Author Topic: Spam Warns about Boeing 737 Max Crashes While Pushing Malware  (Read 102 times)

Posted by javajolt (Administrator)

A new malspam campaign is underway that is trying to utilize the tragic Boeing 737 Max crashes as a way to spread malware on a recipient's computer. These spam emails pretend to be leaked documents about imminent crashes that the sender states should be reviewed and shared with loved ones to warn them.

This new campaign was discovered by 360 Threat Intelligence Center, a research division of 360 Enterprise Security Group, which posted about it on Twitter.



The emails are coming from the address info@isgec.com and have subject lines similar to "Fwd: Airlines plane crash Boeing 737 Max 8". They also carry a JAR file attachment with a name similar to MP4_142019.jar.


Spam Email - click to enlarge

These emails pretend to be from a private intelligence analyst who found a leaked document on the dark web. The document supposedly contains information about other airline companies that will be affected by similar crashes soon.
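As an added example that is not part of the original article or the forum post, the following triage script parses a raw email and flags the traits this campaign shares: the sender address and subject line quoted above, and an executable attachment (.jar) whose name masquerades as a media file. The sample message is constructed here; the indicator lists are assumptions drawn only from what the article reports.

```python
# Added example: mail triage for the traits of the Boeing 737 Max malspam lure.
# Indicator values come from the article; the sample message below is constructed.
import email
import re
from email import policy
from email.message import EmailMessage

SUSPECT_SENDERS = {"info@isgec.com"}
SUBJECT_RE = re.compile(r"plane crash|boeing 737", re.IGNORECASE)
# Attachment extensions a mail gateway should rarely, if ever, let through.
EXECUTABLE_EXTS = {".jar", ".vbs", ".js", ".exe", ".scr"}
# Names like MP4_142019.jar: a media-file prefix in front of an executable extension.
MEDIA_LOOKALIKE_RE = re.compile(r"^(mp4|avi|mov|jpg|png)_\w+\.", re.IGNORECASE)


def triage(raw: bytes) -> list[str]:
    """Return the campaign indicators found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    sender = (msg.get("From") or "").lower()
    if any(s in sender for s in SUSPECT_SENDERS):
        hits.append("known-sender")
    if SUBJECT_RE.search(msg.get("Subject") or ""):
        hits.append("crash-lure-subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in EXECUTABLE_EXTS:
            hits.append(f"executable-attachment:{name}")
        if MEDIA_LOOKALIKE_RE.match(name) and ext in EXECUTABLE_EXTS:
            hits.append(f"media-lookalike-name:{name}")
    return hits


def build_sample() -> bytes:
    """Constructed message modelled on the lure described in the article."""
    msg = EmailMessage()
    msg["From"] = "info@isgec.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Fwd: Airlines plane crash Boeing 737 Max 8"
    msg.set_content("kindly notify your love ones about the informations on these file.")
    # Placeholder bytes only; this is not the real attachment.
    msg.add_attachment(b"PK\x03\x04placeholder", maintype="application",
                       subtype="java-archive", filename="MP4_142019.jar")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```

A message that trips several of these checks at once is a strong candidate for quarantine rather than delivery.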

The full text of the email can be read below.

Quote
Greetings

I believe you have heard about the latest crash Boeing 737 MAX 8 which happen on sunday 10 march 2019, All  passengers and crew were killed in the accident

Ethiopian Airlines Flight ET302 from Addis Ababa, Ethiopia, to Nairobi, Kenya, crashed shortly after takeoff

The dead were of 35 different nationalities, including eight Americans.

On 29 October 2018, the Boeing 737 MAX 8 operating the route crashed into the Java Sea 12 minutes after takeoff.

All 189 passengers and crew were killed in the accident.

note: there was a leak information from Darkweb which listed all the airline companies that will go down soon.

kindly notify your love ones about the informations on these file.
 
Regards

Joshua Berlinger
private inteligent analyst

If a user attempts to open the JAR file, it will be executed by Java on the computer. This attachment was originally thought to install only the Houdini H-worm Remote Access Trojan, but security researcher Racco42 felt that it was too large to be just that single piece of malware.

After running it through Any.Run, he saw that in addition to installing H-Worm RAT, it was also installing the Adwind information-stealing Trojan.

BleepingComputer confirmed this by executing the attachment, which led to two malware files being installed in the %AppData% folder as shown below.

[Screenshot: the installed malware files]

The ntfsmgr.jar file is the Adwind Trojan [VirusTotal], and the VBS file, shown below, is the H-Worm RAT [VirusTotal].

[Screenshot: the H-Worm RAT VBS file]

As always, beware of spam email with unknown attachments and never open an attachment unless you are expecting it from the sender and have confirmed that they have actually sent it to you. Otherwise, you never know what you will be opening and potentially infecting yourself with.

sources