Latest Boeing 737 accidents used to spread malware via email spam

Hackers are persuading users to open a malicious file that allegedly contains information about the two recent Boeing 737 MAX 8 crashes

Latest Boeing 737 accidents used to spread malware via email spamHackers are delivering fake emails regarding the Boeing 737 MAX 8 accidents to distribute malware

Computer security specialists from the 360 Threat Intelligence Center have recently discovered a malware string which is being distributed by false email messages.[1] According to researchers, bad actors trying to convince users that the malicious attachment contains information about the compromise of other Boeing 737 MAX 8 planes used by other carriers.[2]

The rogue messages are coming from an email address and provide details about the Boeing 737 MAX 8 crash which happened just recently, when an airplane of Ethiopian Airlines took-off from Addis Ababa and suddenly crashed, resulting in deaths of 157 people.[3]

Additionally, crooks also describe another accident involving the same aircraft operated by Lion Air which occurred on 29 October 2018. Flight 610 was scheduled to fly from Soekarno–Hatta International Airport in Jakarta to Depati Amir Airport in Pangkal Pinang but crashed 12 minutes after take-off, killing all 189 passengers and crew on board.

While aircraft accidents are rare, they usually result in devastating consequences, so the investigations of such cases are significant not only for the families of the deceased but also investigators who consequently improve the security of the aviation for other passengers.

Due to the destructive nature of the events involving the same aircraft, there is a lot of controversies surrounding it. It is evident that cybercriminals are keen on abusing the sad occasion by distributing malware in malicious email attachments.

The JAR attachment that comes with the email message installs multiple payloads of RATs and data-stealers

Specialists from 360 Threat Intelligence Center have noted that the malicious message comes under the subject line “Fwd: Airlines plane crash Boeing 737 Max 8” and contains an attachment MP4_142019.jar.[4] If the user decides to open the malicious file, will be opened by JAVA and execute Houdini H-worm Remote Access Trojan, H-Worm RAT, and Adwind info-stealer. Antivirus programs such as AVG and Avast find the attached file as Java:Malware-gen [Trj].[5]

The email author pretends to be a “private analyst” that leaked the information about the alleged aircraft compromise on the dark web. The details of the message are as follows:

I believe you have heard about the latest crash Boeing 737 MAX 8 which happen on sunday 10 march 2019, All passengers and crew were killed in the accident
Ethiopian Airlines Flight ET302 from Addis Ababa, Ethiopia, to Nairobi, Kenya, crashed shortly after takeoff
The dead were of 35 different nationalities, including eight Americans.
On 29 October 2018, the Boeing 737 MAX 8 operating the route crashed into the Java Sea 12 minutes after takeoff.
All 189 passengers and crew were killed in the accident.
note: there was a leak information from Darkweb which listed all the airline companies that will go down soon.
kindly notify your love ones about the informations on these file.
Joshua Berlinger
private inteligent analyst

A closer look might help to identify the fakery of the email message

If you are a meticulous and/or more-experienced user, you might find some differences between original emails that are sent by renown companies and their authorities, and the questionable ones, which often hint you to open attachments or click on cleverly-disguised hyperlinks.[6]

In this particular phishing email, it is easy to spot the mistakes:

  • “sunday” is not written with a capital “S”
  • “inteligent” instead of “intelligent”
  • “Love ones” instead “Loved ones”, etc.

All users should be cautious if they receive such messages, and broken spelling or grammar are the first signs of deception. Note that reputable, legitimate emails would not contain these mistakes and, in case the message is coming from a legitimate company, would include your real name in it. If you are not concerned about whether or not the message is real, you can contact the organization first (not by hitting “Reply” but finding contact details on the official website).

Additionally, phishing emails often contain attachments that come in various formats, including .doc, .js, .html, .txt, .pdf, and others DO NOT open them before making sure that the email is not fake. In general, always scan any type of files before opening them.

About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

Olivia Morelli is News Editor at She covers topics such as computer protection, latest malware trends, software vulnerabilities, data breaches, and more.

Contact Olivia Morelli
About the company Esolutions