German internet users should be on their guard today, after malware was widely spammed out posing as a flight confirmation from Lufthansa.
Subject: Flugdetails & Reiseinformationen ("Flight details & travel information")
Attached file: Flugscheindetails.zip
Message body (translated from German):
If you cannot read this travel information, or can only partly read it, please open the attached PDF version. Please do not reply to this email. Direct replies to the sender cannot be processed. To get in touch with Lufthansa, please visit the Help & Contact section at www.lufthansa.com.
Ticket details & travel information in the attached file
* You can get the Passenger Receipt (invoice receipt) by clicking on the ticket number, up to 30 days after the start of your journey.
Of course, the emails don’t really come from Lufthansa – but it’s likely that some internet users will have been duped into clicking on the attachment, even if they aren’t planning to travel anywhere, out of sheer curiosity.
The attached ZIP file contains a file called Flugsheindetails.PDF.exe, clearly named in an attempt to trick the unwary into believing it is a PDF.
Running the program installs its malicious code onto the computer, disguising itself as svchost.exe to allay the suspicions of anyone checking the list of running processes. A Registry key of SunJavaUpdateSched is also set.
Meanwhile, behind the scenes, the code has opened a backdoor on your compromised computer – allowing a third party hacker to send commands, and potentially steal information or install further malware on your computer.
Sophos products detect the ZIP file as Mal/DrodZp-A, and the EXE as Mal/EncPk-AFN.
Although German-speaking computer users are clearly the ones being targeted on this occasion, the same social engineering trick is likely to work in any language.
Everyone should be on their guard against unsolicited emails carrying strange attachments.
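A mail-gateway style check for the disguised attachment described above, as an added example that is not part of the original article: it lists ZIP members whose name ends in a document extension followed by an executable one. The extension lists and every sample member name other than Flugsheindetails.PDF.exe are assumptions constructed for illustration.

```python
import io
import zipfile

# Assumed lists for this example: extensions Windows will run, and the
# document-style extensions typically used as the decoy.
EXECUTABLE = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DECOY = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}


def masquerading_members(zip_bytes):
    """List archive members named like <name>.<document ext>.<executable ext>."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Look only at the file name, whichever path separator was used.
            name = info.filename.replace("\\", "/").rsplit("/", 1)[-1]
            # Strip padding: spaces before the real extension push it out of
            # view in narrow columns, and Windows ignores trailing dots/spaces.
            parts = [p.strip().lower() for p in name.rstrip(". ").split(".")]
            if len(parts) >= 3 and parts[-1] in EXECUTABLE and parts[-2] in DECOY:
                hits.append(info.filename)
    return hits


def build_sample():
    """Constructed test archive; members are empty placeholders, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Flugsheindetails.PDF.exe", b"")     # name from the article
        zf.writestr("Rechnung.pdf      .exe", b"")       # constructed: padded
        zf.writestr("docs/itinerary.pdf", b"")           # constructed: benign
        zf.writestr("docs/readme.v2.txt", b"")           # constructed: benign
        zf.writestr("setup.exe", b"")                    # plain EXE, no decoy
    return buf.getvalue()


if __name__ == "__main__":
    for member in masquerading_members(build_sample()):
        print("double extension:", member)
```

A plain setup.exe is deliberately not reported by this check; whether to block every executable inside an archive is a separate policy decision.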
Thanks to SophosLabs researcher Richard Wang for his assistance with this article.