14 DAY TRIAL // Email messages claiming to deliver details about an airplane ticket purchase from American Airlines have been spotted in the wild carrying a link to Pony/Fareit infostealer, which is instructed to download another threat called Rovnix.
In previous analyses, security researchers determined that both pieces of malware come with password-stealing features and they can download other threats on the compromised computer.
Email looks legitimate
Recipients of the rogue emails can be easily tricked into believing that the communication is legitimate as the sender’s address is spoofed ([email protected]) to look like it belongs to the airline company.
The link to the initial piece of malware (Pony) also appears to be a safe one, as it is not shortened. However, it is actually a hyperlink, and although it mimics a URL from American Airlines, it accesses a resource from a different location.
If the user decides to select the URL and paste it in a web browser, they will find a 404 page instead of the company’s website.
It is important to note that the email is devised in a way that does not raise suspicions. The cybercriminals provide information about the flight numbers, the departing location and the price of the ticket. Moreover, a legitimate link to American Airlines technical support page is present.
Malware seems hosted on compromised web servers
Once Pony is installed on the system, it runs routines for downloading Rovnix, which is hosted on different websites that appear to have been compromised.
Samples of the malicious email have been captured and analyzed on Monday by Brad Duncan on his Malware-Traffic-Analysis blog, where he offers details about the domains associated with the campaign, the traffic from an infected machine and the hashes for the threats.
According to the traffic analysis (PCAP file here) captured from a compromised system, the communication with the command and control (C&C) server (heckwassleftran[.]ru, access is password protected) is carried out via GET and POST requests.