Following are the message details of the #phishing email that purports to be from Delta Airlines and is sent from a spoofed email address:
#scam target:
Email subject:
- Your eTicket and receipt
- Your Electronic Ticket
- Your eTicket
Scam messages:
Thank you for choosing Delta.
We encourage you to review this information before your trip.
If you need to contact Delta or check on your flight information, go to http://www.delta.com.
Your eTicket is attached to your e-mail receipt as a .pdf document.
Baggage and check-in requirements vary by airport and airline, so please check with the operating carrier on your ticket.
Please review Delta’s check-in Requirements and baggage guidelines for details.
You must be checked in and at the gate at least 15 minutes before your scheduled departure time for travel inside the United States.
You must be checked in and at the gate at least 45 minutes before your scheduled departure time for international travel.
Attachments:
#eticket.zip / eTicket and Receipt for ID[RANDOM_NUMBERS].pdf.exe
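The attachment above is the delivery vector: a zip archive containing an executable whose name ends in `.pdf.exe`, so that a client that hides known extensions shows only `.pdf`. The following is an added example (not code from the original post or from VirusTotal) of the check a mail gateway or triage script can apply to an archive before it reaches a user. The extension sets, the sample archive and its member names are constructed for the example; the payload bytes are inert.

```python
import io
import zipfile
from typing import List, Tuple

# Assumed sets for this example: extensions treated as executable content,
# and document-style extensions an attacker places in front of the real one.
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jar"}
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def classify_member(name: str) -> Tuple[bool, str]:
    """Return (suspicious, reason) for one archive member name.

    A member is suspicious when its final extension is executable; a
    document-looking extension immediately before it (e.g. ".pdf.exe")
    is reported separately because it signals deliberate disguise.
    """
    basename = name.lower().rsplit("/", 1)[-1]
    parts = basename.split(".")
    if len(parts) < 2:
        return False, "no extension"
    final = parts[-1]
    if final not in EXECUTABLE_EXT:
        return False, f"non-executable extension .{final}"
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXT:
        return True, f"document-looking double extension .{parts[-2]}.{final}"
    return True, f"executable .{final} inside archive"


def scan_zip_bytes(data: bytes) -> List[Tuple[str, str]]:
    """Scan an in-memory zip and return (member, reason) for suspicious members."""
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            suspicious, reason = classify_member(info.filename)
            if suspicious:
                findings.append((info.filename, reason))
    return findings


def build_sample_zip() -> bytes:
    """Constructed stand-in for the eticket.zip attachment.

    The member name mirrors the pattern in the report with a constructed
    placeholder ID; the content is a harmless byte string, not a program.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("eTicket and Receipt for ID0000000000.pdf.exe",
                    b"constructed inert bytes, not an executable")
        zf.writestr("itinerary.txt", b"constructed benign content")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in scan_zip_bytes(build_sample_zip()):
        print(f"BLOCK {member}: {reason}")
```

The check is deliberately name-based: it does not need to open the member, so it can run at the gateway before any content inspection. In production the executable set would be extended to whatever the organisation's attachment policy blocks, and archive nesting (a zip inside a zip) handled by recursing on members whose extension is an archive type.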
Types of scam:
Malware name/family:
#zeroaccess, #zaccess, Sireref, #backdoor.win32.zaccess
Behaviour Analysis:
Here’s the malware behavioral information from VirusTotal:
[File system activity]
Opened files: \\.\PIPE\lsarpc (successful) C:\WINDOWS\system32\rsaenh.dll (successful) C:\WINDOWS\system32\cmd.exe (successful)
Read files: C:\WINDOWS\system32\rsaenh.dll (successful)
[Process activity]
Created processes: C:\WINDOWS\system32\cmd.exe (successful)
[Mutex activity]
Opened mutexes: ShimCacheMutex (successful)
[Windows service activity]
Opened service managers: MACHINE: localhost DATABASE: SERVICES_ACTIVE_DATABASE (successful)
Opened services: MsMpSvc (failed) windefend (failed) SharedAccess (successful) iphlpsvc (failed) wscsvc (successful) mpssvc (failed) bfe (failed)
[Runtime DLLs]
kernel32.dll (successful) gdi32.dll (successful) user32.dll (successful) c:\windows\system32\mswsock.dll (successful) hnetcfg.dll (successful) rpcrt4.dll (successful) c:\windows\system32\wshtcpip.dll (successful) ws2_32.dll (successful) rsaenh.dll (successful) version.dll (successful) advapi32.dll (successful)
[Additional details] The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
[Network activity]
HTTP requests: URL: http://j.maxmind.com/app/geoip.js TYPE: GET USER AGENT: None URL: http://xlotxdxtorwfmvuzfuvtspel.com/4QfcJ1RXa8hEdj0xLjEmaWQ9MjkxNzAxMDgzNiZhaWQ9MzA1NjImc2lkPTEmb3M9NS4xLTMyhvVwdN8q TYPE: GET USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
DNS requests: j.maxmind.com (50.22.196.70) xlotxdxtorwfmvuzfuvtspel.com (50.62.12.103) www.google.com (173.194.34.18)
TCP connections: 50.22.196.70:80 78.251.248.253:16471 83.133.120.16:80
UDP communications: 8.8.8.8:53 83.133.123.20:53 206.254.253.254:16471 197.254.253.254:16471 190.254.253.254:16471 184.254.253.254:16471 182.254.253.254:16471 180.254.253.254:16471 166.254.253.254:16471 135.254.253.254:16471 134.254.253.254:16471 119.254.253.254:16471 117.254.253.254:16471 115.254.253.254:16471 92.254.253.254:16471 88.254.253.254:16471 87.254.253.254:16471 78.251.248.253:16471 184.160.103.252:16471 37.236.169.251:16471 115.241.116.246:16471 76.172.38.2:16471 95.192.48.246:16471 112.202.54.2:16471 222.254.253.254:16471 24.140.117.56:16471 188.25.79.172:16471 188.215.15.182:16471 195.3.145.57:123 108.58.9.43:16471 109.202.32.100:16471 76.191.201.220:16471 67.185.196.254:16471 174.59.161.22:16471 46.185.56.23:16471 86.122.41.17:16471 98.192.8.34:16471 1.23.64.15:16471 99.158.44.245:16471 70.77.209.240:16471 78.251.61.8:16471 178.216.0.17:16471 65.27.37.19:16471 70.81.241.6:16471 126.5.90.4:16471 5.15.17.12:16471
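The network section above is the most useful detection signal in the report: besides two DNS servers and one NTP server, the sample talks to dozens of unrelated hosts on a single non-standard UDP port (16471), which is the peer-to-peer fan-out pattern of a ZeroAccess-style bot rather than anything a workstation does on its own. The following is an added example (not code from the original post or from VirusTotal) that parses sandbox or firewall output in this format, groups destinations by port and flags any non-standard port contacted by many distinct hosts. The set of expected ports, the peer threshold and the sample line (a subset of the endpoints listed in the report, with one duplicate added to show distinct counting) are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Assumed for this example: ports on which a host legitimately reaches many
# different destinations (DNS, HTTP, NTP, HTTPS); everything else is judged
# by how many distinct peers are contacted on it.
EXPECTED_PORTS = {53, 80, 123, 443}

# Matches "ip:port" tokens as they appear in the report's network lines.
ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")


def parse_endpoints(text: str) -> List[Tuple[str, int]]:
    """Extract (ip, port) pairs from a 'TCP connections:' or 'UDP communications:' line."""
    return [(ip, int(port)) for ip, port in ENDPOINT_RE.findall(text)]


def peers_by_port(endpoints: List[Tuple[str, int]]) -> Dict[int, Set[str]]:
    """Group distinct destination IPs by destination port."""
    by_port: Dict[int, Set[str]] = defaultdict(set)
    for ip, port in endpoints:
        by_port[port].add(ip)
    return dict(by_port)


def flag_peer_fanout(text: str, min_peers: int = 10) -> Dict[int, int]:
    """Return {port: distinct_peer_count} for non-standard ports with wide fan-out.

    min_peers is an assumed threshold; tune it to the environment so that
    legitimate multi-peer protocols in use locally are whitelisted instead.
    """
    fanout = peers_by_port(parse_endpoints(text))
    return {
        port: len(ips)
        for port, ips in fanout.items()
        if port not in EXPECTED_PORTS and len(ips) >= min_peers
    }


# Constructed sample: a subset of the endpoints in the report above, plus one
# repeated peer (78.251.248.253) to show that counting is per distinct host.
SAMPLE_UDP = (
    "UDP communications: 8.8.8.8:53 83.133.123.20:53 195.3.145.57:123 "
    "206.254.253.254:16471 197.254.253.254:16471 190.254.253.254:16471 "
    "184.254.253.254:16471 78.251.248.253:16471 184.160.103.252:16471 "
    "37.236.169.251:16471 76.172.38.2:16471 24.140.117.56:16471 "
    "108.58.9.43:16471 1.23.64.15:16471 5.15.17.12:16471 78.251.248.253:16471"
)


if __name__ == "__main__":
    for port, count in flag_peer_fanout(SAMPLE_UDP).items():
        print(f"ALERT: {count} distinct peers contacted on UDP/{port}")
```

Run against the full UDP line from the report the same function reports more than forty distinct peers on port 16471, and the TCP line shows the same host (78.251.248.253) reached on that port over both protocols. The same grouping applied to egress firewall logs, keyed by source host, is a practical way to surface an infected machine after the fact even when the specific peer addresses have changed.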