Delta Air Lines Phishing Email Downloads Malware Hancitor

Another phishing campaign has been discovered by Heimdal researchers, this one impersonating Delta Air Lines to deliver the Hancitor malware. The potential victim receives an email disguised as a payment confirmation from the company.

Your Order with Delta Air Lines Has Been Confirmed Phishing Scam

As explained by the researchers, using an airline to mask malicious intentions is not random, since many airlines offer discount rates for summer flights at this time of the year. If you have received an email with the subject line “Your order [numbers] with Delta Air Lines has been confirmed!” without having made a reservation, proceed with caution!

Here is what the spam email containing malware looks like:

As with every phishing email, a careful eye would immediately spot several inaccuracies pointing to the unauthentic origin of the message:

  • First, the sender address is not legitimate and does not belong to the company. If it were the company’s email, it should have ended with “” not “@deltaa”.
  • No specific information about the flight is given. A genuine confirmation email would contain details about the booked flight; the attackers use the lack of information to lure the user into clicking the provided link.
  • The visual format of the email does not correspond to Delta’s usual emails. If you are a customer of the company, you should definitely find this inaccuracy suspicious.
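The tells listed above can be checked mechanically before a user ever sees the message. The following is an added example, not code from the article or from Heimdal: it parses a constructed message, flags the campaign's subject line, a sender domain outside an assumed brand allowlist (placeholder domains, since the legitimate address is elided above), missing flight details, and links to off-brand hosts.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allowlist of legitimate sender/link domains for the impersonated brand.
# Placeholder values; the real domain is not reproduced here.
BRAND_DOMAINS = {"legitimate-airline.example"}

# Subject line used by the campaign described in the article.
SUBJECT_RE = re.compile(r"^Your order \d+ with Delta Air Lines has been confirmed!$", re.I)
# Words a genuine booking confirmation would carry; their absence is the second tell.
FLIGHT_DETAIL_RE = re.compile(r"\b(flight|departure|arrival|confirmation number|passenger)\b", re.I)
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.I)

def _body_text(msg) -> str:
    """Concatenate the text/plain parts of a message (single-part or multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw: str) -> list[str]:
    """Return the list of phishing indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if SUBJECT_RE.match(msg.get("Subject", "")):
        findings.append("subject matches the Delta order-confirmation lure")
    if sender_domain and sender_domain not in BRAND_DOMAINS:
        findings.append(f"sender domain {sender_domain!r} is not a known brand domain")
    body = _body_text(msg)
    if not FLIGHT_DETAIL_RE.search(body):
        findings.append("body carries no flight details")
    for host in URL_HOST_RE.findall(body):
        host = host.split(":")[0].lower()
        if host not in BRAND_DOMAINS:
            findings.append(f"link points to off-brand host {host!r}")
    return findings

# Constructed sample messages (not real campaign artifacts).
SAMPLE_PHISH = """\
From: Delta Air Lines <noreply@deltaa.example>
Subject: Your order 48312 with Delta Air Lines has been confirmed!
Content-Type: text/plain

Thank you for your purchase. View your receipt: http://invoice-host.example/order/48312
"""
SAMPLE_LEGIT = """\
From: Delta Air Lines <confirmation@legitimate-airline.example>
Subject: Your trip confirmation
Content-Type: text/plain

Confirmation number: ABC123. Flight 1234 departure 10:05, passenger J. Doe.
Manage your booking: https://legitimate-airline.example/mytrips
"""
```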

To compare the two emails and see the differences for yourself, here is what a legitimate email sent by the company looks like:

More About the Delta Air Phishing Campaign

Hancitor Malware and Zloader Downloaded onto Compromised Systems

The email is obviously created to scare the user into believing that someone used their credentials and identity to buy an airline ticket. The user would typically panic and interact with the provided links, which is in fact a very bad idea. The links redirect the user to infected websites that host Microsoft Word documents containing the Hancitor malware. Hancitor is a versatile piece of malicious code which is often employed in phishing attacks.

The malware is typically used as a bridge to enable future attacks on the compromised system. This means that more malware is about to be downloaded on the computer.


Once the user downloads Hancitor via the malicious Word document, the malware is activated. As a result, legitimate system processes are infected via PowerShell code. Then the infected system is connected to one or more Command and Control servers.

Finally, additional malware of the Pony malware family is downloaded.
As we have previously written, Pony was first introduced in the cyber world years ago. The infamous information stealer has been used to spread Zeus and Necurs Trojans, as well as Cryptolocker and Cribit ransomware.

More specifically, this phishing attack uses Zloader, which is a Pony-based malware. Zloader is a banking malware targeted at victims’ bank accounts.

Milena Dimitrova


An inspired writer and content manager who has been with SensorsTechForum since the beginning. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
