German internet users should be on their guard today, after malware was widely spammed out posing as a flight confirmation from Lufthansa.
Subject: Flugdetails & Reiseinformationen
Attached file: Flugscheindetails.zip

Falls Sie diese Reiseinformation nicht oder nur teilweise lesen konnen, offnen Sie bitte die angehangte PDF-Version. Bitte antworten Sie nicht auf diese E-Mail. Direkt-Antworten an den Absender konnen nicht bearbeitet werden. Um mit Lufthansa in Kontakt zu treten, rufen Sie bitte den Hilfe & Kontakt-Bereich auf www.lufthansa.com auf.
Flugscheindetails & Reiseinformationen in der beigefugten Datei
* Den Passenger Receipt (Rechnungsbeleg) erhalten Sie durch einen Klick auf die Flugscheinnummer bis 30 Tage nach Reisebeginn.

(Translation: "If you cannot read this travel information, or can only read part of it, please open the attached PDF version. Please do not reply to this e-mail; direct replies to the sender cannot be processed. To get in touch with Lufthansa, please use the Help & Contact section at www.lufthansa.com. Ticket details & travel information in the attached file. * You can obtain the Passenger Receipt (invoice) by clicking on the ticket number up to 30 days after the start of travel.")
Of course, the emails don’t really come from Lufthansa – but it’s likely that some internet users will have been duped into clicking on the attachment, even if they aren’t planning to travel anywhere, out of sheer curiosity.
The attached ZIP file contains a file called Flugsheindetails.PDF.exe, clearly named in an attempt to trick the unwary into believing it is a PDF.
Running the program installs its malicious code onto the computer, disguising itself as svchost.exe to allay the suspicions of anyone checking the list of running processes. A Registry key named SunJavaUpdateSched is also set.
Meanwhile, behind the scenes, the code has opened a backdoor on your compromised computer – allowing a third-party hacker to send commands, and potentially steal information or install further malware on your computer.
Sophos products detect the ZIP file as Mal/DrodZp-A, and the EXE as Mal/EncPk-AFN.
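The two host-side indicators the article gives (a process calling itself svchost.exe, and an autostart value named SunJavaUpdateSched) lend themselves to a simple triage check. The script below is an added example, not code from Sophos or from the article: it runs the checks over a constructed process list and a constructed set of Run-key values rather than querying a live Windows host. The install root `C:\Windows`, the rule that a genuine svchost.exe lives under System32 or SysWOW64 and is started by services.exe, and the "user-writable path" markers are assumptions of this example; the article does not state which hive or key the SunJavaUpdateSched value is written to, so the name is matched against whatever Run values the caller supplies.

```python
import ntpath

# Assumed standard install root; adjust for the host being examined.
SYSTEM_ROOT = r"C:\Windows"
LEGIT_SVCHOST_DIRS = {
    ntpath.join(SYSTEM_ROOT, "System32").lower(),
    ntpath.join(SYSTEM_ROOT, "SysWOW64").lower(),
}
# Value name taken from the article; the key it lives under is not stated there,
# so the check is applied to whatever Run-key values the caller has collected.
SUSPECT_RUN_VALUE_NAMES = {"sunjavaupdatesched"}
# Path fragments indicating a user-writable location (generic heuristic, not from the article).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\tmp\\", "\\downloads\\")


def check_process(name, image_path, parent_name):
    """Flag svchost.exe look-alikes: wrong directory, or wrong parent
    (a genuine svchost.exe is spawned by services.exe)."""
    reasons = []
    if name.lower() != "svchost.exe":
        return reasons
    if ntpath.dirname(image_path).lower() not in LEGIT_SVCHOST_DIRS:
        reasons.append(f"svchost.exe running from {image_path}")
    if parent_name.lower() != "services.exe":
        reasons.append(f"svchost.exe parent is {parent_name}, not services.exe")
    return reasons


def check_run_values(run_values):
    """run_values maps Run-key value name -> command line; returns (name, reason) findings."""
    findings = []
    for value_name, command in run_values.items():
        if value_name.lower() in SUSPECT_RUN_VALUE_NAMES:
            findings.append((value_name, "value name matches the persistence entry reported for this malware"))
        if any(marker in command.lower() for marker in USER_WRITABLE_MARKERS):
            findings.append((value_name, f"autostart points into a user-writable path: {command}"))
    return findings


def triage(processes, run_values):
    """Combine both checks into one list of (subject, reason) findings."""
    out = []
    for name, path, parent in processes:
        out.extend((path, reason) for reason in check_process(name, path, parent))
    out.extend(check_run_values(run_values))
    return out


# Constructed sample data: one legitimate svchost.exe, one impostor, two autostart entries.
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe"),
    ("svchost.exe", r"C:\Users\anna\AppData\Roaming\svchost.exe", "explorer.exe"),
]
SAMPLE_RUN_VALUES = {
    "SunJavaUpdateSched": r"C:\Users\anna\AppData\Roaming\svchost.exe",
    "OneDrive": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
}

if __name__ == "__main__":
    for subject, reason in triage(SAMPLE_PROCESSES, SAMPLE_RUN_VALUES):
        print(f"{subject}: {reason}")
```

On a real host the process list and Run values would come from the usual sources (a process listing with image paths and parent PIDs, and the HKCU/HKLM Run keys); the value of the check is that a real svchost.exe never lives in a profile directory and never has explorer.exe as its parent, so either condition alone is worth a closer look.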
Although German-speaking computer users are clearly the ones being targeted on this occasion, the same social engineering trick is likely to work in any language.
Everyone should be on their guard against unsolicited emails carrying strange attachments.
Thanks to SophosLabs researcher Richard Wang for his assistance with this article.
Lufthansa aircraft image from Shutterstock.
Would it be a safe bet to view all double extension items as malware?
Definitely when it ends with .exe – the problem is, though, that most of the people who would fall for that haven’t activated the option to show file extensions when their system knows the extension. This leads to the situation that a file named xyz.pdf.exe is only shown as xyz.pdf with the exe hidden – you see where I want to go.
Also, there are legitimate double extension files like xyz.tar.gz .
So it would be safer, yes, but not for every configuration visible on first sight and it also leads to false positives.
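The check discussed in this thread (flag a document-looking name that ends in an executable extension, but not a legitimate chain like .tar.gz, and show what the user would actually see with extensions hidden) can be written as a small attachment scanner. The code below is an added example, not from the article or any commenter: it builds a constructed ZIP in memory whose entries are placeholder bytes, classifies each entry by its extension chain, reproduces the Explorer "hide extensions for known file types" display, and additionally flags any entry whose content starts with the PE `MZ` header under a non-executable name. The extension lists are assumptions of the example and would be tuned per environment.

```python
import io
import os
import zipfile

# Extensions Windows will execute directly when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".jse", ".wsf", ".hta", ".msi", ".cpl"}
# Inner extensions that make a name look like a harmless document or image.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".txt", ".rtf", ".jpg", ".jpeg", ".png", ".gif", ".html"}
# Legitimate two-part extensions (compressed archive chains) that must not be flagged.
BENIGN_DOUBLE_EXTS = {(".tar", ".gz"), (".tar", ".bz2"), (".tar", ".xz"), (".tar", ".z")}


def displayed_name(filename, hide_known_ext=True):
    """Approximate what Explorer shows with 'Hide extensions for known file types' on:
    only the final extension is dropped, so xyz.pdf.exe is displayed as xyz.pdf."""
    if not hide_known_ext:
        return filename
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def classify_name(filename):
    """Return (verdict, reason) for an attachment name based on its extension chain."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    stem, last = os.path.splitext(name)
    inner = os.path.splitext(stem)[1].lower()
    last = last.lower()
    if (inner, last) in BENIGN_DOUBLE_EXTS:
        return "benign", "known archive chain such as .tar.gz"
    if last in EXECUTABLE_EXTS:
        if inner in DOCUMENT_EXTS:
            shown = displayed_name(name)
            return "malicious", f"document extension {inner} hides executable {last}; shown as {shown!r}"
        return "suspicious", f"executable attachment ({last})"
    return "clean", "no executable extension"


def scan_zip(data):
    """Scan raw ZIP bytes: name heuristics plus a check for a PE ('MZ') header
    hiding under a non-executable name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            verdict, reason = classify_name(info.filename)
            with zf.open(info) as fh:
                magic = fh.read(2)
            if magic == b"MZ" and verdict in ("clean", "benign"):
                verdict, reason = "malicious", "PE header found under a non-executable name"
            findings.append((info.filename, verdict, reason))
    return findings


def build_sample_zip():
    """Constructed sample archive; the bytes are placeholders, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Flugscheindetails.PDF.exe", b"MZ placeholder")
        zf.writestr("backup.tar.gz", b"\x1f\x8b placeholder")
        zf.writestr("itinerary.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("Rechnung.pdf", b"MZ placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict, reason in scan_zip(build_sample_zip()):
        print(f"{verdict:10} {name:28} {reason}")
```

The `MZ` check covers the false-negative case the name heuristic alone misses (a real executable shipped under a plain `.pdf` name), while the archive-chain whitelist covers the false-positive case raised in the thread; `displayed_name` makes the point that the user with extensions hidden only ever sees `Flugscheindetails.PDF`.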
Grammar and spelling became bloody good. :-/ (or is it Google translate 😉 )
Subsequently, focus on spelling details, e.g. können instead of konnen.
Also with regard to German spelling:
"Flugsheindetails.PDF.exe" should read "Flugscheindetails.PDF.exe" (with a "c").
Is that your error or the malware writer's error?
Also, would it be an idea to get the text of the email translated into English for the benefit of your non-German-reading readers?
Thanks,
Richard P
So, what is going to happen once I’ve opened that email, which I did on my iPad…???