Large airline crashes tend to uniquely focus almost everyone's attention. Lowlife internet criminals are exploiting the fear connected to these incidents, and leverage it in phishing attacks.
A new campaign is underway that uses the recent Boeing 737 Max crashes as a lure to infect workstations with both remote access and info-stealing Trojans. The campaign was discovered by 360 Threat Intelligence Center, who posted about it on Twitter and included a VirusTotal link showing which AV engines catch it.
These emails pretend to be from a private intelligence analyst who found a leaked document on the dark web. The document supposedly contains information about other airline companies that will be affected by similar crashes soon, and asks in broken English to "kindly notify your loved ones about the informations on these file".
The emails are coming from an email address at firstname.lastname@example.org and have subject lines similar to "Fwd: Airlines plane crash Boeing 737 Max 8". They also contain a JAR file as an attachment with names similar to MP4_142019.jar. Here is a screenshot:
Bleepingcomputer confirmed that both H-Worm RAT and Adwind info-stealing Trojans were installed.
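As an added example (not from the original post, 360 Threat Intelligence Center or Bleepingcomputer), here is a small Python triage function that applies the indicators described above to a constructed sample message: a .jar attachment from an external sender is enough to quarantine on its own, while the crash-themed subject line alone only earns a review. The keyword list, the verdict names and the sample addresses are assumptions for illustration.

```python
"""Triage inbound mail against the Boeing 737 Max lure described above."""
import email
from email import policy
from email.message import EmailMessage

# Indicators from the campaign description; the list is an assumption, extend as needed.
SUBJECT_KEYWORDS = ("plane crash", "boeing 737", "737 max")
# Java archives run as code when double-clicked, so treat them as executables.
RISKY_EXTENSIONS = (".jar",)


def classify_message(raw: bytes) -> dict:
    """Return a verdict ("quarantine", "review" or "deliver") plus the reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "").lower()
    findings = []
    if any(keyword in subject for keyword in SUBJECT_KEYWORDS):
        findings.append("subject mentions the 737 Max crash")
    has_risky_attachment = False
    # walk() visits every MIME part, so nested multipart messages are covered too.
    for part in msg.walk():
        name = part.get_filename()
        # endswith() catches disguised names such as MP4_142019.jar or clip.mp4.jar.
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            has_risky_attachment = True
            findings.append(f"executable attachment: {name}")
    if has_risky_attachment:
        verdict = "quarantine"
    elif findings:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "findings": findings}


def build_sample(subject: str, attachment_name: str = "") -> bytes:
    """Build a constructed test message (not a real captured sample)."""
    m = EmailMessage()
    m["From"] = "analyst@example.invalid"  # placeholder sender
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content("Kindly notify your loved ones about the informations on these file")
    if attachment_name:
        # Four bytes of a ZIP header stand in for the real archive payload.
        m.add_attachment(b"PK\x03\x04", maintype="application",
                         subtype="java-archive", filename=attachment_name)
    return m.as_bytes()


SAMPLE_LURE = build_sample("Fwd: Airlines plane crash Boeing 737 Max 8", "MP4_142019.jar")
SAMPLE_BENIGN = build_sample("Q2 travel policy", "policy.pdf")
```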
I suggest you send this reminder to your users. Feel free to edit, copy/paste:
"Airplane Crash Scam Warning. Be on the lookout for emails in your inbox from "analysts" about the recent Boeing 737 Max airplane crashes, asking you to notify your loved ones about possible other airlines "that will go down soon". These emails come with infected attachments that might make it through the filters, either at the office or at your house. Remember to always be alert about emails with unknown attachments, and never open an attachment unless you are expecting it from the sender and have confirmed that they actually sent it to you."
Let's stay safe out there.
Founder and CEO,