Cyber security firm Comodo Threat Research Labs has discovered a new malware campaign targeting Airtel Broadband customers. It spreads mainly by email: a message carrying a fake invoice, with a subject line beginning "Re:", pretends to come from a sender at airtelbroadband.in (or from random senders) and carries a malicious zip attachment. Inside the zip is a .JS file that works as a Trojan downloader.

According to Comodo's researchers, the malware is sent to victims from spoofed and masked sender addresses at airtelbroadband.in. Attackers choose sender addresses and subject lines that will scare or entice the recipient into reading the email and opening the attachment.

The attachment looks like an ordinary zip file, but it contains an executable .JS script. Most malware still spreads via email attachments, which is no surprise, since email has been one of the most used means of communication for decades.

It takes only seconds to make an appointment, send a file, or communicate anything, whether personal or business related. But it also takes only those same few seconds to cause a lot of damage.

Airtel Broadband:

Bharti Airtel Limited is a leading global telecommunications company with operations in 20 countries across Asia and Africa. It offers 2G and 3G wireless services and mobile commerce, and has over 307 million customers across its operations.

Comodo's researchers warn that this malware puts millions of registered Airtel Broadband users, especially in India, at risk. Comodo asks users to be wary of any email whose attachment contains executable content.

Technical Malware Resources:

The body of the sample email pressures the victim into opening the attached file.

EMAIL DATA:

The email data below shows the attachment details, the sender, the subject of the mail, and the filter result from the Comodo KoruMail antispam and threat-prevention appliance. Note that the SPF result is not a pass, and that the appliance rejected the message because the .zip attachment matched a filter rule.

Received-SPF: unknown (0: domain at spf-trusted-fwd1.surgate.net does not designate permitted sender hosts)
From: Erma Cline <[email protected]>
Subject: Subscription Details
Date: Fri, 16 Dec 2016 17:29:09 +0530
MIME-Version: 1.0
Message-Id: <[email protected]>
X-SMTP-Filter: Korumail SMTP Filter Engine Korumail 6.5
X-KORUMAIL-Result: "Miscellaneous filter match"
X-KORUMAIL-Reason: attachment user6416620.zip blocked because of filter
    rule: .zip$ action: REJECT
Content-Type: multipart/related; boundary=6248592184f8b6e4eb4f6ac181b19b9e
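The header block above is what a mail gateway such as KoruMail evaluates before the message ever reaches a user. As an added example (not Comodo's or KoruMail's code), the Python below rebuilds a constructed message with the quoted headers, attaches a constructed zip containing a .js file, applies the same ".zip$" reject rule, and lists script files inside the archive without extracting anything to disk. The From address local part, the attachment contents and the script-extension list are assumptions; the real sample is not reproduced.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Gateway rule taken from the KoruMail headers above: reject any .zip attachment.
BLOCKED_ATTACHMENT_RULES = [re.compile(r"\.zip$", re.IGNORECASE)]
# Script types Windows Script Host runs on double-click (assumed list, not from the page).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}


def make_zip(inner_name: str, content: bytes) -> bytes:
    """Build an in-memory zip archive holding a single file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, content)
    return buf.getvalue()


def build_sample_message(attachment_name: str, attachment_bytes: bytes) -> bytes:
    """Constructed message using the headers quoted above.
    The From local part is a placeholder; the page does not reproduce the real one."""
    msg = EmailMessage()
    msg["From"] = "Erma Cline <sender@example.invalid>"
    msg["Subject"] = "Subscription Details"
    msg["Date"] = "Fri, 16 Dec 2016 17:29:09 +0530"
    msg["Received-SPF"] = ("unknown (0: domain at spf-trusted-fwd1.surgate.net "
                           "does not designate permitted sender hosts)")
    msg.set_content("Please find your subscription details attached.")
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


def inspect_zip(container: str, data: bytes) -> list:
    """Report script files inside a zip by reading the central directory only."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename
                ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
                if ext in SCRIPT_EXTENSIONS:
                    findings.append(f"{container} contains script {name} ({info.file_size} bytes)")
    except zipfile.BadZipFile:
        findings.append(f"{container} is not a valid zip archive")
    return findings


def triage(raw: bytes) -> dict:
    """Apply the SPF check, the attachment filter rule and zip inspection to one message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings, reject = [], False
    spf = (msg.get("Received-SPF") or "missing").split()[0].lower()
    if spf != "pass":
        findings.append(f"spf:{spf}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        for rule in BLOCKED_ATTACHMENT_RULES:
            if rule.search(name):
                findings.append(f"attachment {name} blocked because of filter rule: {rule.pattern}")
                reject = True
        if name.lower().endswith(".zip"):
            findings.extend(inspect_zip(name, part.get_payload(decode=True)))
    return {"from": str(msg["From"]), "subject": str(msg["Subject"]),
            "action": "REJECT" if reject else "DELIVER", "findings": findings}


if __name__ == "__main__":
    # Constructed attachment: a zip whose only member is a harmless placeholder .js.
    sample = build_sample_message(
        "user6416620.zip", make_zip("~_BA6I5B_~.js", b"// placeholder, not the real script\n"))
    for key, value in triage(sample).items():
        print(f"{key}: {value}")
```

The gateway rule alone is blunt (it rejects every zip), so the zip inspection is what lets a less aggressive policy still catch an archive whose only member is a script.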

Email Attached “Js” file:

Extracted Source code:

The extracted source code of the .JS file contained in the attachment.

TRAFFIC :

Executing the dropped attachment while capturing its HTTP requests reveals the download host: the script requests the URL v-english.com/gfnb3r, the malicious address used to fetch the payload.

The requested URL drops the file "gfnbr".

Facts and Findings:

  • The zip attachment contains a .js file that works as a trojan downloader when executed.
  • When the .JS (JavaScript) file runs it tries to download a malware binary. The following files are associated with the sample:
       26535-1481889541-140181.eml (7,000 bytes)
       ~_BA6I5B_~.js (70,000 bytes)
       ogZWC9ed.zk (169,000 bytes)
       rogZWC9ed (169,000 bytes)
  • However, the obfuscated JavaScript is not well written and throws an error on final execution.
  • Malicious .JS file analysis reports:


    1. SHA256 hash: 1e2db9b036dc85109e0bfadac229bfdd7a94d9cc75c91d7cf084b3e06c01ae1c
       File name: rogZWC9ed.zk (169,000 bytes)

    2. SHA256 hash: ec603e5b385baf25bcf9f766a7c294c19602c06d2d5cf63b064c0e53cefc3460
       File name: ogZWC9ed (169,000 bytes)
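The findings above describe a .JS downloader whose obfuscation breaks at the final step. A first static pass on such a file, before anything is executed, is to fold the split string literals obfuscators rely on and then look for the Windows Script Host objects a downloader needs (an HTTP client, a stream to write bytes to disk, a shell to run the result) plus any URL that appears. The Python below is an added example, not Comodo's analysis tooling; the indicator table is general knowledge about WSH downloaders, and SAMPLE_JS is a constructed, non-functional stand-in that merely splits its strings the way the real sample's obfuscation does. It is not the script from the attachment.

```python
import re

# COM objects a JScript downloader running under Windows Script Host typically needs.
# General knowledge about this malware family, not taken from the page's sample.
WSH_INDICATORS = {
    "MSXML2.XMLHTTP": "HTTP client",
    "ADODB.Stream": "write downloaded bytes to disk",
    "WScript.Shell": "run a program",
    "Scripting.FileSystemObject": "file system access",
}

# "abc" + "def": two double-quoted literals without escapes joined by '+'.
CONCAT_RE = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')
URL_RE = re.compile(r"https?://[\w.-]+(?:/[\w./-]*)?", re.IGNORECASE)

# Constructed stand-in: only string assignments, nothing is downloaded or run.
SAMPLE_JS = r'''
var h = new ActiveXObject("MSX" + "ML2.XM" + "LHTTP");
var s = new ActiveXObject("ADO" + "DB.Str" + "eam");
var u = "http://" + "downloader.example" + "/gfnb3r";
'''


def fold_concatenations(src: str) -> str:
    """Join adjacent string literals ("a" + "b" -> "ab") until nothing changes."""
    while True:
        folded = CONCAT_RE.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', src)
        if folded == src:
            return src
        src = folded


def scan_js(src: str, fold: bool = True) -> dict:
    """Static triage: report WSH indicators and URLs, with or without folding first."""
    text = fold_concatenations(src) if fold else src
    lowered = text.lower()
    indicators = {k: v for k, v in WSH_INDICATORS.items() if k.lower() in lowered}
    urls = sorted(set(URL_RE.findall(text)))
    # An HTTP client together with a URL is the core of a downloader; weight it higher.
    score = len(indicators) + (2 if urls and "MSXML2.XMLHTTP" in indicators else 0)
    return {"indicators": indicators, "urls": urls,
            "verdict": "likely downloader" if score >= 3 else "inconclusive"}


if __name__ == "__main__":
    print("without folding:", scan_js(SAMPLE_JS, fold=False))
    print("with folding:   ", scan_js(SAMPLE_JS))
```

Run unfolded, the scanner sees no indicators and no URL at all, which is exactly the effect the string splitting is meant to have on signature-based scanners; after folding, both the COM object names and the download URL are visible. Real samples also use character-code arrays, replace() chains and eval(), so this pass is a first filter rather than a full deobfuscator.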

     

Comodo suggests the following common prevention methods for malware attacks via email:

Tip 1: Don’t trust the display name
A favorite phishing tactic among cybercriminals is to spoof the display name of an email.

Here's how it works: if a fraudster wanted to spoof the hypothetical brand "My Bank", the email might show the display name "My Bank" over a sender address at an unrelated domain such as secure.com.

Since My Bank doesn't own the domain "secure.com", DMARC will not block this email on My Bank's behalf, even if My Bank has set its DMARC policy for mybank.com to reject messages that fail to authenticate: DMARC is evaluated against the domain in the header From address, which here is secure.com, not mybank.com. Once delivered, the fraudulent email appears legitimate because most inboxes show only the display name. Don't trust the display name. Check the email address in the header From; if it looks suspicious, don't open the email.

Tip 2: Look but don’t click
Hover your mouse over any link in the body of the email. If the link address looks odd, don't click it. If you want to test the link, open a new window and type the website address in directly rather than clicking the link in an unsolicited email.
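Tips 1 and 2 both come down to comparing what the user sees with what the message actually carries. As an added example (not Comodo's code), the Python below automates both checks on constructed input: it parses the header From, decides whether a display name that claims a brand sits on a domain the brand owns (and therefore whether the brand's DMARC policy is even consulted), and it walks the HTML body to flag anchors whose visible text names one host while the href points at another. The brand table, its DMARC policy and the sample message are assumptions that follow the page's "My Bank" / secure.com scenario.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical brand table: domains the brand really sends from and the DMARC
# policy it publishes for them (assumed values for the page's "My Bank" example).
BRANDS = {
    "my bank": {"domains": {"mybank.com"}, "dmarc": "reject"},
}


def check_from(header: str) -> dict:
    """Tip 1: compare the display name with the domain of the address itself."""
    display, addr = parseaddr(header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    brand = next((b for b in BRANDS if b in display.lower()), None)
    result = {"display": display, "domain": domain, "brand": brand,
              "spoofed_display_name": False, "dmarc_policy": None}
    if brand is None:
        return result
    owned = BRANDS[brand]["domains"]
    aligned = domain in owned or any(domain.endswith("." + d) for d in owned)
    # DMARC is evaluated on the header From domain. A reject policy published
    # for mybank.com is never consulted for mail whose From domain is secure.com,
    # so the receiver gets no DMARC signal about the display-name spoof.
    result["spoofed_display_name"] = not aligned
    result["dmarc_policy"] = BRANDS[brand]["dmarc"] if aligned else None
    return result


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str) -> list:
    """Tip 2: flag links whose visible text names a different host than the href."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown = None
        if "." in text and " " not in text:  # visible text looks like a URL or host name
            shown = urlparse(text if "://" in text else "http://" + text).hostname
        target = urlparse(href).hostname
        if shown and target and shown.lower() != target.lower():
            flagged.append({"text": text, "href": href,
                            "reason": "visible host differs from link target"})
    return flagged


# Constructed samples following the page's "My Bank" / secure.com scenario.
SAMPLE_FROM = "My Bank <alerts@secure.com>"
SAMPLE_HTML = ('<p>Please log in at '
               '<a href="http://secure.com/login">www.mybank.com/login</a> '
               'or <a href="https://www.mybank.com/help">contact support</a>.</p>')

if __name__ == "__main__":
    print(check_from(SAMPLE_FROM))
    print(suspicious_links(SAMPLE_HTML))
```

A link whose visible text is plain prose ("contact support") cannot be judged by host comparison, which is why the manual hover check in Tip 2 still matters; the automated check only catches the case where the text itself pretends to be a URL.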

Tip 3: Check for spelling mistakes
Brands are pretty serious about email. Legitimate messages usually do not have major spelling mistakes or poor grammar. Read your emails carefully and report anything that seems suspicious.

Tip 4: Analyze the salutation
Is the email addressed to a vague "Valued Customer"? If so, watch out: legitimate businesses will often use a personal salutation with your first and last name.

Tip 5: Don’t give up personal information
Legitimate banks and most other companies will never ask for personal credentials via email. Don’t give them up.

Tip 6: Beware of urgent or threatening language in the subject line
Invoking a sense of urgency or fear is a common phishing tactic. Beware of subject lines that claim your “account has been suspended” or your account had an “unauthorized login attempt.”

Tip 7: Review the signature
Lack of details about the signer or how you can contact a company strongly suggests a phish. Legitimate businesses always provide contact details.

Tip 8: Don’t click on attachments
Including malicious attachments that contain viruses and malware is a common phishing tactic. Malware can damage files on your computer, steal your passwords or spy on you without your knowledge. Don’t open any email attachments you weren’t expecting.

Tip 9: Don’t trust the header from email address
Fraudsters not only spoof brands in the display name, but also spoof brands in the header from email address. Return Path found that nearly 30% of more than 760,000 email threats spoofed brands somewhere in the header from email address with more than two thirds spoofing the brand in the email domain alone.

Tip 10: Don’t believe everything you see
Phishers are extremely good at what they do. Just because an email has convincing brand logos, language, and a seemingly valid email address, does not mean that it’s legitimate. Be skeptical when it comes to your email messages—if it looks even remotely suspicious, don’t open it.