Threat Intelligence Blog

Posted September 11, 2014

By Robert Simmons, Cyveillance Security Manager and Sr. Technologist 

A recent spate of scam emails purporting to be e-tickets from a major airline has been spreading in the wild. The “ticket” is really a zipped malware executable. Here is what one of the scam emails looks like:

(Image: one of the scam e-ticket emails.)

We performed sandbox analysis on two samples from this campaign. Comparing the two samples with fuzzy hashing (ssdeep) shows that there are very few differences between them.

(Image: ssdeep fuzzy hash comparison showing the differences between the two samples.)
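To show why fuzzy hashing reports two near-identical binaries as "very few differences" where an ordinary cryptographic hash would simply differ, here is an added, simplified context-triggered piecewise hash (CTPH) in the spirit of ssdeep. It is illustrative code written for this post, not ssdeep itself and not Cyveillance's tooling: the rolling hash, block-size rule and similarity formula are simplified, and the three byte strings it compares are constructed with a fixed seed rather than taken from the campaign samples.

```python
import random
import zlib

WINDOW = 7            # rolling-hash window length (same as ssdeep)
MIN_BLOCK = 3         # smallest block size (same as ssdeep)
SPAM_SUM_LENGTH = 64  # target signature length (same as ssdeep)
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
FNV_OFFSET = 0x811C9DC5


def block_size_for(length: int) -> int:
    """Pick the block size the way ssdeep does: the smallest 3*2^k
    whose signature would fit in roughly 64 characters."""
    bs = MIN_BLOCK
    while bs * SPAM_SUM_LENGTH < length:
        bs *= 2
    return bs


def fnv1a_update(h: int, byte: int) -> int:
    """One step of 32-bit FNV-1a, used as the per-block hash."""
    return ((h ^ byte) * 0x01000193) & 0xFFFFFFFF


def ctph(data: bytes) -> str:
    """Return 'blocksize:signature'. A block ends wherever the hash of the
    last WINDOW bytes hits a trigger value, so block boundaries depend on
    content, not on offsets; each block contributes one base64 character.
    A local change therefore only disturbs the characters near it."""
    bs = block_size_for(len(data))
    sig, h, in_block = [], FNV_OFFSET, 0
    for i, byte in enumerate(data):
        h = fnv1a_update(h, byte)
        in_block += 1
        window = data[max(0, i - WINDOW + 1):i + 1]
        if zlib.crc32(window) % bs == bs - 1:   # content-defined boundary
            sig.append(B64[h & 63])
            h, in_block = FNV_OFFSET, 0
    if in_block:                                # flush the trailing partial block
        sig.append(B64[h & 63])
    return f"{bs}:{''.join(sig)}"


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; ssdeep scores signatures the same basic way."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(h1: str, h2: str) -> int:
    """0..100 similarity of two ctph() outputs. Simplification: real ssdeep
    also compares a signature at block size bs against one at 2*bs."""
    bs1, s1 = h1.split(":", 1)
    bs2, s2 = h2.split(":", 1)
    if bs1 != bs2:
        return 0
    longest = max(len(s1), len(s2))
    if longest == 0:
        return 0
    return round(100 * (1 - levenshtein(s1, s2) / longest))


def constructed_samples():
    """Constructed, deterministic stand-ins for two campaign samples and an
    unrelated file (assumption: NOT the real binaries from the post)."""
    rng = random.Random(2014)
    sample_a = bytes(rng.getrandbits(8) for _ in range(4096))
    variant = bytearray(sample_a)
    for k in range(4):                 # patch four bytes mid-file, e.g. a different C2 address
        variant[2048 + k] ^= 0xFF
    unrelated = bytes(random.Random(7).getrandbits(8) for _ in range(4096))
    return sample_a, bytes(variant), unrelated


if __name__ == "__main__":
    a, v, u = constructed_samples()
    print("A vs A        :", similarity(ctph(a), ctph(a)))
    print("A vs variant  :", similarity(ctph(a), ctph(v)))
    print("A vs unrelated:", similarity(ctph(a), ctph(u)))
```

Run as a script it prints three scores: the sample against itself (100), against the four-byte variant (high, because only the block around the patch changes) and against unrelated bytes (low). That is the behaviour the ssdeep comparison above relies on; a SHA-256 of the two campaign samples would have told you only that they differ.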

Judging by the behavior of the two samples during the sandbox session, the only difference between them is the IP address of the command and control (C2) server to which they phoned home. Both used HTTP to connect to compromised websites: one to hxxp://178.33.160.87/index.php and the other to hxxp://37.35.107.208/index.php. Interestingly, neither binary used a domain name to contact the C2. By the time the sandbox session took place, the C2 component had already been removed from the hijacked websites. That these C2 systems were hosted on compromised websites suggests the samples were not requesting a configuration file; rather, the executables are trojan downloaders that were reaching out for a payload executable to be installed on the victim’s machine.
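The one behavioral indicator both samples share, an HTTP request to a bare IP address with no domain name, is something a defender can hunt for in proxy logs. The following added example (written for this post, not the vendor's code) parses a few constructed proxy log lines, flags requests whose URL host is a public IP literal, and counts how many distinct clients hit the same path, which is how a downloader campaign like this one would surface. The log format and client addresses are assumptions; the two C2 addresses are the ones reported above, and their 404 responses mirror the fact that the C2 had already been removed.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log (assumption: "timestamp client method url status").
# Only the two C2 addresses come from the post; everything else is made up.
SAMPLE_LOG = """\
2014-09-10T08:01:12Z 10.0.3.17 GET http://www.example.com/news/index.php 200
2014-09-10T08:01:15Z 10.0.3.17 GET http://178.33.160.87/index.php 404
2014-09-10T08:02:40Z 10.0.3.22 GET http://37.35.107.208/index.php 404
2014-09-10T08:02:41Z 10.0.3.22 GET http://cdn.example.net/static/app.js 200
2014-09-10T08:03:30Z 10.0.3.9 GET http://10.0.0.5/printer/status 200
"""


def is_ip_literal(host: str) -> bool:
    """True if the URL host is an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_line(line: str):
    """Split one log line into fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    parsed = urlsplit(url)
    if not parsed.hostname:
        return None
    return {"ts": ts, "client": client, "method": method,
            "host": parsed.hostname, "path": parsed.path or "/",
            "status": status}


def find_bare_ip_requests(log_text: str, ignore_private: bool = True):
    """Return the requests whose host is an IP literal. Internal devices
    (printers, appliances) are often reached by IP, so RFC 1918 and other
    private ranges are skipped by default to keep the signal clean."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_ip_literal(rec["host"]):
            continue
        if ignore_private and ipaddress.ip_address(rec["host"]).is_private:
            continue
        hits.append(rec)
    return hits


def clients_per_path(hits):
    """Distinct clients per requested path: several hosts fetching the same
    path from different bare IPs is the campaign pattern described above."""
    seen = defaultdict(set)
    for rec in hits:
        seen[rec["path"]].add(rec["client"])
    return {path: len(clients) for path, clients in seen.items()}


if __name__ == "__main__":
    hits = find_bare_ip_requests(SAMPLE_LOG)
    for rec in hits:
        print(f"{rec['ts']} {rec['client']} -> {rec['host']}{rec['path']} ({rec['status']})")
    print("clients per path:", clients_per_path(hits))
```

On the constructed log the two C2 check-ins are the only hits, and the summary shows two different clients requesting the same `/index.php` path, which is the kind of clustering worth a closer look even when each individual request looks benign.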

The scam emails were both received from private broadband addresses, which indicates they were sent by infected nodes in the botnet. At the time the malware was collected from the wild, neither the zip file nor the executable inside it had been submitted to VirusTotal. However, both were detected as malicious by nine major virus scanners.

The moral of this story: always beware of unsolicited email, and definitely don’t open attachments from unknown sources.

Cyveillance Security Labs focuses on malware and sophisticated technical threat actors, including their tactics, techniques and procedures (TTPs).
