Spam E-mail Campaign Masquerading as Delta Airlines
A reputed Swiss security blog has reported a spam e-mail campaign that leverages the name and reputation of Delta Airlines in an attempt to distribute malware.
The fake e-mail informs recipients that a ticket has been purchased with their credit card and contains a link to a fake site, where the ZIP archive pdf_delta_ticket.zip is offered for download. The archive contains a screensaver file carrying the Trojan, which currently has a low detection rate.
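As an added example (not code from the original report or from abuse.ch), here is the kind of attachment check a mail gateway could apply to this lure: it flags a ZIP whose name suggests a document but whose members are Windows-executable types such as .scr, and it builds its own constructed sample archive; the archive and member names are assumptions.

```python
import io
import zipfile

# Extensions Windows executes directly on double-click; a ticket lure has no reason to contain one.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Name fragments that suggest a document, as in the lure's "pdf_delta_ticket.zip".
DOCUMENT_HINTS = ("pdf", "ticket", "invoice", "receipt")


def inspect_zip_attachment(archive_name: str, data: bytes) -> list:
    """Return findings for a ZIP attachment; an empty list means nothing suspicious was seen."""
    findings = []
    looks_like_document = any(h in archive_name.lower() for h in DOCUMENT_HINTS)
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["attachment is not a valid ZIP archive"]
    with zf:
        for member in zf.namelist():
            # Look only at the base name, split on dots to get the final and penultimate extensions.
            parts = member.lower().rsplit("/", 1)[-1].split(".")
            suffix = "." + parts[-1] if len(parts) > 1 else ""
            if suffix in EXECUTABLE_EXTENSIONS:
                findings.append(f"executable member: {member}")
                if looks_like_document:
                    findings.append(f"document-named archive {archive_name} carries {suffix} payload")
                # Double extensions such as "ticket.pdf.scr" hide the real type behind a document one.
                if len(parts) > 2 and parts[-2] in ("pdf", "doc", "txt"):
                    findings.append(f"double extension: {member}")
    return findings


def build_sample_zip(member_name: str) -> bytes:
    """Constructed sample: an in-memory ZIP holding one dummy member (not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"dummy bytes standing in for the screensaver file")
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_zip("pdf_delta_ticket.scr")  # assumed member name inside the lure archive
    print(inspect_zip_attachment("pdf_delta_ticket.zip", lure))
    print(inspect_zip_attachment("report.zip", build_sample_zip("report.pdf")))
```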
According to Roman Hussy, a reputed Swiss security expert and creator of abuse.ch, the binary is packed with a packer that is fully VM-aware, so it will run only on a native, non-virtualized machine. Once infected, however, systems attempt to contact various Citadel C&C servers located in the same subnet belonging to the ISP Aztec Ltd, which Hussy had already listed on ZeuS Tracker, as published by Help Net Security on February 19, 2013.
It is also held that this particular Citadel campaign is targeted at organizations including BMO Financial Group, RBC Royal Bank and CIBC.
While investigating the ISP's upstream providers, Hussy also discovered some names that are easily recognizable to botnet researchers. He recommends that network operators drop any packets to or from these networks at the network edge.
Such spam campaigns are quite common; according to Hussy, 1-3 such campaigns are seen every day. This particular campaign, however, was not sent out by a spam botnet (usually Cutwail, Festi or Kelihos) but via compromised e-mail servers. So far, about 30 compromised SMTP (Simple Mail Transfer Protocol) servers have been abused in this spam campaign, as published by abuse.ch on February 18, 2013.
To conclude, this is not the first time these cybercriminals have sent fake notifications in the name of Delta Airlines to trick users into installing malware. Only a few months ago, fake antivirus was distributed in a similar manner.