By Dancho Danchev
British Airways customers, watch out!
Cybercriminals have resumed spamvertising fake British Airways themed E-receipts — we intercepted the same campaign back in October — in an attempt to trick its customers into executing the malicious attachment found in the emails.
Sample screenshot of the spamvertised email:
Sample detection rate for the malicious attachment:
MD5: b46709cf7a6ff6071a6342eff3699bf0 – detected by 39 out of 46 antivirus scanners as Worm:Win32/Gamarue.I
Upon execution, it creates the following mutex on infected hosts:
It also initiates POST requests to the following IP:
As well as DNS requests to the following hosts:
zzbb45nnagdpp43gn56.com – 18.104.22.168
a9h23nuian3owj12.com – 22.214.171.124
zzbg1zv329sbgn56.com – 126.96.36.199
http://www.update.microsoft.com – 188.8.131.52
The IPs are currently sinkholed by Abuse.ch.
Webroot SecureAnywhere users are proactively protected from these threats.