Backdoor Trojan disguised as flight confirmation email hits German internet users

Graham Cluley

German internet users should be on their guard today, after malware was widely spammed out posing as a flight confirmation from Lufthansa.

Screenshot of the malicious email (described below).

Subject: Flugdetails & Reiseinformationen ("Flight details & travel information")
Attached file: Flugscheindetails.zip

The body of the message, translated from German:

If you cannot read this travel information, or can only read part of it, please open the attached PDF version. Please do not reply to this email. Direct replies to the sender cannot be processed. To contact Lufthansa, please visit the Help & Contact area at www.lufthansa.com.

Ticket details & travel information in the attached file

* You can obtain the Passenger Receipt (invoice) by clicking on the ticket number up to 30 days after the start of your journey.

Of course, the emails don't really come from Lufthansa, but it's likely that some internet users will have been duped into opening the attachment out of sheer curiosity, even if they aren't planning to travel anywhere.

The attached ZIP file contains a file called Flugsheindetails.PDF.exe, clearly named in an attempt to trick the unwary into believing it is a PDF. The trick works because Windows Explorer hides known file extensions by default, so the file is displayed simply as "Flugsheindetails.PDF", with no hint that it is an executable.
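The double-extension trick is easy to catch at a mail gateway before the message reaches anyone's inbox. The following is an added example, not code from the article or from Sophos: it inspects a ZIP attachment, flags members whose final extension is executable but whose name carries a document-style decoy extension in front of it, and, because a renamed attachment should not evade the check, also flags any member whose content starts with the "MZ" DOS/PE header regardless of its name. The sample archive is constructed in the code to resemble the attachment the article describes; the member names and bytes are made up for the test.

```python
import io
import zipfile

# Final extensions that Windows will execute directly (non-exhaustive list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a spammer inserts before the real one so the file looks like a document.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}


def inspect_zip(data: bytes) -> list:
    """Return (member name, reason) for every member a mail gateway should flag.

    Two checks: the member's last extension is executable (worse if a decoy
    document extension precedes it), and the member's first two bytes are the
    'MZ' PE header even though the name does not claim to be executable.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            basename = info.filename.rsplit("/", 1)[-1].lower()
            exts = ["." + part for part in basename.split(".")[1:]]
            final = exts[-1] if exts else ""
            if final in EXECUTABLE_EXTENSIONS:
                if any(ext in DECOY_EXTENSIONS for ext in exts[:-1]):
                    findings.append((info.filename, "double extension disguises executable"))
                else:
                    findings.append((info.filename, "executable attachment"))
            with zf.open(info) as member:
                magic = member.read(2)
            if magic == b"MZ" and final not in EXECUTABLE_EXTENSIONS:
                findings.append((info.filename, "PE header under non-executable name"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive (not the real attachment): a fake PE stub named
    like the article's Flugsheindetails.PDF.exe, a harmless PDF placeholder,
    and a PE stub renamed to .pdf to exercise the content check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Flugsheindetails.PDF.exe", b"MZ" + b"\x00" * 58 + b"PE\x00\x00")
        zf.writestr("Reiseinformationen.pdf", b"%PDF-1.4\n%harmless placeholder\n")
        zf.writestr("Rechnung.pdf", b"MZ" + b"\x00" * 58)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in inspect_zip(build_sample_zip()):
        print(f"{name}: {reason}")
```

The content check matters more than the name check: the ZIP in this campaign relies on the user's eye, but the same family could just as easily ship the PE under a plain .pdf name and count on a later renaming step, and only the header test catches that.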

Running the program installs its malicious code onto the computer, disguising itself as svchost.exe (the name of the legitimate Windows Service Host) to allay the suspicions of anyone checking the list of running processes. It also sets a Registry entry named SunJavaUpdateSched, the same name the genuine Java auto-updater uses, so that the entry does not look out of place.
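Both disguises can be unmasked from a process listing and a dump of the Run keys, because a genuine svchost.exe only runs from System32 or SysWOW64 and the genuine SunJavaUpdateSched value only launches jusched.exe. The following is an added example, not code from the article or from Sophos; it is written in Python so that the logic runs anywhere, over data you would export from the host (for example from Task Manager or a registry export). The process list, the Run values and the user name are constructed for the example, and the legitimate paths reflect an assumed default Windows and Java layout.

```python
import ntpath  # Windows path semantics, importable on any platform

# Directories the genuine Service Host runs from (assumed default Windows layout).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# The real Java auto-updater registers this Run value name; the Trojan reuses it.
JAVA_RUN_VALUE = "SunJavaUpdateSched"
JAVA_UPDATER_EXE = "jusched.exe"


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison: strip quotes, collapse separators, lower-case."""
    return ntpath.normpath(path.strip('"')).lower()


def executable_from_command(command: str) -> str:
    """Extract the program path from a Run-key command ('"C:\\a b\\x.exe" /arg' or 'C:\\x.exe /arg')."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def rogue_svchost(processes) -> list:
    """processes: iterable of (pid, image path). Returns PIDs of svchost.exe
    images that live outside System32/SysWOW64, i.e. impostors."""
    hits = []
    for pid, image in processes:
        image_n = _norm(image)
        if ntpath.basename(image_n) == "svchost.exe" and ntpath.dirname(image_n) not in LEGIT_SVCHOST_DIRS:
            hits.append(pid)
    return hits


def rogue_run_entries(run_values) -> list:
    """run_values: dict of Run value name -> command line. Returns names whose
    target is suspect: SunJavaUpdateSched not launching jusched.exe, or any
    value launching an svchost.exe from outside System32/SysWOW64."""
    hits = []
    for name, command in run_values.items():
        exe = _norm(executable_from_command(command))
        base = ntpath.basename(exe)
        if name.lower() == JAVA_RUN_VALUE.lower() and base != JAVA_UPDATER_EXE:
            hits.append(name)
        elif base == "svchost.exe" and ntpath.dirname(exe) not in LEGIT_SVCHOST_DIRS:
            hits.append(name)
    return hits


# Constructed sample data modelled on the behaviour described in the article.
SAMPLE_PROCESSES = [
    (812, r"C:\Windows\System32\svchost.exe"),
    (1040, r"C:\Windows\SysWOW64\svchost.exe"),
    (3316, r"C:\Users\anna\AppData\Roaming\svchost.exe"),  # Trojan posing as Service Host
]
SAMPLE_RUN_VALUES = {
    "SunJavaUpdateSched": r'"C:\Users\anna\AppData\Roaming\svchost.exe"',
    "VendorTool": r'"C:\Program Files\Vendor\tool.exe" /background',
}
SAMPLE_RUN_VALUES_CLEAN = {
    "SunJavaUpdateSched": r'"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"',
}

if __name__ == "__main__":
    print("rogue svchost PIDs:", rogue_svchost(SAMPLE_PROCESSES))
    print("rogue Run values:", rogue_run_entries(SAMPLE_RUN_VALUES))
    print("clean host:", rogue_run_entries(SAMPLE_RUN_VALUES_CLEAN))
```

The checks are deliberately keyed on where a binary runs from rather than on its name, which is the one thing a process-name disguise cannot fake; a defender reviewing Task Manager should add the "Image Path Name" column for the same reason.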

Meanwhile, behind the scenes, the code has opened a backdoor on the compromised computer, allowing a remote attacker to send commands, and potentially to steal information or install further malware on the machine.

Sophos products detect the ZIP file as Mal/DrodZp-A, and the EXE as Mal/EncPk-AFN.

Although German-speaking computer users are clearly the ones being targeted on this occasion, the same social engineering trick is likely to work in any language.

Everyone should be on their guard against unsolicited emails carrying unexpected attachments.

Thanks to SophosLabs researcher Richard Wang for his assistance with this article

Lufthansa aircraft image from Shutterstock.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
