Attackers have once again seized on the disappearance of Malaysia Airlines Flight MH370 as bait for malicious campaigns. A little over two weeks ago, a viral Facebook malware campaign claimed the flight had been found. The lures have now escalated to spear phishing against governments: officials in the U.S. and the Asia-Pacific region were sent infected documents posing as reports on the missing aircraft.
Security firm FireEye published a research report on a series of spear phishing emails carrying either infected attachments or links to malicious websites. “The first spear phish from group ‘Admin@338’ was sent to a foreign government in the Asian Pacific region”, FireEye reported, just two days after flight MH370 disappeared. The China-based group, tracked as admin@338, has targeted financial institutions in past campaigns. The email carried an attachment titled “Malaysian Airlines MH370.doc” (MD5: 9c43a26fe4538a373b7f5921055ddeae).
Users who opened the malicious attachment saw only a blank document. While the decoy was displayed, a variant of the Poison Ivy Trojan was installed and opened a backdoor to www[dot]verizion[dot]proxydns[dot]com, a look-alike of a Verizon hostname. FireEye noted that both Poison Ivy and that same domain had been used in the group’s earlier attacks.
Poison Ivy is “a remote access Trojan that allows attackers to not only set up backdoor communication with infected machines, but push additional malicious code, steal documents and system information, and pivot internally,” Threatpost reported.
FireEye also observed a second attack by admin@338 on March 14, this one targeting a “U.S.-based think tank”. The attachment was an executable given a Flash video icon so that it would pass for a video clip about the missing plane; the ‘video’ was simply another malware-laced file.
“This version of Poison Ivy connected to its command and control at dpmc[dot]dynssl[dot]com:443 and www[dot]dpmc[dot]dynssl[dot]com:80,” FireEye said, adding that the phony Verizon domain used in the first attack also resolved to an IP used by this attack as well, Threatpost reported.
admin@338 is not the only group abusing news of the missing flight. Other attackers have targeted institutions with malware disguised as PDF files. One lure cloned a CNN story and was named “Search for MH370 continues as report says FBI agents on way to offer assistance.pdf .exe”, a double extension intended to make an executable pass for a PDF. Others have sent .DOC files that exploit CVE-2012-0158, a long-patched buffer overflow in the Windows Common Controls (MSCOMCTL) ActiveX control that was still widely used in malicious Office documents.
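The indicators quoted above (the attachment hash, the two command-and-control domains, and the double-extension filename trick) are exactly the kind of thing a mail gateway or triage script should flag. The following is an added example written for this page, not code from FireEye or Threatpost: it refangs the defanged domains as the article prints them, then scans a few constructed attachment records (the filenames and hosts are taken from the article; the MD5 values other than the one FireEye published and the record format are made up for illustration).

```python
import re

# Indicators as printed in the article, in defanged form; refang() restores them.
DEFANGED_DOMAINS = [
    "www[dot]verizion[dot]proxydns[dot]com",
    "dpmc[dot]dynssl[.]com",
    "www[dot]dpmc[dot]dynssl[dot]com",
]
# MD5 of "Malaysian Airlines MH370.doc" as published by FireEye.
KNOWN_BAD_MD5 = {"9c43a26fe4538a373b7f5921055ddeae"}

# Extensions Windows will execute even when an earlier "decoy" extension
# (.pdf, .doc, .flv, ...) makes the name look like a document or video.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}


def refang(ioc):
    """Turn '[dot]' / '[.]' / 'hxxp://' style defanging back into a plain string."""
    ioc = ioc.strip().lower()
    ioc = re.sub(r"\[(?:dot|\.)\]", ".", ioc)
    ioc = re.sub(r"^(?:hxxps?|https?)://", "", ioc)
    return ioc


BAD_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def normalize_host(host):
    """Refang, drop any :port suffix and trailing dot, so hosts compare cleanly."""
    return refang(host).split(":")[0].rstrip(".")


def is_known_c2(host):
    """True if host is one of the reported C2 domains or a subdomain of one."""
    h = normalize_host(host)
    return any(h == d or h.endswith("." + d) for d in BAD_DOMAINS)


def deceptive_extension(filename):
    """Return (decoy_ext, real_ext) when an executable hides behind a document-
    looking extension, e.g. 'report.pdf .exe' or 'clip.flv.exe'; else None.
    The \\s* tolerates the spaces attackers pad between the two extensions."""
    m = re.match(r".*\.([a-z0-9]{1,5})\s*\.([a-z0-9]{1,5})$", filename.lower().strip())
    if not m:
        return None
    decoy, real = m.group(1), m.group(2)
    if real in EXECUTABLE_EXTENSIONS and decoy not in EXECUTABLE_EXTENSIONS:
        return decoy, real
    return None


def scan_attachment(record):
    """Return a list of findings for one attachment record (hypothetical format:
    {'filename': str, 'md5': str, 'connections': [host, ...]})."""
    findings = []
    if record.get("md5", "").lower() in KNOWN_BAD_MD5:
        findings.append("known-bad-md5")
    ext = deceptive_extension(record.get("filename", ""))
    if ext:
        findings.append("double-extension:%s->%s" % ext)
    for host in record.get("connections", []):
        if is_known_c2(host):
            findings.append("c2-domain:" + normalize_host(host))
    return findings


# Constructed sample records: filenames and hosts from the article, the other
# hashes are placeholders (the real samples' hashes were not published here).
SAMPLE_ATTACHMENTS = [
    {"filename": "Malaysian Airlines MH370.doc",
     "md5": "9c43a26fe4538a373b7f5921055ddeae",
     "connections": ["www.verizion.proxydns.com"]},
    {"filename": "Search for MH370 continues as report says FBI agents on way to offer assistance.pdf .exe",
     "md5": "11111111111111111111111111111111", "connections": []},
    {"filename": "MH370 video.flv.exe",
     "md5": "22222222222222222222222222222222",
     "connections": ["dpmc[dot]dynssl[.]com:443"]},
    {"filename": "quarterly_report.pdf",
     "md5": "33333333333333333333333333333333",
     "connections": ["www.example.com"]},
]


def scan_all(records=SAMPLE_ATTACHMENTS):
    """Map each filename to its findings; empty list means nothing matched."""
    return {r["filename"]: scan_attachment(r) for r in records}


if __name__ == "__main__":
    for name, findings in scan_all().items():
        print("%-60.60s %s" % (name, ", ".join(findings) or "clean"))
```

The hash check only catches the exact published sample, which is why the domain and filename heuristics matter: the second and third records carry no known hash but are still flagged by the double extension and the C2 host. The subdomain match in is_known_c2 is deliberate, since the two reported dynssl.com hosts differ only by a www prefix.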
Attackers clearly intend to keep riding the headlines, and this time the target of their spear phishing is governments.