If you have booked a flight from Qantas recently, you might be expecting a booking confirmation in your email inbox. Be wary however, because there are opportunist cyber crooks that spam out fake Qantas booking receipts. This malicious spam has been actively sent by the Cutwail botnet in the last few days.
When run, the malware drops a file in the infected system:
%AllUsersProfile%\<MalwareName>.exe (e.g.C:\Documents and Settings\All Users\dxssogpn.exe)
It also creates an autorun registry to ensure execution after Windows startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SunJavaUpdateSched = "C:\Documents and Settings\All Users\<MalwareName>.exe"A registry is also created to add the Trojan in the Windows firewall exception list:
HKEY_LOCAL_MACHINE\SSYTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Documents and Settings\All Users\<MalwareName> = "C:\Documents and Settings\All Users\<MalwareName>.exe:*:Enabled:<MalwareName>"
It then executes a legitimate Windows file MSIEXEC.EXE and injects itself to that process.
The Trojan phones home to its command and control server and then sends and receives encrypted data:
Afterwards, It downloads an additional malicious executable file which in this case is a Zbot Trojan, a notorious Trojan that is capable of stealing banking information.
The Andromeda bot behaves differently in a monitored and debugged environment. It utilizes several anti-debugging and anti-VM (virtual machine) techniques. When it encounter that it’s being debugged, it connects to TCP/IP address 0.0.0.0 and listens to port 8000, after which, it runs a new instance of CMD.EXE.
Cybercriminals have been actively spamming out Andromeda loaders for the past year. The spam themes vary from flight, courier, tax, hotel, payroll, invoice, social media and among others. Most of the time the spam campaigns are very legitimate looking. It may be hard to spot whether it’s a malicious email. But if you are cautious, you will easily tell a legitimate and a fake email. If you are technical enough, you may want to check if the attachment is an executable file, however for most people this may be too hard. Just be distrustful when you see unsolicited email in your inbox especially if you do not expect it. You can verify the sender but if you can’t, just delete it and you should be fine. And also, avoid clicking on links in the email.