
Email:

Fake American Airlines virus spam email claims to have an E-Ticket confirmation for a flight you booked.

Attached doc contains malware.

These emails are NOT coming from American Airlines.


Subject: E-Ticket Confirmation


[ BANNER : AA.com (R) Reservations Redeem
Miles My Account Fare Sales and Offers ]

Ticket Issued: Nov 02, 2015
Thank you for choosing American Airlines / American Eagle, a member of the
Oneworld Alliance. Below are your itinerary and receipt for the ticket(s)
purchased. Please print and retain this document for use throughout your
trip. For faster check-in at the airport, scan the barcode below at any
AA Self-Service machine.

You must present a government-issued photo ID and either your boarding
pass or a priority verification card at the security screening checkpoint.

You can now Manage Your Reservation on aa.com, where you can check in and
purchase additional items to customize your journey. A variety of seating
options are also available for purchase to enhance your travel with
features such as convenient front of cabin location, extra legroom and
early boarding.
Print your ticket from attach.

As American and US Airways merge, many changes are taking place at our airport
locations. Visit Find Your Way to assist with your journey.

Record Locator YGCMON

Carrier   Flight #  Departing                          Arriving                    Fare Code
American  3234      RICHMOND  MON 02NOV  8:05 AM       CHICAGO OHARE  9:18 AM      Q
          OPERATED BY ENVOY AIR AS AMERICAN EAGLE
          CHECK-IN WITH AMERICAN EAGLE
          Seat 7A   Economy   Food For Purchase
American  2312      CHICAGO OHARE  MON 02NOV  10:20 AM DALLAS FT WORTH  12:52 PM   Q
          Economy   Food For Purchase

Passenger  Ticket #       Fare-USD   Taxes and Carrier-Imposed Fees   Ticket Total
           0012353137005  191.63     36.97                            228.60
Visa $ 228.60

ticket_11022015-33788993.doc (347)

Picture of fake American Airlines email with malware.

According to this awesome tool here: http://online-barcode-reader.inliteresearch.com, that PDF417 barcode just decodes to:

YGCMONER



Header Examples:

2 November 2015 

Spoofs or just uses hvacprofessional.net in the From headers and random junk in the Envelope headers (the MAIL FROM connection string). Great domain choice.

Received: from 122-146-84-151.adsl.static.sparqnet.net [122.146.84.151]
X-Envelope-From: hairdressersg3 @royalnursery.com
From: "American Airlines@aa.com" <notify@hvacprofessional.net>
Subject: E-Ticket Confirmation

Received: from REIGFYP ([115.94.75.117]
X-Envelope-From: fluorocarbonuop94 @rofin-baasel.com
From: "American Airlines@aa.com" <notify@hvacprofessional.net>
Subject: E-Ticket Confirmation

Received: from 178.54.60.94.rev.vodafone.pt [94.60.54.178]
X-Envelope-From: notify @hvacprofessional.net
From: "American Airlines@aa.com" <notify@hvacprofessional.net>
Subject: E-Ticket Confirmation

Received: from koel-227-30.koelnet.com [89.252.227.30]
X-Envelope-From: sequesteringoz91 @rcdelectric.com
From: "American Airlines@aa.com" <notify@hvacprofessional.net>
Subject: E-Ticket Confirmation
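A defender-side check of the header pattern just described, added here as example code and not part of the original write-up. It parses two of the header blocks above (copied inline as constructed samples) and flags the display-name/From/envelope inconsistencies; the finding names are this example's own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Two of the header blocks quoted above, copied here as constructed samples
# (the defanging space before "@" in X-Envelope-From has been removed).
SAMPLES = [
    "Received: from 122-146-84-151.adsl.static.sparqnet.net [122.146.84.151]\n"
    "X-Envelope-From: hairdressersg3@royalnursery.com\n"
    'From: "American Airlines@aa.com" <notify@hvacprofessional.net>\n'
    "Subject: E-Ticket Confirmation\n",
    "Received: from 178.54.60.94.rev.vodafone.pt [94.60.54.178]\n"
    "X-Envelope-From: notify@hvacprofessional.net\n"
    'From: "American Airlines@aa.com" <notify@hvacprofessional.net>\n'
    "Subject: E-Ticket Confirmation\n",
]

def domain_of(addr):
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def connecting_ip(raw_headers):
    """Bracketed IP in the Received: header, kept for correlating hits."""
    received = message_from_string(raw_headers).get("Received", "")
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received)
    return m.group(1) if m else ""

def triage(raw_headers):
    """Return (finding, detail) pairs for sender-identity inconsistencies."""
    msg = message_from_string(raw_headers)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    findings = []
    # 1. Display name that itself looks like an address at another domain
    #    ("American Airlines@aa.com" fronting a hvacprofessional.net sender).
    m = re.search(r"@([\w.-]+)", display)
    if m and m.group(1).lower() != from_dom:
        findings.append(("display_domain_mismatch",
                         f"shows {m.group(1).lower()}, sent as {from_dom}"))
    # 2. Envelope sender (MAIL FROM) at a different domain than the From header;
    #    absent in the third block above, where the spammer used the domain itself.
    env_dom = domain_of(parseaddr(msg.get("X-Envelope-From", ""))[1])
    if env_dom and env_dom != from_dom:
        findings.append(("envelope_domain_mismatch",
                         f"MAIL FROM {env_dom}, From {from_dom}"))
    return findings

if __name__ == "__main__":
    for raw in SAMPLES:
        print(connecting_ip(raw), triage(raw))
```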


Malware

2 November 2015

Attachment: malicious .doc file with a macro and an executable OLE object: ticket_11022015-33788993.doc

VirusTotal report | hybrid-analysis.com report 

This .doc file doesn't download an executable; it already carries one inside as an OLE object, called pm2.exe.

Extracted executable: pm2.exe (Pony password-stealing malware)

VirusTotal report | hybrid-analysis.com report 

Also...

POSTs stolen data to:

wicytergo.ru/gate.php
unlaccothe.ru/gate.php
thetedrenre.ru/gate.php

... and downloads more malware from:

eextensions.co/host.exe
www.10203040.at/host.exe
www.eshtari.me/host.exe

Downloaded executable: host.exe (Vawtrak banking malware)

VirusTotal report | hybrid-analysis.com report 

Which attempts to contact C2 sites like:



A later version, same day:

Attachment: malicious .doc file with a macro and an executable OLE object: ticket_AA77799543.doc

VirusTotal report | hybrid-analysis.com report 

This .doc file doesn't download an executable; it already carries one inside as an OLE object, called pu.exe.
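Both attachments in this write-up (ticket_11022015-33788993.doc with pm2.exe, and ticket_AA77799543.doc with pu.exe) share the same trait: the executable is carried inside the OLE container rather than downloaded. As an added, stdlib-only triage heuristic that is not the author's tooling or the output of the linked analysis services, the following scans a blob for an MZ header whose e_lfanew lands on a valid PE signature; the sample bytes are constructed, not the real document.

```python
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File header (legacy .doc)
# Constructed decoy: "MZ" as ordinary text, with zeros where e_lfanew would be.
DECOY = b"MZ is only text here, not a DOS header" + bytes(0x80)

def is_ole_file(data):
    """True if the blob starts with the OLE2 compound-file signature."""
    return data[:8] == OLE_MAGIC

def find_embedded_pe(data):
    """Offsets of MZ headers whose e_lfanew lands on a 'PE\\0\\0' signature.

    An .exe dropped in as an OLE object sits inside the container's streams;
    when those sectors are contiguous the PE image appears verbatim, so a
    validated MZ->PE chain is a strong static signal. Fragmented streams need
    a real CFB parser (olefile/oletools); this heuristic does not replace one.
    """
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):                       # room for a DOS header
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # Real images keep e_lfanew small; text that happens to read "MZ" fails here.
            if 0x40 <= e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def build_sample():
    """Constructed stand-in for the .doc: OLE header, zero sector, the decoy,
    then a minimal DOS header whose e_lfanew (0x80) reaches a PE signature."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    coff = b"PE\x00\x00" + struct.pack("<H", 0x14C) + bytes(18)  # Machine = i386
    return OLE_MAGIC + bytes(512 - 8) + DECOY + bytes(dos) + coff + bytes(64)

if __name__ == "__main__":
    blob = build_sample()
    print("OLE container:", is_ole_file(blob))
    print("embedded PE at:", [hex(o) for o in find_embedded_pe(blob)])
```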

Extracted executable: pu.exe (Pony password-stealing malware)

VirusTotal report | hybrid-analysis.com report 

Also...

POSTs stolen data to:

wicytergo.ru/sliva/gate.php
unlaccothe.ru/sliva/gate.php
thetedrenre.ru/sliva/gate.php

... and downloads more malware from:

eextensions.co/m.exe
www.10203040.at/m.exe
www.eshtari.me/m.exe

Downloaded executable: m1.exe (Dyreza banking malware)

VirusTotal report | hybrid-analysis.com report 

Also...

Campaign ID:

manuk1

Checks in with these C2 sites:
