For the first time since the organisation’s inception, the Electronic Frontier Foundation’s staffers have been hit with a targeted malware attack by what appear to be state-aligned actors.
The international digital rights group believes that the attack was mounted by hackers employed by the Vietnamese government, which has a well-documented tendency to target political dissenters, journalists and bloggers with spying and DDoS malware.
The email EFF staffers received was supposedly sent by one Andrew Oxfam, and ostensibly contains an invitation to a conference in Asia. The email also includes two links that, at first glance, lead to Oxfam’s official site, and two HTML Application (.hta) attachments.
“This targeting is especially interesting because it demonstrates some understanding of what motivates activists. Just as journalists are tempted to open documents promising tales of scandal, and Syrian opposition supporters are tempted to open documents pertaining to abuses by the Assad regime, human rights activists are interested in invitations to conferences,” noted EFF’s Eva Galperin and Morgan Marquis-Boire.
Both links actually lead to malware hosted on Google Drive, and both attachments are also malicious: the files are designed to exploit vulnerabilities in the targets’ software and download a persistent backdoor Trojan. The bad news is that only one of the AV engines used by VirusTotal flagged these files as malicious at the time.
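The two tricks described above, link text that displays one domain while the href points somewhere else, and an executable HTML Application (.hta) attachment, are both cheap to check for at a mail gateway or in a triage script. The following is an added example, not code from the article or from EFF: it builds a constructed sample message of the same shape (the sender, URLs and attachment bytes are placeholders) and flags both indicators. The domain comparison uses a crude last-two-labels rule rather than a public suffix list, so it is an assumption that this is good enough for your mail flow.

```python
import email
import os
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment extensions that execute script or native code on open.
RISKY_EXTENSIONS = {".hta", ".exe", ".js", ".scr", ".vbs"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Crude approximation: last two labels (no public suffix list).
    return ".".join(host.lower().split(".")[-2:])


def visible_domain(text):
    """Domain a reader sees in link text like 'www.oxfam.org/events', or None."""
    candidate = text.strip()
    if not candidate or " " in candidate:
        return None
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = urlparse(candidate).hostname or ""
    return registrable_domain(host) if "." in host else None


def triage(raw_bytes):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown = visible_domain(text)
            actual = registrable_domain(urlparse(href).hostname or "")
            if shown and shown != actual:
                findings.append(f"link text shows {shown} but points to {actual}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name.lower())[1]
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment {name} ({ext})")
    return findings


def build_sample():
    """Constructed lure in the shape the article describes; all values are placeholders."""
    msg = EmailMessage()
    msg["From"] = "Andrew Oxfam <andrew@example.invalid>"
    msg["To"] = "staffer@example.invalid"
    msg["Subject"] = "Invitation: human rights conference in Asia"
    msg.set_content("Please see the attached invitation.")
    msg.add_alternative(
        '<p>Details: <a href="https://drive.google.com/uc?id=EXAMPLE">www.oxfam.org/events</a></p>'
        '<p>Registration: <a href="https://www.oxfam.org/">www.oxfam.org</a></p>',
        subtype="html",
    )
    msg.add_attachment(
        b"<html><script>/* constructed placeholder, not the real payload */</script></html>",
        maintype="application",
        subtype="hta",
        filename="Conference_Invitation.hta",
    )
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

Only the first link is flagged: its visible text names oxfam.org while the href resolves to google.com, which is exactly the "at first glance" mismatch in the lure. The second link is consistent and passes. The .hta attachment is flagged on extension alone, which is the right default for an activist-facing mailbox, since an HTML Application runs with full user privileges the moment it is opened.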
It’s interesting to note that the same malicious file has also been sent to an Associated Press reporter via a different targeted email, and earlier this year to a Vietnamese pro-democracy blogger living in California (her computer ended up being compromised).
The malware phones home to a C&C server previously associated with Vietnam-affiliated malware.
“The group behind these attacks appears to have been operating since late 2009, and has been very active in the targeting of Vietnamese dissidents, people writing on Vietnam, and the Vietnamese diaspora,” the EFF noted.