We recently noticed that there has been an increase in spammed messages that use airline information as bait. These messages are made to look like notifications from airlines such as Delta Airlines, British Airways, US Airways, and American Airlines. Each message comes with an attachment—often in the form of a fake e-ticket—that recipients are supposed to open. This attachment is actually a BKDR_KULUOZ variant.
Figure 1. Screenshot of sample spam
KULUOZ variants are known to download and execute other malware, such as SIREFEF/ZACCESS and FAKEAV variants. KULUOZ variants are also evolving: we’ve even seen one variant, detected as BKDR_KULUOZ.MN, that collects system information, including which antivirus product is installed on the affected computer. This is a routine previously unheard of from this malware family.
While we have seen KULUOZ spam in the past, there has been no significant change in numbers in the past several months. KULUOZ spam now represents nearly half of all malicious spam attachments.
Figure 2. Breakdown of spam attachments over a one-week period
Based on our investigation, this batch of BKDR_KULUOZ is distributed by the Cutwail/Pushdo botnet. Previously, we noted that the same botnet was responsible for sending out Blackhole Exploit Kit (BHEK)-like spam that serves UPATRE variants.
Previous instances of KULUOZ spam used shipping and airline notifications as bait. The exclusive use of airline tickets in this new campaign could be a deliberate move, considering people frequently travel over the holidays. Victims may be more inclined to click attachments if they’re actually expecting airline tickets.
Users should remain extremely careful when opening messages. Since most messages are specially crafted to look as legitimate as possible, it’s ideal to double-check with the sender to see if an email is legitimate. Trend Micro Smart Protection Network blocks all related threats in this attack.
With additional insights from Merianne Polintan, Jerwin Solidum, Maydelene Salvador, and Mark Manahan.