A researcher of Norwegian security firm Norman has recently come across and analyzed a peculiar malware sample that was likely aimed at compromising computers of employees of AREVA, a French conglomerate specializing in various energy sectors.
“Samples we receive are routinely sent to automatic processing in our in-house Malware Analyzer G2 systems. I often sift through these looking for interesting details. One of the things I keep looking for is whether the sample displays information to the user,” explains the researcher.
“Normal malware usually tries to be invisible. Targeted malware, on the other hand, usually arrives with a message (typically email), and so needs to pretend to have something to say.”
This particular malware caught his eye because apart from the Dark Comet RAT, it also included a PDF file of a scanned printout of an internal email from AREVA-NC in La Hague in Normandy, an iTunes library file and ten images of unknown individuals in a family context.
But this is not the only peculiarity that distinguishes this attack from others. There is also the fact that even if the social engineering attempt was successful and the recipients downloaded the malware, it wouldn’t work as the trojan doesn’t automatically run and is misconfigured.
The researcher offered his opinion on likely attack scenarios tied to this sample, saying that it could be a test build, a botched real attack or even an attempt to confuse researchers.
“There is another theory, which I have to consider but don’t know whether to laugh or cry over,” says the researcher. “It is possible that the attacker has by accident included not only his ‘attack files’ – the AREVA PDF and the failed DarkComet – but somehow managed to include other files. Like for example a whole folder which may have contained his own family pictures.”