A gift from ZeuS for passengers of US Airways


On 20 March, we detected a spam campaign targeting passengers of US Airways. For almost the entire week, cybercriminals were sending users the following email, purportedly from US Airways:

The email gives a brief description of the check-in procedure and provides a confirmation code for the online reservation.

The criminals are obviously banking on any recipients flying on the flight mentioned in the email clicking on the link “Online reservation details”.

Different emails contained different links — for example, we noticed the following domains:,,

After clicking the link a series of redirects eventually leads to a domain hosting BlackHole Exploit Kit.

BlackHole Exploit Kit: redirections and infection

A typical BlackHole infection routine is used to infect users’ computers.
The first port of call after clicking the link in the email is a page with the following HTML code (the script hostnames are removed):

<h1 id="wait-please">WAIT PLEASE</h1>
<h3 id="loading">Loading</h3>
<script type="text/javascript" src="<removed>/js.js"></script>
<script type="text/javascript" src="<removed>/js.js"></script>
<script type="text/javascript" src="<removed>/js.js"></script>
<script type="text/javascript" src="<removed>/js.js"></script>
<script type="text/javascript" src="<removed>/js.js"></script>
<script type="text/javascript" src="<removed>/js.js"></script>

As a result, JavaScript files are loaded into the user’s browser from several different domains. Each of these scripts contains a single command such as document.location=’’, which redirects the user to a page containing another, obfuscated, JavaScript.
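The landing-page pattern described above (the same script filename pulled from several unrelated hosts, each script being nothing but a redirect) can be checked for mechanically. This is an added example, not code from the original post; the hostnames in the sample are placeholders and the thresholds are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample modelled on the landing page above; the hostnames are
# placeholders (.invalid), not domains from the campaign.
SAMPLE_LANDING_PAGE = """
<h1 id="wait-please">WAIT PLEASE</h1>
<h3 id="loading">Loading</h3>
<script type="text/javascript" src="http://example-a.invalid/js.js"></script>
<script type="text/javascript" src="http://example-b.invalid/js.js"></script>
<script type="text/javascript" src="http://example-c.invalid/js.js"></script>
<script type="text/javascript" src="http://example-d.invalid/js.js"></script>
"""

# A script body that does nothing but redirect, as the js.js files did.
REDIRECT_ONLY_JS = re.compile(
    r"^\s*(?:window\.)?document\.location(?:\.href)?\s*=\s*['\"][^'\"]+['\"]\s*;?\s*$")

class ScriptSrcCollector(HTMLParser):
    """Collect external <script src=...> URLs from a page."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)

def blackhole_landing_score(html, min_domains=3):
    """Flag a page that pulls the same script filename from several distinct hosts."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    hosts_by_filename = {}
    for src in parser.srcs:
        url = urlparse(src)
        name = url.path.rsplit("/", 1)[-1]
        hosts_by_filename.setdefault(name, set()).add(url.netloc)
    widest = max((len(h) for h in hosts_by_filename.values()), default=0)
    return widest >= min_domains, {"script_count": len(parser.srcs),
                                   "max_hosts_same_filename": widest}

def is_redirect_only_js(body):
    """True when a fetched script consists solely of a document.location assignment."""
    return REDIRECT_ONLY_JS.match(body) is not None
```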

This script inserts links into the HTML code of the page that lead to the object carrying the exploit. So far, we have detected three types of objects: a JAR file, an SWF file and a PDF document. Each object exploits a vulnerability in the respective application (Java, Flash Player or Adobe Reader) to execute malicious code on the targeted system. If a vulnerable version of even one of those applications is in use, the attack ends in infection: the malicious executable is downloaded and run on the user’s system.

Malicious JAR, SWF and PDF documents are loaded from different domains — e.g.,, (domains info) — under the names Qai.jar, field.swf, dea86.pdf, 11591.pdf.

We detect these exploits as:

After successfully exploiting vulnerabilities, an executable file is downloaded from the same domains where the exploits are located. It can be downloaded under different names — about.exe, contacts.exe and others — and is essentially a downloader. When the downloader runs, it connects to its C&C at the URL “”, and downloads and runs another malicious program – ZeuS/ZBot or, to be more precise, a modification of one of the development branches of that Trojan known as ‘GameOver’ – on the user’s system.

ZeuS is downloaded from hacked sites such as:


At all the stages of this attack, every object — domains, links to javascripts, files with exploits, the downloader and ZeuS — was frequently replaced with a new one. The domains remained “alive” for nearly 12 hours, while the ZeuS samples were replaced more often.

During the short periods of time (a few hours over several days) that I was monitoring what files were being downloaded, I managed to detect 6 modifications of the downloader and 3 modifications of ZeuS.

To recap, a modification includes all the samples that are detected with the same verdict, hence the number of detected programs is usually bigger than the number of verdicts.

Downloader verdicts:

Total number of programs detected with these verdicts: 250.

ZeuS verdicts:

Total number of samples detected with these verdicts: 127.

As I have already mentioned, these were only the verdicts I managed to record. There were undoubtedly more modifications throughout the course of this particular spam campaign.

Botnet identifiers

It wasn’t just the ZeuS wrapper that was being changed (packer, anti-emulation); the malicious program itself was being recompiled. ZeuS contains a hardcoded botnet ID string and a set of IP addresses which the malicious program tries to connect to following infection. That data was modified over time as well. Judging by the numbers of detected and analyzed samples, ZeuS appears to have been recompiled at every second repacking.

Having analyzed 48 versions of the different modifications of ZeuS that were used by the cybercriminals in this attack, I discovered 19 unique botnet identifiers:

chinz22 chinz24 blk25

mmz22 mmz24 mmz25
molotz25 NR22 NR23 NR24 NR25 ppcz22
ppcz23 ppcz24 rnato25 rubz22 rubz23 rubz24

In contrast to the conventional ZeuS program, which usually contains a single URL for downloading a configuration file, each sample of GameOver has 20 hardcoded IP addresses with ports. Having infected the victim’s computer, GameOver tries to establish a connection to those addresses in order to announce itself to the botnet, retrieve information (e.g. web injects) and send data stolen from the victim.

Of the 960 IP addresses contained in the 48 analyzed samples, just 157 of them are unique:
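Consolidating the hardcoded peer lists across many samples, as done above (960 entries, 157 unique), is a routine step when turning such samples into a blocklist. The block below is an added example, not the original post’s code: the sample string dumps are constructed, use documentation address ranges, and carry five peers each rather than twenty.

```python
import re
import ipaddress
from collections import Counter

# Constructed string dumps standing in for three GameOver samples (5 peers each
# instead of 20); the addresses are documentation ranges, not real peers.
SAMPLE_STRINGS = {
    "sample_1": "bot_id=chinz22\n192.0.2.10:8080\n192.0.2.11:443\n"
                "198.51.100.5:12345\n203.0.113.7:80\n192.0.2.12:8080\n",
    "sample_2": "bot_id=mmz22\n192.0.2.10:8080\n198.51.100.5:12345\n"
                "203.0.113.8:80\n203.0.113.9:9999\n999.1.1.1:80\n",
    "sample_3": "bot_id=rubz24\n192.0.2.11:443\n192.0.2.10:8080\n"
                "203.0.113.7:80\n198.51.100.6:1000\n10.0.0.1:80\n",
}

IP_PORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")
# Only RFC 1918 and loopback are rejected here so that the documentation
# ranges used in the constructed sample still pass.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def extract_peers(text):
    """Return the set of (ip, port) pairs that could plausibly be Internet peers."""
    peers = set()
    for ip_str, port_str in IP_PORT_RE.findall(text):
        try:
            ip = ipaddress.IPv4Address(ip_str)
        except ipaddress.AddressValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
        port = int(port_str)
        if not 0 < port <= 65535 or any(ip in net for net in NON_ROUTABLE):
            continue
        peers.add((str(ip), port))
    return peers

def consolidate(samples):
    """Aggregate peers over all samples: total entries, unique peers, and how
    many samples each peer appears in (most widely shared first)."""
    per_sample = {sid: extract_peers(text) for sid, text in samples.items()}
    freq = Counter(peer for peers in per_sample.values() for peer in peers)
    total = sum(len(peers) for peers in per_sample.values())
    return {"total": total, "unique": len(freq), "ranked": freq.most_common()}
```

Peers that recur across many samples are the most stable indicators; those seen once are likely to have been rotated already.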

Attack geography

I presume that during this time spam emails with links to confirm US Airways flight reservations were not the only method used to spread ZeuS. Cybercriminals are nothing if not original. And even though this is not the first time they’ve used a flight-related trick, it’s the first time this particular kind of spam has been detected. If the recipients belong to a target audience, they are much more likely to click on a malicious link in an email. However, the majority of users who received these emails were not flying anywhere that day, which is why very few fell for the scam.

Obviously, during the period under review other spam emails were also being sent with links that led to the same sites, the same exploits and the same malicious executable files mentioned above. I took a look at where the threats related in one way or another to this attack were detected on our users’ computers. Below is a geographical breakdown of the detected exploits, downloaders and ZeuS modifications used by the cybercriminals in this attack:

Russia 32.8%
USA 10.3%
Italy 9.2%
Germany 8.6%
India 6.9%
France 3.8%
Ukraine 3.6%
Poland 3.2%
Brazil 3.1%
Malaysia 3%
Spain 2.9%
China 2.7%

P.S. Here’s some information about the domains being used in the spam campaign described above
(it’s not the first time these registration details have been used to register other domains that participate in propagating malicious software via spam):
Registrant: Nicholas Guzzardi,
5536 Gold Rush Dr.NW
87120 Albuquerque
United States
Tel: +1.5053505497
Registrant: Renee Fabian,
2840 Center Port Circle
Pompano Beach, FL 33064
Registrant: Renee Fabian,
2840 Center Port Circle
Pompano Beach, FL 33064

Below is an excerpt of the MD5 hashes of the files detected as Exploit.JS.Pdfka.fof:
892693dbc749510fe530269d707fdb34 2D13BCEF58B8E29C52AF1D29F2E81544 0c341dab17d221b19d707254097bd9c0

Downloader ZeuS
