HackDig : Dig high-quality web security articles for hackers

ThreatSecure Catches Air Canada Ticket Malware En Route

2014-08-15 09:18

For our blog readers, we wanted to share a quick look at how ThreatSecure’s proactive behavior-based malware detection identified a new malware sample attacking networks via email, as well as the threat analysis and details it provides users.

At RSA Conference 2014, ThreatTrack Security launched the ThreatSecure email appliance, a new approach to catching email-based malware attacks that evade traditional signature-based defenses.

The email (pictured below) was directed to an employee inbox purporting to be from Air Canada and directing the recipient to download and print their ticket. (Note: Air Canada was not hacked, nor were they part of this malware. The malicious URL distributing a previously unidentified malware is simply being masked to look like it’s coming from Air Canada.)

Air Canada Spam, ThreatSecure,

Click to enlarge

The link hxxps://www.aircanada.com/travelInformation/viewOrderInfo.do?action=download&fid=QB820910108CA pointed to another address, hxxp://alienstub.com/pdf_ticket_820910108.zip, which hosts the malware, a zipped malicious file. Once the zip file is decompressed, the user will see a file called pdf_ticket_820910108.pif

Analysis by ThreatSecure quickly revealed the sample as an exploit categorized with a high severity (see in-product analysis screen below), exhibiting malicious behavior like disabling the Windows firewall, changing proxy settings in Internet Explorer, opening the command prompt, creating executable files and connecting to Windows Remote Access Connection Manager.

Air Canada df_ticket_820910108_pif analysis, ThreatSecure,

Click to enlarge

At the time of receiving the ThreatSecure analysis, none of the 51 antivirus vendors on VirusTotal detected the sample.

In addition to the risk assessment above, ThreatSecure provided the following Threat Details for the security administrator to take corrective action and address the threat.

x-dosexec, ThreatSecure, Air Canada

Click to enlarge

At the time of posting this blog, 16 / 51 antivirus vendors on VirusTotal detect this file as being malicious.

The domain hxxp://alienstub.com appears to be registered in China, and is protected by the Whois Privacy Protection Service. The site is also being protected by CloudFlare Inc. 

The post ThreatSecure Catches Air Canada Ticket Malware En Route appeared first on ThreatTrack Security Labs Blog.

Source: /IhMtTZlu9ZT/3~/ytiruceskcarttaerht/r~/moc.elgoog.yxorpdeef

“ThreatSecure Catches Air Canada Ticket Malware En Route”0 Comments

Submit A Comment



Blog :

Verification Code:


Tag Cloud