The Trend Micro Content Security team discovered spoofed email messages that pretend to come from Delta Airlines. The fake message carries a confirmation number for a supposed ticket purchase and a ZIP file attachment; recipients are told that the file contains the details of their travel itinerary.
Here’s a screenshot of a spammed message:
Figure 1. Sample spam.
The ZIP file is, of course, malicious and is detected by Trend Micro as TROJ_DELF.PSZ.
Figure 2. Malicious file.
The Trojan runs automatically at every system startup by modifying a registry entry. It has rootkit routines that allow the binary to hide its processes, files, and registry entries. The file also connects to a website to download further files, which exposes the infected system to additional threats.
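The two traits of this lure that a mail gateway can check for are a displayed airline sender that does not match the envelope sender, and a ZIP "itinerary" whose member is really an executable. The Python triage below is an added example, not Trend Micro's code; the message it inspects is constructed inline, and the domains `delta.example` and `mailer.example.net` are placeholders.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat")

def build_sample_message() -> bytes:
    """Constructed lookalike of the lure: spoofed airline sender, ZIP 'itinerary' (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Double extension hides the executable behind a PDF-looking name.
        zf.writestr("Itinerary_Confirmation_12345.pdf.exe", b"MZ" + b"\x00" * 16)
    msg = EmailMessage()
    msg["From"] = "Delta Airlines <tickets@delta.example>"  # displayed sender (placeholder domain)
    msg["Return-Path"] = "<bounce-77@mailer.example.net>"   # envelope sender, a different domain
    msg["Subject"] = "Your ticket purchase, confirmation #8841"
    msg.set_content("Your itinerary is attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Itinerary.zip")
    return msg.as_bytes()

def domain_of(header_value) -> str:
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def triage(raw: bytes) -> list:
    """Return findings for an itinerary lure: sender-domain mismatch, executable inside a ZIP."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom, rp_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"sender-mismatch:{from_dom}!={rp_dom}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not (name.endswith(".zip") or part.get_content_type() == "application/zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(EXECUTABLE_SUFFIXES):
                        findings.append(f"executable-in-zip:{member}")
        except zipfile.BadZipFile:
            findings.append(f"corrupt-zip:{name}")  # a ZIP that will not open is itself suspicious
    return findings

if __name__ == "__main__":
    print(triage(build_sample_message()))
```

Real gateways should additionally verify SPF/DKIM on the envelope sender rather than relying on the Return-Path header alone, since a mismatch is only a heuristic.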
This would not be the first time cybercriminals have used airline tickets as bait. A fake American Airlines website was used for phishing late last year. The fact that airline tickets are relatively inexpensive now could also be a factor in the proliferation of these types of threats. Users may think they are getting a free vacation when in fact their PCs are already being infected with malware.
The Trend Micro Smart Protection Network already blocks TROJ_DELF.PSZ and provides solutions for its cleanup and removal.