October 30th, 2012, 09:05 GMT

Gamarue Malware Hides in Hotel Booking Confirmations Sent to German Users

[Figure: Gamarue infections]
Back in May 2012, security experts started issuing warnings about malicious hotel booking confirmations designed to spread a nasty piece of malware. At the time, the emails were aimed at English-speaking users, but now they have been adapted to target German-speaking internet users.

Trend Micro experts have identified a malicious notification purporting to come from Brenners Park-Hotel and Spa in Austria. Similar to the early variants, the emails attempt to trick recipients into opening an attachment that allegedly contains reservation details.

In reality, the attached file hides BKDR_ANDROM.P – a variant of the Gamarue/Andromeda malware – which is capable of performing its malicious tasks on both Windows XP and Windows 7 (32-bit and 64-bit versions) systems.

Once it makes itself “cozy” on a computer, the malware attempts to contact one of its six command and control (C&C) servers. The C&C orders the malicious element to retrieve information from the infected device and download an additional plugin from a compromised Australian site.

Researchers have found that a .pl domain – registered with Domain Silver Inc. – was the only one active at the time when the email was discovered. They contacted CERT Poland, which rushed to take it down.

This particular infection campaign appears to have impacted mostly users from Germany (30%), Australia (25%), Singapore (11%) and Italy (8.7%).

According to experts, like other similar threats, Gamarue is modularized. In this particular case, the malware sample has been encrypted, which hinders researchers trying to analyze it in a virtual machine environment.

Besides downloading files, Gamarue is also capable of modifying the Windows registry, connecting to arbitrary URLs and executing files.

Trend Micro is actively blocking all the domains and links found to be connected to this malware. Furthermore, emails are being blocked before reaching inboxes.

However, this instance clearly shows that cybercriminals are constantly working on improving their operations, and one “bump in the road” will probably not make them give up. That is why users are always advised to be cautious when presented with such emails.
