Phishing and malware attacks are among the more democratic and populist threats on the Internet. You don’t have to stand in the crowd in order to be targeted; the attackers will get to you sooner or later. But while most malware campaigns are aimed at the masses, attackers often save their best stuff for high-value targets, as a recent campaign targeting American journalists and activists from the EFF shows.
The EFF is well known for its advocacy of privacy, digital rights, human rights and security, and its staffers often write extensively about abuses, especially in countries such as Syria, Iran, Vietnam, China and Egypt. In late December, two EFF employees received an email purporting to be from someone at Oxfam, the global anti-poverty and human rights organization. The email contained a couple of links that supposedly would let the recipients download information about the “Asia Conference” the message was pitching. But the links were hosted on Google Drive rather than on an Oxfam site, which raised the EFF’s suspicions right away.
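The mismatch that tipped off the EFF, links hosted somewhere other than the sender's own domain, is something a mail gateway or an analyst can check mechanically. The script below is an added illustration, not code from the EFF analysis or the article: it parses a constructed sample message (the sender domain example-ngo.org, the recipient address and the link IDs are placeholders), extracts every URL in the body and reports those whose registrable domain differs from the domain of the From: address. The registrable-domain helper is deliberately simple (last two labels) and is an assumption of the example; production code would use a public-suffix list.

```python
"""Flag links in an e-mail whose host does not belong to the sender's domain.

Added example, not part of the EFF analysis or the article. The message
below is constructed for the example and does not reproduce the real lure.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message: the sender claims to be at an NGO, but the
# download links point at a file-sharing host (the pattern the article
# describes). All addresses and IDs here are placeholders.
SAMPLE_EMAIL = """\
From: Events Team <events@example-ngo.org>
To: staff@example-org.org
Subject: Invitation: Asia Conference
Content-Type: text/plain; charset=utf-8

Please find the agenda at https://drive.google.com/file/d/EXAMPLE_ID/view
and the registration form at https://docs.google.com/forms/d/EXAMPLE_FORM
Further details: https://www.example-ngo.org/events/asia-conference
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Crude registrable-domain extraction: the last two DNS labels.

    Assumption for the example: no public-suffix list is consulted, so hosts
    under multi-part suffixes such as .co.uk are not handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_domain(msg) -> str:
    """Registrable domain of the From: address, i.e. the claimed sender."""
    addr = parseaddr(msg["From"])[1]
    return registrable_domain(addr.rsplit("@", 1)[-1])


def extract_urls(msg) -> list:
    """All http(s) URLs in the preferred text body of the message."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return URL_RE.findall(body.get_content()) if body is not None else []


def mismatched_links(raw: str) -> list:
    """Return the URLs whose host lies outside the sender's registrable domain."""
    msg = message_from_string(raw, policy=policy.default)
    claimed = sender_domain(msg)
    flagged = []
    for url in extract_urls(msg):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) != claimed:
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    for url in mismatched_links(SAMPLE_EMAIL):
        print("link host does not match sender domain:", url)
```

On the sample message the two Google Drive/Docs links are reported and the one link under the sender's own domain is not. A mismatch is a signal for review, not proof of phishing: many organizations legitimately share files through third-party hosts, so this check belongs alongside sender authentication (SPF/DKIM/DMARC) rather than in place of it.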
“This targeting is especially interesting because it demonstrates some understanding of what motivates activists. Just as journalists are tempted to open documents promising tales of scandal, and Syrian opposition supporters are tempted to open documents pertaining to abuses by the Assad regime, human rights activists are interested in invitations to conferences. For greater verisimilitude, the attacker should have included an offer to pay for flights and hotels,” Eva Galperin and Morgan Marquis-Boire wrote in an analysis of the malware.
The messages also contained two attachments, which were actually the same file. The same malware was sent to a reporter at the Associated Press, this time disguised as a white paper on human rights. The link in the email to the AP reporter downloaded an HTML application containing a Word document and an executable. The executable installs a long list of other files on an infected machine and makes changes to the registry that allow the malware to survive reboots.
Another file is written into the process space of explorer.exe, which enables the malware to communicate with a remote server over port 443. The C&C server has been associated with previous malware campaigns from Vietnam, the analysis says, and the malware bears some resemblance to that used in earlier attacks against Vietnamese bloggers.
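The behaviours described above (an HTML application that drops an executable, registry changes for reboot persistence, and code in explorer.exe talking to a remote host on port 443) are each visible in ordinary endpoint telemetry. The hunt below is an added example, not part of the EFF analysis or the article: it runs three behavioural rules over constructed Sysmon-style event records and reports hosts where more than one rule fires. The event schema, the file names, the registry value name and the destination addresses (taken from the documentation ranges) are all assumptions of the example, not indicators from the real campaign.

```python
"""Correlate the behaviours the article describes in endpoint telemetry.

Added example, not part of the EFF analysis or the article. Events are
constructed records in a Sysmon-like shape; field names, paths, registry
value names and IP addresses are assumptions for the example.
"""
import ipaddress

# Constructed sample telemetry for one host (not real campaign data).
SAMPLE_EVENTS = [
    # Mail client opens the downloaded HTML application.
    {"type": "process", "host": "ws01", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
     "cmdline": r'mshta.exe "C:\Users\a\Downloads\whitepaper.hta"'},
    # The HTA spawns an executable it dropped into Temp.
    {"type": "process", "host": "ws01", "image": r"C:\Users\a\AppData\Local\Temp\update.exe",
     "parent": r"C:\Windows\System32\mshta.exe", "cmdline": "update.exe"},
    # The executable registers itself to run at logon.
    {"type": "registry", "host": "ws01", "image": r"C:\Users\a\AppData\Local\Temp\update.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "value": r"C:\Users\a\AppData\Local\Temp\update.exe"},
    # explorer.exe (with injected code) talks to an external host on 443.
    {"type": "network", "host": "ws01", "image": r"C:\Windows\explorer.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
    # Benign noise: a browser talking to a public address on 443.
    {"type": "network", "host": "ws01", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "198.51.100.5", "dst_port": 443},
]

RUN_KEY_MARKERS = ("\\currentversion\\run", "\\currentversion\\runonce")

# "External" here means outside RFC 1918, loopback and link-local space; the
# documentation ranges used in the sample therefore count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def rule_hta_spawns_executable(ev: dict) -> bool:
    """A process whose parent is mshta.exe: an HTML application launched a binary."""
    return ev["type"] == "process" and basename(ev.get("parent", "")) == "mshta.exe"


def rule_run_key_persistence(ev: dict) -> bool:
    """A write under a Run/RunOnce key: persistence across reboots."""
    return ev["type"] == "registry" and any(m in ev["key"].lower() for m in RUN_KEY_MARKERS)


def rule_explorer_outbound_443(ev: dict) -> bool:
    """explorer.exe connecting to an external address on 443."""
    return (ev["type"] == "network" and basename(ev["image"]) == "explorer.exe"
            and ev["dst_port"] == 443 and is_external(ev["dst_ip"]))


RULES = {
    "hta_spawns_executable": rule_hta_spawns_executable,
    "run_key_persistence": rule_run_key_persistence,
    "explorer_outbound_443": rule_explorer_outbound_443,
}


def hunt(events: list, min_rules: int = 2) -> dict:
    """Group rule hits per host and report hosts where at least min_rules fired.

    Returns {host: {rule_name: [matching events]}}.
    """
    hits = {}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(ev["host"], {}).setdefault(name, []).append(ev)
    return {host: rules for host, rules in hits.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    for host, rules in hunt(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(sorted(rules)))
```

The network rule on its own is a weak signal, since explorer.exe does make legitimate outbound connections; the point of requiring several rules to fire on the same host is that the HTA-to-executable chain, the Run key write and the explorer.exe beacon together describe the infection sequence the analysis lays out, while any one of them alone is common enough to drown an analyst in noise.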
“The group behind these attacks appears to have been operating since late 2009, and has been very active in the targeting of Vietnamese dissidents, people writing on Vietnam, and the Vietnamese diaspora. This appears to be the work of a group commonly known as ‘Sinh Tử Lệnh’ and while it has been anecdotally claimed to be the work of Chinese actors, it seems to be more likely the work of Vietnamese targeting Vietnamese,” the analysis says.
The tack taken by these attacks is similar to ones used in campaigns against dissidents and activists in other countries over the course of the last few years. Journalists, bloggers and others in Syria, Tibet, China and elsewhere have been targeted with campaigns that involve highly targeted social engineering techniques and rigged documents designed to install malware on victims’ machines. Some of these attacks have been tied to government groups in those countries as they attempt to keep tabs on opposition voices.