Trustwave’s SpiderLabs has analyzed the malicious messages

Jun 27, 2013 08:06 GMT  ·  By

Back in December 2012, airline company Qantas issued a warning about bogus emails purporting to come from the company. According to experts, the malicious “seat selection” notifications are still doing the rounds.

Researchers from Trustwave’s SpiderLabs say the spam emails are sent out by the Cutwail botnet.

The bogus messages carry a ZIP file that contains an executable of an Andromeda bot loader, also known as the Gamarue Trojan.

Once the malware is executed, it creates registry entries to make sure it’s loaded on every startup, and it adds itself to the Windows firewall exception list.

After this phase is completed, the threat starts communicating with its command and control (C&C) server. In the end, an additional executable file is downloaded.

This file is actually a version of the ZeuS malware, the notorious Trojan that’s designed to steal financial information from the infected computer.

“Cybercriminals have been actively spamming out Andromeda loaders for the past year. The spam themes vary from flight, courier, tax, hotel, payroll, invoice, social media and among others. Most of the time the spam campaigns are very legitimate looking. It may be hard to spot whether it’s a malicious email,” experts explained.