New malspam campaign disguised as leaked documents about Boeing 737 Max crashes delivers two malware

• The malspam emails disguised as leaked documents that contain information about the Boeing 737 Max crashes distribute malware to the recipients’ computer.
• The emails include a malicious JAR attachment, that when opened installs the H-Worm RAT on the victim’s computer.

What is the issue - A new malspam campaign was observed by 360 Threat Intelligence Center.

The malspam emails disguised as leaked documents that contain information about the ‘Boeing 737 Max crashes’ distribute malware to the recipients’ computer.

“Attackers are using topics regarding #Boeing 737 MAX 8 crash and seems an email account from @IsgecPresses has been abused to deliver the mails. The attachment is a JAR file which drops H-WORM RAT. C2: pm2bitcoin[.]com brothersjoy[.]nl,” 360 Threat Intelligence Center tweeted.

Why it matters - The malspam emails purport to come from private intelligence analyst who detected the leaked document in the DarkWeb that contains information about the airlines that will be affected by similar crashes.

The emails include a malicious JAR attachment, that when opened installs the H-Worm RAT to the victim’s computer.

Contents of the email

These phishing emails have subject lines such as ‘Fwd: Airlines plane crash Boeing 737 Max 8’ and come from email address ‘ info@isgec[.]com’.

“Greetings, I believe you have heard about the latest crash Boeing 737 MAX 8 which happen on sunday 10 march 2019, All passengers and crew were killed in the accident. Ethiopian Airlines Flight ET302 from Addis Ababa, Ethiopia, to Nairobi, Kenya, crashed shortly after takeoff. The dead were of 35 different nationalities, including eight Americans. On 29 October 2018, the Boeing 737 MAX 8 operating the route crashed into the Java Sea 12 minutes after takeoff. All 189 passengers and crew were killed in the accident.

note: there was a leak information from Darkweb which listed all the airline companies that will go down soon. kindly notify your love ones about the informations on these file,” the email read, BleepingComputer reported.

Worth noting - A security researcher who goes under the name ‘Racco42’ detected that in addition to delivering H-Worm RAT, the phishing emails also distribute Adwind info-stealing trojan.