
Email:

Fake Delta, American Airlines, or US Airways email claims you can download your ticket, it is attached, and you should print it.

Attached zip file contains an exe virus or trojan horse.

The From and Envelope sender addresses are spoofed with look-alike domains such as deltaa.com, aaa.com, deltaus.com and aa-us.com, and also with the genuine aa.com and delta.com, to impersonate Delta Air Lines, US Airways and American Airlines.

The "you should print it" language reminds me of some older Asprox emails.


Subject:  You can download your ticket #5456

Subject: Your order is ready

Subject: Ticket is ready # Order NR8933

Subject: Please download your ticket #8710

Subject: Download your ticket

Subject: Order is processed

Subject: Your order #14-4759 has been completed

Notification,

TICKET NUMBER / EH816231696
SEAT / 58F/ZONE 1
DATE / TIME 19 DECEMBER, 2013, 12:15 PM
ARRIVING / Wichita
FORM OF PAYMENT / CC
TOTAL PRICE / 231.37 USD
REF / EK.8769 ST / OK
BAG / 3PC

Your bought ticket is attached.
To use your ticket you should print it.

Thank you for your attention.
Delta Air Lines.

Electronic_TK_Delta_73189.zip (91)

Subject: Your order # NR15-5697 has been completed

 Hello,

E-TICKET / EH651020372
SEAT / 55E/ZONE 3
DATE / TIME 8 DECEMBER, 2013, 09:25 AM
ARRIVING / Amarillo
FORM OF PAYMENT / CC
TOTAL PRICE / 281.58 USD
REF / KE.4047 ST / OK
BAG / 1PC

Your electronic ticket is attached to the letter as a scan document.
You can print your ticket.

Thank you for your attention.
Delta Air Lines.

Electronic_Ticket_Delta_AA45938.zip (91)

Subject: Download your ticket

 This is your e-ticked receipt.

TICKET TYPE / TICKET NUMBER / EH410658041
SEAT / 77F/ZONE 1
DATE / TIME 10 DECEMBER, 2013, 11:55 PM
ARRIVING / Albuquerque
ST / OK
REF / OE.4753 BAG / 6PC

TOTAL PRICE / 564.71 USD
FORM OF PAYMENT / XXXXXX

Your bought ticket is attached.
You can print your e-ticket.

Yours sincerely,
AA E-Ticket services.

E-TICKET_FOR_PRINT_AA2745.zip (94)

29 October 2014 I noticed this fresh new look!

Subject: Your ticket #ID00022057

 [Delta Logo ]

Flight Status
Flight 6483 on 20 November 2014
Your ticket is attached.
You can print your ticket.
Status Departue
wait City Scheduled City Scheduled
5:43PM Visalia Gate D1 4:23PM Antioch Gate 2

Flight Detail
Carrier: ExpressJet DBA Delta Connection Equipment type: Canadair regional Jet
Flight Distance: 375 miles Travel time: 1 hr 37 min
First\Business Class Meals: None Amenities:
Economy Class Meals: None Amenities:
Movie: No

ET-84858110.zip (90)

[Image: fake Delta Air Lines ticket email with Asprox malware attached, showing the fresh new look]


Header Examples:

Spoofs deltaa.com in From, Envelope, and HELO, maybe to get around SPF. Or bad typing.

Later versions included aa.com and usairways.com in headers and HELO.

Received: from deltaa.com (cpe-24-92-35-78.nycap.res.rr.com) [24.92.35.78]
X-Envelope-From: support.5@deltaa.com
From: "Delta Air Lines" <support.5@deltaa.com>
Subject: You can download your ticket #5456
(notice HELO was deltaa.com but RDNS to RoadRunner)

Received: from deltaa.com (i5E87C5F4.versanet.de) [94.135.197.244]
X-Envelope-From: ticket_support.7@deltaa.com
From: "Delta Air Lines" <ticket_support.7@deltaa.com>
Subject: Your order # NR15-5697 has been completed
(HELO was deltaa.com but RDNS to some German ISP)

Received: from aa-us.com (210-202-197-60.vdslpro.static.apol.com.tw) [210.202.197.60]
X-Envelope-From: service.814@aa-us.com
From: "AA Airlines" <service.814@aa-us.com>
Subject: You can download your ticket

Received: from deltaa.com (c-107-4-80-76.hsd1.fl.comcast.net) [107.4.80.76]
X-Envelope-From: ticket_support.8@deltaa.com
From: "Delta Air Lines" <ticket_support.8@deltaa.com>
Subject: Please download your ticket #8710

Received: from deltaa.com (host86-186-104-207.range86-186.btcentralplus.com) [86.186.104.207]
X-Envelope-From: ticket_support.1@deltaa.com
From: "Delta Air Lines" <ticket_support.1@deltaa.com>
Subject: Your order is ready

Received: from aa.com (client-201.230.155.77.speedy.net.pe) [201.230.155.77]
X-Envelope-From: aa.support103@aa.com
From: "American Airlines" <aa.support103@aa.com>
Subject: Your order #14-4759 has been completed

Received: from aaa.com [138.26.166.110]
X-Envelope-From: order.329@aaa.com
From: "American Airlines" <order.329@aaa.com>
Subject: Your order # NR17-5760 has been completed

Received: from usairways.com (75-141-225-11.dhcp.reno.nv.charter.com) [75.141.225.11]
X-Envelope-From: your_ticket@usairways.com
From: "US Airways Ticket" <your_ticket@usairways.com>
Subject: Ticket #2263 is ready

Received: from deltaus.com (206.180.136.88.rev.sfr.net) [88.136.180.206]
X-Envelope-From: support126@deltaus.com
From: "Delta Air Lines" <support126@deltaus.com>
Subject: Ticket #0092 is ready

Received: from aa-air.com (CPE-58-172-208-119.ewqo1.ken.bigpond.net.au) [58.172.208.119]
X-Barracuda-Envelope-From: order.419@aa-air.com
From: "American Airlines" <order.419@aa-air.com>
Subject: Your Electronic Ticket for Print

My list of the domains so far:

aa-us.com
usdelta.com
aa-air.com
deltaus.com
usairways.com
aaa.com
aa.com
deltaaa.com
airlinesaa-us.com
deltaairus.com
airusaserv.com

Asprox attachment-style emails almost ALWAYS come from infected Windows computers (contrasted with URL-style emails, which come from compromised web sites). One interesting artifact that has survived so far is that the infected computer's NetBIOS name or hostname appears in the Message-ID header:

Message-ID: <...b081cd13046401a8c0@Owner-PC>
Message-ID: <...ba1562c65b0900a8c0@Erasto-PC>
Message-ID: <...c57f89eb57c914a8c0@daniel-desktop>
Message-ID: <...e2b4de819b8f00a8c0@sylvia-W7>
Message-ID: <...e3a3d429b08a00a8c0@rola-pc>
Message-ID: <...a173d09a457361a8c0@Dottie-PC>
Message-ID: <...a609b00ecc0ee0000a@station1>
Message-ID: <...73f6bbf0238070fa8c0@office-PC>

Malware

29 October 2014

Attachment : ET-84858110.zip containing DATicket.exe (Kuluoz trojan)

VirusTotal report 

AVware Trojan.Win32.Kuluoz.dad (v)
Ad-Aware Trojan.Agent.BGHO
AegisLab Troj.W32.Swizzor
Avast Win32:Trojan-gen
Cyren W32/Kuluoz.XGOP-4065
ESET-NOD32 a variant of Win32/Kryptik.COQM
F-Prot W32/Kuluoz.AY
McAfee Packed-BZ!96FA2124679D
Norman Kuluoz.EP
VBA32 BScope.Trojan-Dropper.8612
VIPRE Trojan.Win32.Kuluoz.dad (v)

Mutexes:
aaUser abUser

Malwr.com report 

Starts servers listening on 0.0.0.0:0
Performs some HTTP requests
Steals private information from local Internet browsers
process_name: svchost.exe
Installs itself for autorun at Windows startup

POST to: 173.203.70.234:8080/index.php

TotalHash report 

POST to:
173.203.70.234:8080
198.245.63.31:8080
50.56.238.195:8080
50.57.223.115:443
5.157.82.99:8080
87.106.255.78:8080
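The Kuluoz sample's command traffic, as the Malwr and TotalHash reports above show, is an HTTP POST to a bare IP address on port 8080 (one on 443) with the path /index.php. That shape is easy to pick out of proxy logs: ordinary corporate web traffic posts to hostnames, not to IP literals. The scanner below is an added example for this page, not part of the original post or of any of the linked sandbox reports. It assumes a simple space-separated proxy log (timestamp, client, method, URL, status, bytes) and uses the six C2 endpoints listed above as its known-bad set; the log lines are constructed, with one reuse of a listed host on a different port to show the generic rule firing without a list match.

```python
import re
from ipaddress import ip_address

# C2 endpoints taken from the TotalHash report quoted in the post.
KNOWN_C2 = {
    "173.203.70.234:8080", "198.245.63.31:8080", "50.56.238.195:8080",
    "50.57.223.115:443", "5.157.82.99:8080", "87.106.255.78:8080",
}

# Constructed proxy log lines: timestamp, client, method, URL, status, bytes.
SAMPLE_LOG = """\
1414588800.123 10.0.0.15 GET http://www.example.com/index.html 200 5123
1414588801.456 10.0.0.15 POST http://173.203.70.234:8080/index.php 200 812
1414588802.789 10.0.0.22 POST http://10.0.0.5:8080/api/upload 200 4120
1414588803.001 10.0.0.31 POST http://198.245.63.31:8080/index.php 200 790
1414588804.002 10.0.0.31 POST https://intranet.example.com/login 302 210
1414588805.003 10.0.0.40 POST http://87.106.255.78:443/index.php 200 801
"""

URL_RE = re.compile(r"^(https?)://([^/:\s]+)(?::(\d+))?(/\S*)?")

def scan(log_text):
    """Return one dict per flagged line: client, destination, path and a tag.

    Tags: "known_c2" when the host:port is on the list above,
    "ip_literal_post" for any other POST to a public IP literal."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or truncated line
        _ts, client, method, url = fields[:4]
        m = URL_RE.match(url)
        if not m or method != "POST":
            continue
        scheme, host, port, path = m.groups()
        port = port or ("443" if scheme == "https" else "80")
        try:
            ip = ip_address(host)
        except ValueError:
            continue  # a hostname, not an IP literal; outside this rule's scope
        if ip.is_private:
            continue  # internal services are legitimately reached by address
        dest = f"{host}:{port}"
        tag = "known_c2" if dest in KNOWN_C2 else "ip_literal_post"
        hits.append({"client": client, "dest": dest, "path": path or "/", "tag": tag})
    return hits

def infected_clients(log_text):
    """Sorted list of internal clients that contacted a listed C2 endpoint."""
    return sorted({h["client"] for h in scan(log_text) if h["tag"] == "known_c2"})

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print("clients to isolate:", infected_clients(SAMPLE_LOG))
```

The generic "POST to a public IP literal" rule is the durable part: the C2 addresses in the lists above rotate, and the reports from 2013 and 2014 already share none. Feeding the flagged clients into a host-isolation or ticketing step is where a SOC would take this next.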

10 December 2013

Attachment : US_Airways_E-Ticket_NO31902.zip containing US_AIRWAYS_E-TICKET_ONLINE FOR_PRINT.exe

VirusTotal report  

6 December 2013

Attachment : Electronic_TK_Delta_73189.zip containing Electronic_Ticket_Delta_Air_Lines.exe (Kuluoz trojan)

VirusTotal report | Malwr.com report | File-Analyzer.net report

Historical 

The portion below this point is from the original 2013 article. This was one of the first Asprox malware emails that used attachments. Before this, the canonical asprox email had malware links instead.

------

Before this spam series, the Asprox botnet would distribute malware using compromised websites and emails with links. So at first I thought this was more like a Cutwail setup. But the trojan uses encrypted HTTP POSTs to contact the command servers, exactly like Asprox does now. Then I found that they were contacting the same IP addresses, so this is kind of a shift in how Asprox works, since these are attached zips.

0d02807264bc422095c0ef8d87c752ae (definitely Asprox, from a hacked website)

bc17832bcd79e71fcd2cdf0249a24afb (emailed attachment)

Asprox from compromised site    Emailed fake Delta attachment
81.25.112.101                   81.25.112.101
216.18.22.214                   216.18.22.214
166.78.7.193                    166.78.7.193
178.79.186.35                   178.79.186.35
77.79.92.75                     77.79.92.75
91.185.204.47                   91.185.204.47
192.184.94.72                   216.18.22.214
5.135.213.204                   190.114.253.222
                                176.227.204.58

The left column is a definite Asprox from a compromised site on 12 Dec 2013. The right column is an emailed fake Delta Airlines attachment. There are several matches.

StopMalvertising.com's analysis of this manner of encrypted HTTP communications : here

Rebus Snippet's explanation of the Asprox ecosystem : here
