By Robert Simmons, Cyveillance Security Manager and Sr. Technologist
A spate of scam emails purporting to be e-tickets from a major airline has recently been spreading in the wild. The “ticket” is really a zipped malware executable. Here is what one of the scam emails looks like:
We performed sandbox analysis on two samples from this campaign. Comparing the two with fuzzy hashing shows that they are nearly identical: only a handful of small differences separate them.
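The fuzzy-hash comparison described above, as an added example (not Cyveillance's tooling or code from the post): a simplified context-triggered piecewise hash in the style of ssdeep, run over two constructed stand-in "samples" that differ only in an embedded C2 URL, plus a strings diff that pulls out exactly what changed. The sample bytes, the URLs (documentation ranges), the window and block size, and the use of difflib for scoring are assumptions for illustration; on real files a practitioner would run ssdeep or sdhash on the actual binaries.

```python
"""Fuzzy-hash comparison of two near-identical samples (added example)."""
import difflib
import hashlib
import random
import re

WINDOW = 7        # bytes covered by the rolling hash (assumed, as in ssdeep)
BLOCK_SIZE = 64   # expected piece length; real ssdeep scales this with file size
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def _rolling_hash(window: bytes) -> int:
    """Cheap polynomial hash of the last WINDOW bytes (stand-in for ssdeep's)."""
    h = 0
    for b in window:
        h = (h * 31 + b) & 0xFFFFFFFF
    return h


def ctph(data: bytes, block_size: int = BLOCK_SIZE) -> str:
    """Context-triggered piecewise hash, simplified.

    The input is cut wherever the rolling hash of the last WINDOW bytes hits a
    trigger value; each piece is hashed and reduced to one character. Cut points
    depend on content rather than offset, so a localized edit (e.g. a different
    C2 address) changes only the piece(s) containing it.
    """
    sig = []
    start = 0
    for i in range(len(data)):
        window = data[max(0, i - WINDOW + 1):i + 1]
        if _rolling_hash(window) % block_size == block_size - 1:
            digest = hashlib.sha256(data[start:i + 1]).digest()
            sig.append(ALPHABET[digest[0] & 0x3F])
            start = i + 1
    if start < len(data):  # trailing piece after the last trigger
        digest = hashlib.sha256(data[start:]).digest()
        sig.append(ALPHABET[digest[0] & 0x3F])
    return f"{block_size}:" + "".join(sig)


def similarity(sig_a: str, sig_b: str) -> int:
    """0-100 score. ssdeep uses a weighted edit distance; difflib is used here."""
    body_a = sig_a.split(":", 1)[1]
    body_b = sig_b.split(":", 1)[1]
    return round(100 * difflib.SequenceMatcher(None, body_a, body_b).ratio())


def strings(data: bytes, min_len: int = 6) -> set:
    """Printable ASCII runs, like the `strings` utility."""
    return {m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)}


def differing_strings(a: bytes, b: bytes) -> tuple:
    """Strings unique to each sample: what actually differs between near-twins."""
    sa, sb = strings(a), strings(b)
    return sorted(sa - sb), sorted(sb - sa)


def build_sample(c2_url: bytes, seed: int = 1) -> bytes:
    """Constructed stand-in for a packed executable: a fixed pseudo-random body
    with a C2 URL embedded at a fixed offset. Not a real sample."""
    rng = random.Random(seed)
    body = bytearray(rng.getrandbits(8) for _ in range(4096))
    body[1024:1024 + len(c2_url)] = c2_url
    return bytes(body)


# Constructed inputs: two "samples" sharing a body but with different C2 hosts,
# and one unrelated file for contrast.
SAMPLE_A = build_sample(b"http://198.51.100.10/gate.php\x00")
SAMPLE_B = build_sample(b"http://203.0.113.7/gate.php\x00")
UNRELATED = build_sample(b"http://192.0.2.1/index.php\x00", seed=2)


def analyze() -> dict:
    """Scores plus the per-sample unique strings, as a triage report."""
    a_only, b_only = differing_strings(SAMPLE_A, SAMPLE_B)
    return {
        "a_vs_b": similarity(ctph(SAMPLE_A), ctph(SAMPLE_B)),
        "a_vs_unrelated": similarity(ctph(SAMPLE_A), ctph(UNRELATED)),
        "a_only": a_only,
        "b_only": b_only,
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

The high A-vs-B score says the two files are the same build with a small patch; the strings diff then names the patch, which here is the C2 host. Treat a fixed block size and difflib scoring as shortcuts: the real tools pick the block size from the file length and rank with an edit distance, which is what makes their scores comparable across files of different sizes.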
According to the behavior of the two samples during the sandbox session, the only difference found is the IP address of the command-and-control (C2) server to which they phoned home. Both used HTTP to connect to compromised websites. One to
Cyveillance Security Labs focuses on malware and sophisticated technical threat actors, including their tactics, techniques and procedures (TTPs).