
New Delta Airlines Phishing Email: “Your eTicket and receipt”

March 6, 2013


Following is the detail of a message that purports to be from Delta Airlines and was sent from a spoofed email address:

target:

Email

Email subject:

  • Your eTicket and receipt
  • Your Electronic Ticket
  • Your eTicket

Scam messages:

Delta Airlines Phishing Email: “Your eTicket and receipt”

Thank you for choosing Delta.
We encourage you to review this information before your trip.
If you need to contact Delta or check on your flight information, go to http://www.delta.com.

Your eTicket is attached to your e-mail receipt as a .pdf document.

Baggage and check-in requirements vary by airport and airline, so please check with the operating carrier on your ticket.
Please review Delta’s check-in Requirements and baggage guidelines for details.

You must be checked in and at the gate at least 15 minutes before your scheduled departure time for travel inside the United States.

You must be checked in and at the gate at least 45 minutes before your scheduled departure time for international travel.

Attachments:

  • eTicket and Receipt for ID[RANDOM_NUMBERS].pdf.exe
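The attachment name above ends in ".pdf.exe": a document extension in front of an executable one, so the mail client shows a PDF icon while Windows runs the file as a program. As an added example (not code from the original post or from any mail-gateway product), here is a Python check of the kind a mail filter applies to attachment names; the extension lists and the sample ID number in the test are constructed, and the filename padded with spaces is a variant of the same trick rather than something quoted on the page.

```python
import re

# Extensions Windows executes when double-clicked (constructed list, not exhaustive).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                         "vbs", "vbe", "wsf", "hta", "msi", "cpl"}
# Extensions a recipient reads as a harmless document or image.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt",
                       "rtf", "jpg", "jpeg", "png", "gif", "htm", "html"}


def classify_attachment(filename):
    """Classify an attachment filename as allow / quarantine / block.

    Whitespace runs are collapsed before the extensions are read, so a name padded
    with spaces to push '.exe' out of the mail client's view is handled the same
    way as the plain 'name.pdf.exe' form.
    """
    name = re.sub(r"\s+", " ", filename.strip()).replace(" .", ".").lower()
    parts = name.split(".")
    extensions = parts[1:]                      # everything after the base name
    final = extensions[-1] if extensions else ""
    executable = final in EXECUTABLE_EXTENSIONS
    # a document extension sitting in front of an executable one is the lure pattern
    disguised = executable and any(e in DOCUMENT_EXTENSIONS for e in extensions[:-1])
    verdict = "block" if disguised else "quarantine" if executable else "allow"
    return {"extensions": extensions, "runs_as": final,
            "executable": executable, "disguised": disguised, "verdict": verdict}
```

Plain executables get "quarantine" rather than "block" so that a legitimate internal tool can still be released by an administrator; the disguised form has no legitimate use and is dropped outright.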

Types of scam:

Malware name/family:

Sirefef

Behaviour Analysis:

Here’s the malware behavioral information from VirusTotal:

[File system activity]
Opened files:
 \\.\PIPE\lsarpc (successful)
 C:\WINDOWS\system32\rsaenh.dll (successful)
 C:\WINDOWS\system32\cmd.exe (successful)
Read files:
 C:\WINDOWS\system32\rsaenh.dll (successful)
[Process activity]
Created processes:
 C:\WINDOWS\system32\cmd.exe (successful)
[Mutex activity]
Opened mutexes:
 ShimCacheMutex (successful)
[Windows service activity]
Opened service managers:
 MACHINE: localhost
 DATABASE: SERVICES_ACTIVE_DATABASE (successful)
Opened services:
 MsMpSvc (failed)
 windefend (failed)
 SharedAccess (successful)
 iphlpsvc (failed)
 wscsvc (successful)
 mpssvc (failed)
 bfe (failed)
[Runtime DLLs]
 kernel32.dll (successful)
 gdi32.dll (successful)
 user32.dll (successful)
 c:\windows\system32\mswsock.dll (successful)
 hnetcfg.dll (successful)
 rpcrt4.dll (successful)
 c:\windows\system32\wshtcpip.dll (successful)
 ws2_32.dll (successful)
 rsaenh.dll (successful)
 version.dll (successful)
 advapi32.dll (successful)
[Additional details]
 The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
[Network activity]
HTTP requests:
 URL: http://j.maxmind.com/app/geoip.js
 TYPE: GET
 USER AGENT: None
 URL: http://xlotxdxtorwfmvuzfuvtspel.com/4QfcJ1RXa8hEdj0xLjEmaWQ9MjkxNzAxMDgzNiZhaWQ9MzA1NjImc2lkPTEmb3M9NS4xLTMyhvVwdN8q
 TYPE: GET
 USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
DNS requests:
 j.maxmind.com (50.22.196.70)
 xlotxdxtorwfmvuzfuvtspel.com (50.62.12.103)
 www.google.com (173.194.34.18)
TCP connections:
 50.22.196.70:80
 78.251.248.253:16471
 83.133.120.16:80
UDP communications:
 8.8.8.8:53
 83.133.123.20:53
 206.254.253.254:16471
 197.254.253.254:16471
 190.254.253.254:16471
 184.254.253.254:16471
 182.254.253.254:16471
 180.254.253.254:16471
 166.254.253.254:16471
 135.254.253.254:16471
 134.254.253.254:16471
 119.254.253.254:16471
 117.254.253.254:16471
 115.254.253.254:16471
 92.254.253.254:16471
 88.254.253.254:16471
 87.254.253.254:16471
 78.251.248.253:16471
 184.160.103.252:16471
 37.236.169.251:16471
 115.241.116.246:16471
 76.172.38.2:16471
 95.192.48.246:16471
 112.202.54.2:16471
 222.254.253.254:16471
 24.140.117.56:16471
 188.25.79.172:16471
 188.215.15.182:16471
 195.3.145.57:123
 108.58.9.43:16471
 109.202.32.100:16471
 76.191.201.220:16471
 67.185.196.254:16471
 174.59.161.22:16471
 46.185.56.23:16471
 86.122.41.17:16471
 98.192.8.34:16471
 1.23.64.15:16471
 99.158.44.245:16471
 70.77.209.240:16471
 78.251.61.8:16471
 178.216.0.17:16471
 65.27.37.19:16471
 70.81.241.6:16471
 126.5.90.4:16471
 5.15.17.12:16471
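The report above has three things a defender wants to pull out quickly: the hosts and addresses the sample contacted, the long list of UDP peers all on port 16471 (a peer-to-peer pattern rather than a single command server), and the Windows security services it tried to open. Added example, not code from the original post or from VirusTotal: a Python script that parses a report in this text layout into those indicators. The REPORT string is an abbreviated copy of the report above (constructed excerpt that keeps six of the UDP peers on port 16471); the parsing rules, the peer threshold and the list of security service names are assumptions of this example.

```python
import re
from collections import defaultdict

# Abbreviated copy of the VirusTotal behaviour report quoted above (constructed
# excerpt: only six of the report's UDP peers on port 16471 are reproduced).
REPORT = r"""
[Windows service activity]
Opened services:
 MsMpSvc (failed)
 windefend (failed)
 SharedAccess (successful)
 wscsvc (successful)
 mpssvc (failed)
 bfe (failed)
[Network activity]
HTTP requests:
 URL: http://j.maxmind.com/app/geoip.js
 URL: http://xlotxdxtorwfmvuzfuvtspel.com/4QfcJ1RXa8hEdj0xLjEmaWQ9MjkxNzAxMDgzNiZhaWQ9MzA1NjImc2lkPTEmb3M9NS4xLTMyhvVwdN8q
 TYPE: GET
 USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
DNS requests:
 j.maxmind.com (50.22.196.70)
 xlotxdxtorwfmvuzfuvtspel.com (50.62.12.103)
 www.google.com (173.194.34.18)
TCP connections:
 50.22.196.70:80
 78.251.248.253:16471
UDP communications:
 8.8.8.8:53
 206.254.253.254:16471
 197.254.253.254:16471
 190.254.253.254:16471
 184.254.253.254:16471
 182.254.253.254:16471
 195.3.145.57:123
 78.251.248.253:16471
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")                 # [Network activity]
HEADER_RE = re.compile(r"^([A-Za-z ]+):$")             # UDP communications:
ENDPOINT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
DNS_RE = re.compile(r"^(\S+) \((\d{1,3}(?:\.\d{1,3}){3})\)$")
# Built-in Windows defences the sample probed (assumed analyst-maintained list).
SECURITY_SERVICES = {"msmpsvc", "windefend", "wscsvc", "mpssvc", "bfe", "sharedaccess"}

def parse_report(text):
    """Turn '[Section]' / 'Header:' / entry lines into {section: {header: [entries]}}."""
    sections, section, header = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, header = m.group(1), ""
            sections.setdefault(section, {})
            continue
        if section is None:
            continue  # ignore any text before the first section
        m = HEADER_RE.match(line)
        if m:
            header = m.group(1)
            sections[section].setdefault(header, [])
            continue
        sections[section].setdefault(header, []).append(line)
    return sections

def network_iocs(sections):
    """Hosts and IP addresses from the network section, for blocking or hunting."""
    net = sections.get("Network activity", {})
    hosts, ips = set(), set()
    for line in net.get("HTTP requests", []):
        if line.startswith("URL: "):  # keep the host, drop the per-victim path
            hosts.add(line[5:].split("//", 1)[-1].split("/", 1)[0])
    for line in net.get("DNS requests", []):
        m = DNS_RE.match(line)
        if m:
            hosts.add(m.group(1))
            ips.add(m.group(2))
    for key in ("TCP connections", "UDP communications"):
        for line in net.get(key, []):
            m = ENDPOINT_RE.match(line)
            if m:
                ips.add(m.group(1))
    return {"hosts": sorted(hosts), "ips": sorted(ips)}

def udp_fanout(sections, min_peers):
    """UDP ports reached on at least min_peers distinct addresses (the P2P signature)."""
    peers = defaultdict(set)
    for line in sections.get("Network activity", {}).get("UDP communications", []):
        m = ENDPOINT_RE.match(line)
        if m:
            peers[int(m.group(2))].add(m.group(1))
    return {port: len(addrs) for port, addrs in peers.items() if len(addrs) >= min_peers}

def security_services_touched(sections):
    """Defensive services the sample tried to open, whether the open succeeded or not."""
    opened = sections.get("Windows service activity", {}).get("Opened services", [])
    return sorted({line.split(" ", 1)[0].lower() for line in opened} & SECURITY_SERVICES)
```

With the threshold set to five peers, DNS (53) and NTP (123) never trigger while port 16471 does, which is the signal to write a firewall or IDS rule for outbound UDP on that port from workstations. Review the host list before it goes on a blocklist: j.maxmind.com and www.google.com are legitimate services that the sample uses alongside its own domain, and blocking them would hit normal traffic.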