The message's RAR attachment contains an executable file: the malware itself. Stolen data is exfiltrated via SMTP.
Technical analysis by the Malware Hunter JAMESWT
The MH370 tragedy is the lure for a new cybercrime scam campaign. A fake vice chairman of a Turkish bank, managing the assets of a man killed in the Malaysia Airlines flight crash, offers to split them with the potential victim.
Cybercriminals have used the Malaysia Airlines flight 370 tragedy for a new scam campaign. The victims receive an email from a supposed vice chairman of the Audit Committee of Turkey's Ziraat Bank.
Inside there is a clear reference to the MH370/MAS370 crash and the death of a Chinese businessman along with his family. The author added the passenger list to strengthen the trap.
He offers to divide the passenger's assets, held by the bank, by 50% and asks for the user's full cooperation to complete the operation. The real goal is only to gain the target's trust and then steal sensitive information such as the bank account number and, sometimes, obtain advance payments, which will never be refunded. Usually, the specialists in this kind of scam are African groups (Nigerians in particular, but not only).