The malicious flight confirmations have been making the rounds for around one month

Jan 22, 2013 18:41 GMT

Security experts warn German users to be on the lookout these days for bogus notifications apparently coming from the country’s largest airline, Lufthansa.

“If you cannot read this travel information, or can read it only in part, please open the attached PDF version. Please do not reply to this e-mail. Direct replies to the sender cannot be processed,” read the fake notifications, which are written in German.

The flight confirmations – which have been making the rounds for around one month – are well designed, but they have nothing to do with Lufthansa. Instead, they’re part of a spam campaign whose main goal is to spread a Trojan detected by Sophos solutions as Mal/EncPk-AFN.

To avoid raising any suspicion, the malware is hidden in an archive file called “Flugscheindetails.zip.” The archive contains a file named Flugsheindetails.PDF.exe.

When launched, this executable (disguised as a PDF document) installs malicious code and modifies registry keys, allowing cybercriminals to steal information and install other pieces of malware.
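A mail gateway or triage script can catch this disguise by listing the names inside a ZIP attachment without extracting anything. The sketch below is an added example, not code from Sophos or from this article; the extension lists are assumptions and not exhaustive, and the sample archive is constructed with placeholder bytes under the file name quoted above.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs on double-click (assumed, non-exhaustive list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document-type extensions often used as the decoy part of the name (assumed).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def is_disguised_executable(name: str) -> bool:
    """True if the name ends in <decoy ext><executable ext>, e.g. x.PDF.exe."""
    # Trailing dots/spaces are ignored by Windows, and whitespace padding before
    # the real extension hides it in narrow columns, so strip both first.
    base = PurePosixPath(name.replace("\\", "/")).name.rstrip(". ")
    parts = [p.strip().lower() for p in base.split(".")]
    if len(parts) < 3:
        return False
    return "." + parts[-1] in EXECUTABLE_EXTS and "." + parts[-2] in DECOY_EXTS


def scan_zip_attachment(data: bytes) -> list[str]:
    """Return member names in a ZIP attachment that look like disguised executables."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Only the central directory is read; no member is extracted or run.
        return [i.filename for i in zf.infolist()
                if not i.is_dir() and is_disguised_executable(i.filename)]


def build_sample_zip(names: list[str]) -> bytes:
    """Constructed sample: a ZIP whose members hold harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip(["Flugsheindetails.PDF.exe", "itinerary.pdf", "setup.exe"])
    print(scan_zip_attachment(sample))
```

A plain `setup.exe` is deliberately not flagged here: the check targets the masquerade itself, and a separate policy decides whether executables in archives are allowed at all.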