A spam campaign is using two recent crashes involving Boeing 737 Max aircraft to distribute malware to unsuspecting users.
Discovered by 360 Threat Intelligence Center, a research division of 360 Enterprise Security Group, the campaign sends out attack emails that come from “firstname.lastname@example.org” with the subject line “Fwd: Airlines plane crash Boeing 737 Max 8.”
Attackers are using topics regarding #Boeing 737 MAX 8 crash and seems an email account from @IsgecPresses has been abused to deliver the mails. The attachment is a JAR file which drops H-WORM RAT.
— 360 Threat Intelligence Center (@360TIC) March 15, 2019
Supposedly written by a private investigator named Joshua Berlinger, the emails reference two recent crashes involving Boeing 737 Max aircraft. In the first incident, Ethiopian Airlines Flight 302 crashed just minutes after taking off from Addis Ababa Bole International Airport on 10 March, killing 157 people in the process. The second incident occurred several months earlier on 29 October 2018 when a Lion Air Flight 610 crashed after taking off from Jakarta airport, killing 189 people.
The email goes on to discuss how the Berlinger persona found a document leaked on the dark web. This file purports to identify several companies that will suffer similar crashes involving Boeing 737 Max aircraft in the future. Under the guise of helping them protect their loved ones, Berlinger asks users to view the document by opening an attached JAR file named “MP4_142019.jar.”
Bleeping Computer creator and owner Lawrence Abrams explains what happens next:
If a user attempts to open the JAR file, it will be executed by JAVA on the computer. This attachment was originally thought to only install the Houdini H-worm Remote Access Trojan, but security researcher Racco42 felt that it was too large to just be that single malware.
In response, the security researcher ran the infection process through Any.Run and found that it also installs the Adwind information-stealing trojan. Bleeping Computer later confirmed this finding independently.
This is just the latest instance of digital attackers capitalizing on recent events to distribute malware. Back in 2017, for interest, the U.S. government warned people to be on the lookout for charity scams and phishing attacks in the wake of Hurricane Harvey. More recently, the Cybersecurity and Infrastructure Security Agency (CISA) pointed out that scammers are attempting to exploit the recent New Zealand mosque shooting to infect users with malware.
To protect themselves against these types of scams, users should exercise caution around suspicious links and email attachments. They should also familiarize themselves with the most common types of phishing attacks.