A new malspam campaign is underway that is trying to utilize the tragic Boeing 737 Max crashes as a way to spread malware on a recipient’s computer. These spam emails pretend to be leaked documents about imminent crashes that the sender states should be reviewed and shared with loved ones to warn them.
This new campaign was discovered by 360 Threat Intelligence Center, a research division of 360 Enterprise Security Group, who posted about them on Twitter.
The emails are sent from the address info@isgec.com and carry subject lines similar to "Fwd: Airlines plane crash Boeing 737 Max 8". Each one has a JAR file attached, with a file name similar to MP4_142019.jar, chosen to look like a video clip.
If a user opens the JAR file, it is executed by the Java runtime installed on the computer. The attachment was originally thought to install only the Houdini H-Worm Remote Access Trojan, but security researcher Racco42 felt that it was too large to contain just that single piece of malware.
After running it through the Any.Run sandbox, he saw that, in addition to installing the H-Worm RAT, it was also installing the Adwind information-stealing Trojan.
BleepingComputer confirmed this by executing the attachment, which led to two malware files being installed in the %AppData% folder.
The ntfsmgr.jar is the Adwind Trojan [VirusTotal] and the VBS file is the H-Worm RAT [VirusTotal].
[Image: H-Worm RAT VBS script]
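The campaign relies on a JAR attachment whose file name is dressed up as a video clip. A mail gateway or triage script should therefore judge the attachment by its contents, not its name: a JAR is a ZIP archive that normally carries META-INF/MANIFEST.MF and .class entries. The following script is an added example written for this page; it is not code from BleepingComputer, 360 Threat Intelligence Center or Racco42. It builds a constructed sample email (sender and subject taken from the article, the JAR body and the lure keyword list are assumptions) and flags it when the subject matches the lure and any attachment is a JAR by content, whatever its extension.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed lure keywords; in production this would come from threat intel.
SUSPICIOUS_SUBJECT_TERMS = ("boeing", "737 max", "plane crash")
ZIP_MAGIC = b"PK\x03\x04"


def build_sample_jar() -> bytes:
    """Constructed stand-in for the attachment: a ZIP with a manifest and a
    fake class entry. The bytes are not real bytecode and do nothing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Dropper\n")
        zf.writestr("Dropper.class", b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def build_sample_email() -> bytes:
    """Constructed sample message mirroring the campaign's sender, subject
    and attachment name from the article."""
    msg = EmailMessage()
    msg["From"] = "info@isgec.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Fwd: Airlines plane crash Boeing 737 Max 8"
    msg.set_content("Leaked document about upcoming crashes, please read and share with loved ones.")
    msg.add_attachment(build_sample_jar(), maintype="application",
                       subtype="octet-stream", filename="MP4_142019.jar")
    return msg.as_bytes()


def is_jar(data: bytes) -> bool:
    """True if the bytes are a ZIP archive that looks like a Java archive:
    it has a manifest or at least one .class entry."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return "META-INF/MANIFEST.MF" in names or any(n.endswith(".class") for n in names)


def analyze_email(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and report lure subject and JAR attachments.
    The verdict is based on content, so a JAR renamed to .mp4 is still caught."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").lower()
    findings = {
        "from": str(msg["From"] or ""),
        "subject_lure": any(term in subject for term in SUSPICIOUS_SUBJECT_TERMS),
        "jar_attachments": [],
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        by_content = is_jar(payload)
        if by_content or name.lower().endswith(".jar"):
            findings["jar_attachments"].append(
                {"filename": name, "size": len(payload), "content_is_jar": by_content}
            )
    findings["block"] = bool(findings["jar_attachments"])
    return findings


if __name__ == "__main__":
    result = analyze_email(build_sample_email())
    verdict = "BLOCK" if result["block"] else "allow"
    print(verdict, result["from"], result["jar_attachments"])
```

The content check matters more than the subject match: lure wording changes with every news cycle, whereas a Java archive delivered by mail to an end user is rarely legitimate and can be quarantined on that basis alone.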
As always, beware of spam email with unknown attachments and never open an attachment unless you are expecting it from the sender and have confirmed that they have actually sent it to you. Otherwise, you never know what you will be opening and potentially infecting yourself with.
———————————————————————
From : BLEEPINGCOMPUTER / March 16, 2019
Link : https://www.bleepingcomputer.com/news/security/spam-warns-about-boeing-737-max-crashes-while-pushing-malware/