New Trickbot Campaign Distributing Phishing Emails via Legitimate Cloud Services
Last updated June 23, 2021
Phishing actors and deceptors are quick to react to anything that is happening in real life, and take advantage of the current state of affairs to promote their own malicious goals. In this context, a new mail-spamming campaign is ongoing right now, which is based on the people's fear of flying in a Boeing 737 MAX 8. As all airplanes of this type have been grounded for good and will remain grounded until the recent crash investigations are concluded, all of the emails that claim to offer some insight on future crashes are entirely fake.
Attackers are using topics regarding #Boeing 737 MAX 8 crash and seems an email account from @IsgecPresses has been abused to deliver the mails. The attachment is a JAR file which drops H-WORM RAT.
C2: pm2bitcoin[.]com
brothersjoy[.]nlhttps://t.co/qs6XhKMU3k pic.twitter.com/3aJWTKO2bT— RedDrip Team (@RedDrip7) March 15, 2019
The full spam mail text that is sent from a compromised address ([email protected]) is the following:
“Greetings
I believe you have heard about the latest crash Boeing 737 MAX 8 which happen on sunday 10 march 2019, All passengers and crew were killed in the accident
Ethiopian Airlines Flight ET302 from Addis Ababa, Ethiopia, to Nairobi, Kenya, crashed shortly after takeoff
The dead were of 35 different nationalities, including eight Americans.
On 29 October 2018, the Boeing 737 MAX 8 operating the route crashed into the Java Sea 12 minutes after takeoff.
All 189 passengers and crew were killed in the accident.
note: there was a leak information from Darkweb which listed all the airline companies that will go down soon.
kindly notify your love ones about the informations on these file.
Regards
Joshua Berlinger
private inteligent analyst”
Those who are cautious would catch the errors that almost always accompany phishing emails. The word “sunday” is not capitalized, the word “informations” cannot be written in plural, and the word “inteligent” is written with a double “L”. As is also usual in phishing emails, this one is accompanied by an attachment which is a JAR file (Java executable). Running the attachment installs the “H-Worm RAT” and the “Adwind” information-stealing Trojans. So, the JAR file contains not one, but two malware tools, increasing the chance of gathering information from the infected machine, and decreasing the change of an anti-virus tool removing them both.
According to reports from other users, this campaign is global, as there is an abundance of airlines using the particular model. That said if you receive an email claiming to have leaked information that warns you of an imminent airplane crash, put sanity first and think with composure and coolness about the claims for a moment. And for crying out loud, do not ever open executables or any attachments whatsoever, that come as unexpected, from unknown sources, with bold claims. Staying protected is as simple as that.
Have you received a warning about an impending 737 MAX 8 crash? Share your experience in the comments section beneath, and share this story through our socials, on Facebook and Twitter.