"The email is designed to scare you into thinking someone bought an airplane ticket using your identity. You then panic and click on one of the links in the email in order to figure out how someone could do an unauthorized purchase with your credentials."

Clicking on a link redirects the recipient to one of several compromised websites hosting Word documents. If the user downloads a document, opens it and enables its embedded macro, Hancitor, a downloader commonly delivered by phishing, uses PowerShell to inject itself into legitimate system processes on the machine. The infected computer then connects to a command and control (C&C) server and retrieves Pony. That credential stealer completes the chain by downloading Zloader, a banking malware family.

This isn't the first time we've seen Hancitor and Pony leverage malicious Word documents to distribute banking malware. Users should protect themselves by keeping macros disabled in Office documents by default and by exercising caution around suspicious links and email attachments. That goes especially for Delta Air Lines receipts with no flight information.
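The whole chain above hinges on a Word document carrying a macro, so the cheapest place to stop it is before the user sees the "Enable Content" prompt. The script below is an added example, not code from the original article or from any of the researchers it quotes: it triages attachments by looking for a VBA project inside the file rather than trusting the extension. It assumes two things, both labelled in the code: modern OOXML files (.docx/.docm) are zip archives in which a VBA project always ships as a `vbaProject.bin` entry, and legacy binary Office files (.doc) keep their macro storage names as UTF-16LE directory entries, which the example detects with a byte-level heuristic rather than a full compound-file parser. The sample documents are constructed in memory and are not the campaign's real lures.

```python
"""Triage Office attachments for embedded VBA macros (added example).

Constructed sample files stand in for real attachments; nothing here is
derived from the Hancitor lure itself.
"""
import io
import zipfile

# Container signatures (assumption: these magic bytes identify the two
# Office file families we care about).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls compound file
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .docx/.docm/.xlsx/...

MACRO_FREE_EXTENSIONS = ("docx", "xlsx", "pptx")  # formats that should not carry VBA


def ooxml_has_macro(data: bytes) -> bool:
    """OOXML is a zip; a VBA project is stored as word/vbaProject.bin
    (xl/ and ppt/ use the same file name)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return any(name.lower().endswith("vbaproject.bin") for name in names)


def ole_has_macro(data: bytes) -> bool:
    """Heuristic for legacy binary Office files: compound-file directory
    entries hold stream/storage names in UTF-16LE, and a VBA project always
    includes a stream named _VBA_PROJECT. A proper parser (oletools/olefile)
    is the right tool in production; this dependency-free check covers the
    common case."""
    return "_VBA_PROJECT".encode("utf-16-le") in data


def triage(filename: str, data: bytes) -> dict:
    """Return a verdict a mail gateway could act on for one attachment."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if data.startswith(ZIP_MAGIC):
        container, macro = "ooxml", ooxml_has_macro(data)
    elif data.startswith(OLE_MAGIC):
        container, macro = "ole", ole_has_macro(data)
    else:
        return {"verdict": "allow", "reason": "not an Office container"}

    if macro:
        reason = f"{container} document carries a VBA project"
        # An extension that promises a macro-free format but a body that
        # contains one is a content/extension mismatch worth calling out.
        if ext in MACRO_FREE_EXTENSIONS:
            reason += " despite a macro-free extension"
        return {"verdict": "quarantine", "reason": reason}
    return {"verdict": "allow", "reason": f"{container} document without macros"}


# ---- constructed samples (not real malware) --------------------------------

def build_ooxml(with_macro: bool) -> bytes:
    """Minimal zip that mimics an OOXML document, optionally with a
    placeholder vbaProject.bin entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes
    return buf.getvalue()


def build_ole_stub(with_macro: bool) -> bytes:
    """OLE magic plus padding and, when requested, the UTF-16LE stream name
    a real VBA project would carry. Constructed stub, not a valid document."""
    body = b"\x00" * 64
    if with_macro:
        body += "_VBA_PROJECT".encode("utf-16-le")
    return OLE_MAGIC + body


SAMPLES = {
    "DeltaReceipt.docm": build_ooxml(True),
    "DeltaReceipt.docx": build_ooxml(True),    # macro hidden behind a .docx name
    "itinerary.docx": build_ooxml(False),
    "receipt.doc": build_ole_stub(True),
    "receipt_clean.doc": build_ole_stub(False),
    "receipt.pdf": b"%PDF-1.4 constructed stub",
}


def triage_all(samples: dict) -> dict:
    """Run triage over a mapping of filename -> bytes."""
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in triage_all(SAMPLES).items():
        print(f"{name:22} {result['verdict']:10} {result['reason']}")
```

Run stand-alone it prints one verdict per constructed sample; the two files with a VBA project are quarantined whatever their extension, and the `.docx` that hides one is additionally flagged for the mismatch. Hooking the same check into a gateway means no "Enable Content" decision is ever left to the recipient of a fake receipt.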