New spam delivers fake booking.com hotel reservations

Now is tourist season when lots of people are using online services to book hotels or flights. The Websense® ThreatSeeker® Network has detected spammers who are using fake booking.com email addresses to send hotel reservation confirmations with malware to unsuspecting users. 

Here's what the spam email looks like:

 

The sample email consists of a fake confirmation letter from "booking.com," which includes random arrival and departure dates and some other information. Attached to it is a .zip file:

 

 

Decompressing the .zip file exposes a malicious executable file, Hotel-Electronic-Reservation.exe. If users click on the file to run it, malware is installed. The Websense ThreatScope Analysis Report shows the specific behavior of this malware: 

When running, the malware tries to connect to the internet to download other malware files.

 

It also drop files into special folders and runs them automatically:

Websense customers are protected proactively against this compromise by ACE, our Advanced Classification Engine. Our real-time analytics also proactively identify several variants of this threat, and with the ThreatSeeker Network, we receive feedback in our email solutions that blocks messages containing these URLs and malicious files.