Malspam Campaign Being Delivered Via Phony Leaked Boeing 737 Max Documents

Information regarding the crashes of the Boeing 737 MAX has been a hot topic since the accidents occurred, and attackers are now taking advantage of that interest. A security research company tweeted brief details of the emails being received: “Attackers are using topics regarding #Boeing 737 MAX 8 crash and seems an email account from @IsgecPresses has been abused to deliver the emails. The attachment is a JAR file which drops H-WORM RAT. C2: pm2bitcoin[.]com brothersjoy[.]nl.”

The sender claims to be a private intelligence analyst who found information on the dark web about other crashes that “will happen.” An example of one of the emails was posted online; it is reproduced here as posted, spelling and grammar errors included, because those errors are themselves a tell:

“Greetings, I believe you have heard about the latest crash Boeing 737 MAX 8 which happen on Sunday 10 March 2019, All passengers and crew were killed in the accident. Ethiopian Airlines Flight ET302 from Addis Ababa, Ethiopia, to Nairobi, Kenya, crashed shortly after takeoff. The dead were of 35 different nationalities, including eight Americans. On 29 October 2018, the Boeing 737 MAX 8 operating the route crashed into the Java Sea 12 minutes after takeoff. All 189 passengers and crew were killed in the accident. Note: There was a leak information from Darkweb which listed all the airline companies that will go down soon. kindly notify your love ones about the information on these files.”

Aside from the H-Worm RAT, the emails also deliver the Adwind information-stealing trojan.

Analyst Notes

Users should be on the lookout for emails from the abused sender noted above, but the sending address is easily changed, so a different sender does not make a message safe. If one of these emails is opened, misspellings, broken grammar and random capitalization, as in the sample above, are useful signs that it is not legitimate. Attachments should never be opened unless the sender can be verified through a separate channel, and a JAR file arriving by email has almost no legitimate business use and should be treated as malicious. Where possible, mail gateways should block .jar attachments outright, and the two C2 domains listed above should be blocked and searched for in proxy and DNS logs to find hosts that have already run the payload.
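As an added example (not part of the original post or the researcher's tweet), the following Python script applies the indicators above to a saved message: it checks each attachment's bytes for a JAR rather than trusting the filename, looks for the two quoted C2 domains in the body, and notes the lure phrases from the quoted email. The sample message it builds is constructed for the demonstration; its addresses, subject and attachment filename are made up, not taken from the campaign.

```python
"""Triage an .eml for the indicators described in the post above.

Added example, not the post's own code. The C2 domains and lure phrases come
from the post; the sample messages are constructed here and are not real.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# C2 domains quoted in the researcher's tweet, defanging brackets removed.
C2_DOMAINS = {"pm2bitcoin.com", "brothersjoy.nl"}

# Phrases lifted from the quoted lure text; weak signals on their own.
LURE_PHRASES = ("boeing 737 max", "darkweb", "will go down soon")

_DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")


def is_jar(payload: bytes) -> bool:
    """True if the bytes are a ZIP archive carrying META-INF/MANIFEST.MF,
    i.e. a JAR, regardless of what the filename extension claims."""
    if not payload.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return "META-INF/MANIFEST.MF" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def triage(raw: bytes) -> dict:
    """Scan one RFC 822 message and report which indicators were found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = {"jar_attachments": [], "c2_domains": set(), "lure_phrases": set()}
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment" or part.get_filename():
            payload = part.get_payload(decode=True) or b""
            if is_jar(payload):
                found["jar_attachments"].append(part.get_filename() or "<unnamed>")
            continue
        if part.get_content_type() in ("text/plain", "text/html"):
            text = part.get_content().lower().replace("[.]", ".")
            found["c2_domains"].update(
                d for d in _DOMAIN_RE.findall(text) if d in C2_DOMAINS)
            found["lure_phrases"].update(p for p in LURE_PHRASES if p in text)
    found["c2_domains"] = sorted(found["c2_domains"])
    found["lure_phrases"] = sorted(found["lure_phrases"])
    # A JAR attachment or a known C2 domain is decisive; lure text alone is a hint.
    found["suspicious"] = bool(found["jar_attachments"] or found["c2_domains"])
    return found


def build_sample_eml() -> bytes:
    """Constructed message mimicking the lure; addresses, subject and
    filename are invented for this example, not taken from the campaign."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe")  # stand-in bytes, not real bytecode
    msg = EmailMessage()
    msg["From"] = "intel.analyst@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Boeing 737 MAX 8 crash - leaked airline list"
    msg.set_content(
        "Greetings, I believe you have heard about the latest crash Boeing 737 MAX 8.\n"
        "Note: There was a leak information from Darkweb which listed all the airline\n"
        "companies that will go down soon. Full list: http://pm2bitcoin.com/list\n"
    )
    # The attachment really is a JAR, but the filename claims to be a PDF.
    msg.add_attachment(jar.getvalue(), maintype="application", subtype="pdf",
                       filename="leaked_airlines.pdf")
    return msg.as_bytes()


def build_benign_eml() -> bytes:
    """Constructed control message with none of the indicators."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.org"
    msg["Subject"] = "Lunch"
    msg.set_content("Still on for noon?\n")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample_eml()))
    print(triage(build_benign_eml()))
```

Checking the ZIP signature and manifest rather than the extension matters because a mail gateway rule on "*.jar" is trivially bypassed by renaming; the sample deliberately ships the JAR as "leaked_airlines.pdf" and is still flagged. The C2 domains are sufficient on their own for a block, while the lure phrases are reported only as supporting context.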