A new malspam campaign is underway that uses the tragic Boeing 737 Max crashes as a lure to infect recipients' computers with malware. The spam emails pretend to contain leaked documents about imminent crashes that, the sender claims, should be reviewed and shared with loved ones as a warning.
This new campaign was discovered by 360 Threat Intelligence Center, a research division of 360 Enterprise Security Group, who posted about them on Twitter.
Attackers are using topics regarding the #Boeing 737 MAX 8 crash, and it seems an email account from @IsgecPresses has been abused to deliver the mails. The attachment is a JAR file which drops H-WORM RAT.
— 360 Threat Intelligence Center (@360TIC) March 15, 2019
The emails come from an address at [email protected] and carry subject lines similar to "Fwd: Airlines plane crash Boeing 737 Max 8". Attached is a JAR file with a name similar to MP4_142019.jar; the MP4_ prefix is meant to make the attachment look like a video clip, while the .jar extension is what actually determines how Windows opens it.
These emails pretend to be from a private intelligence analyst who found a leaked document on the dark web. The document supposedly lists other airline companies that will be affected by similar crashes soon.
The full text of the email can be read below.
Greetings
I believe you have heard about the latest crash Boeing 737 MAX 8 which happen on sunday 10 march 2019, All passengers and crew were killed in the accident Ethiopian Airlines Flight ET302 from Addis Ababa, Ethiopia, to Nairobi, Kenya, crashed shortly after takeoff The dead were of 35 different nationalities, including eight Americans.
On 29 October 2018, the Boeing 737 MAX 8 operating the route crashed into the Java Sea 12 minutes after takeoff. All 189 passengers and crew were killed in the accident.
note: there was a leak information from Darkweb which listed all the airline companies that will go down soon. kindly notify your love ones about the informations on these file.
Regards
Joshua Berlinger
private inteligent analyst
If a user opens the JAR file on a computer with a Java runtime installed, the runtime executes it directly; no exploit, macro or user-enabled content is needed beyond the double-click. The attachment was originally thought to install only the Houdini H-worm Remote Access Trojan, but security researcher Racco42 noted that the file was too large to contain just that single piece of malware.
internetnewsblog confirmed this by executing the attachment, which dropped two malware files in the %AppData% folder, as shown below.
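Because a JAR is just a ZIP archive whose META-INF/MANIFEST.MF names the class the Java runtime will launch, an attachment like this can be triaged without running it. The script below is an added example written for this article, not code from the campaign or from the researchers quoted here: it builds a small constructed JAR in memory (the class bytes and the bundled script name are placeholders, not the real payload), reads the manifest to find the Main-Class, counts class files, and flags non-Java entries such as .vbs or .exe that a legitimate single-purpose JAR would have no reason to carry. The entry-name and size heuristics are the author's own assumptions for the example, not published indicators.

```python
"""Static triage of a .jar e-mail attachment without executing it.

A .jar is a ZIP archive.  If META-INF/MANIFEST.MF names a Main-Class,
opening the file with a Java runtime installed launches that class, which
is why a JAR lure needs no macro or exploit.  Everything here is read-only.
"""
import io
import zipfile


def build_sample_jar(main_class="Loader", extra_entries=None):
    """Constructed sample JAR for the example (not the campaign's file):
    a manifest with an entry point, one dummy .class, optional extra files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF",
                   "Manifest-Version: 1.0\r\n"
                   f"Main-Class: {main_class}\r\n"
                   "Created-By: example\r\n\r\n")
        # 0xCAFEBABE is the class-file magic; the rest is filler, not real bytecode.
        z.writestr(f"{main_class}.class", b"\xca\xfe\xba\xbe" + b"\x00" * 28)
        for name, data in (extra_entries or {}).items():
            z.writestr(name, data)
    return buf.getvalue()


def parse_manifest(text):
    """Parse the main section of MANIFEST.MF into a dict.
    Long values may be wrapped onto a following line that starts with a space;
    those continuation lines are joined back onto the previous attribute."""
    attrs = {}
    last_key = None
    for raw in text.splitlines():
        if raw == "":
            break  # blank line ends the main section; per-entry sections follow
        if raw.startswith(" ") and last_key:
            attrs[last_key] += raw[1:]
            continue
        if ":" in raw:
            key, _, value = raw.partition(":")
            last_key = key.strip()
            attrs[last_key] = value.strip()
    return attrs


def triage_jar(data, max_bytes=5 * 1024 * 1024):
    """Describe a JAR attachment; returns a report dict and never runs the file."""
    report = {"is_jar": False, "main_class": None, "class_count": 0,
              "suspicious_entries": [], "flags": []}
    if data[:4] != b"PK\x03\x04":          # local-file-header magic of a ZIP
        report["flags"].append("not a zip/jar container")
        return report
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        report["flags"].append("corrupt zip")
        return report
    names = z.namelist()
    report["is_jar"] = "META-INF/MANIFEST.MF" in names
    if report["is_jar"]:
        manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        report["main_class"] = parse_manifest(manifest).get("Main-Class")
    report["class_count"] = sum(1 for n in names if n.endswith(".class"))
    # Heuristic (assumption for this example): scripts or native binaries
    # inside a JAR suggest a dropper rather than an ordinary Java program.
    for n in names:
        if n.lower().endswith((".exe", ".dll", ".vbs", ".js", ".bat", ".ps1")):
            report["suspicious_entries"].append(n)
    if report["main_class"]:
        report["flags"].append("executable: runtime would launch " + report["main_class"])
    if report["suspicious_entries"]:
        report["flags"].append("bundled non-Java payloads")
    if len(data) > max_bytes:
        report["flags"].append("unusually large for a single-purpose jar")
    return report


if __name__ == "__main__":
    sample = build_sample_jar(extra_entries={"res/dropper.vbs": b"' placeholder"})
    for key, value in triage_jar(sample).items():
        print(f"{key}: {value}")
```

Run against a real attachment, `triage_jar(open(path, "rb").read())` gives a mail-gateway or analyst a quick answer to "would Java run this, and what else is inside" before anyone opens it; the size threshold is the same intuition Racco42 applied by eye, turned into a repeatable check.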
As always, be wary of spam email with unexpected attachments, and never open an attachment unless you were expecting it and have confirmed with the sender, through a channel other than the email itself, that they actually sent it. Otherwise you never know what you are opening or what you may be infecting yourself with.