.do?ticket_number=70189101701&view_pdf=yes

For information regarding your order, contact us by visiting our website : hxxp://www.aircanada.com/en/customercare/index.html
Thank you for choosing Air Canada

The embedded URL does not point the browser to the real web site address but to hxxp://ravuol.com/wp-content/plugins/revslider/temp/update_extract/revslider/pdf_ticket_QB70189189901CA.zip. Once this file is extracted you will have the 209 kB file pdf_ticket_QB70189189901CA.pif.
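As an added illustration, not code from MX Lab, the following Python flags the two tells described above on a constructed message: the visible URL text and the actual href pointing at different hosts, and a ZIP whose only member is a .pif executable. The HTML snippet and the in-memory ZIP are constructed stand-ins built from the values quoted in this post (the defanged hxxp scheme is kept as written).

```python
# Added example (not MX Lab's code): flag the lure's two tells, an anchor whose visible
# text names one host while its href points at another, and a ZIP holding a .pif.
import html
import io
import re
import zipfile
from urllib.parse import urlparse

EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs"}
ANCHOR_RE = re.compile(r'<a\s[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed HTML modelled on the email above; the post's defanged hxxp scheme is kept.
SAMPLE_EMAIL = (
    '<a href="hxxp://ravuol.com/wp-content/plugins/revslider/temp/update_extract/revslider/'
    'pdf_ticket_QB70189189901CA.zip">hxxps://www.aircanada.com/travelInformation/'
    'viewOrderInfo.do?ticket_number=70189101701&amp;view_pdf=yes</a> '
    '<a href="hxxp://www.aircanada.com/en/customercare/index.html">customer care</a>'
)

def mismatched_links(body):
    """Return hrefs whose visible text is a URL on a different host than the href."""
    hits = []
    for href, text in ANCHOR_RE.findall(body):
        href, text = html.unescape(href), html.unescape(re.sub(r"<[^>]+>", "", text)).strip()
        if "://" not in text and not text.lower().startswith("www."):
            continue  # visible text is not a URL, nothing to compare against
        shown = urlparse(text if "://" in text else "//" + text).hostname
        if shown and shown.lower() != (urlparse(href).hostname or "").lower():
            hits.append(href)
    return hits

def executable_members(zip_bytes):
    """Return ZIP member names with an executable extension such as .pif."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return [n for n in z.namelist()
                if "." + n.rsplit(".", 1)[-1].lower() in EXECUTABLE_EXTS]

def sample_zip():
    """Constructed stand-in for the downloaded archive: a dummy .pif, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("pdf_ticket_QB70189189901CA.pif", b"placeholder, not a PE file")
    return buf.getvalue()
```

On the sample, `mismatched_links` returns only the ravuol.com archive link (the customer-care anchor has plain-text label and is skipped), and `executable_members` names the .pif inside the constructed ZIP.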

The trojan is known as Trojan.MalPack or a variant of Win32/Injector.BQPL.

This trojan has the ability to fingerprint the system, start a server listening on the local machine, create Zeus mutexes, install itself to autorun, and modify the local firewall and policies.

At the time of writing, 2 of the 52 AV engines at VirusTotal detected the trojan.

Use the VirusTotal permalink or Malwr permalink for more detailed information.
SHA256: 8aba09320c5a5844ceb64ef06624eda221578667a1fa59feb3b2c94aabae96fb
