Mass Malware Attack – Ransomware, Screenlockers, RATs, Attack & Gain Backdoor Access in Organization Networks

Researchers discovered a mass malware distribution campaign that utilized well-known political figures in the U.S. including President Donald Trump, and former presidential candidate Hillary Clinton with a series of ransomware, screen lockers, RATs, and other malicious applications.

A variety of malicious applications were uncovered with this campaign, and it was developed to infect the victims with ransomware and implant a backdoor in organization networks with political motivation.

Researchers believe that the malware authors are motivated by their political beliefs and turned to malware distribution in different forms.

Malware Infection Process

Initially, attackers deliver the malware via malspam email campaigns with fake body content related to banking fraud alerts, and it comes from the director of Global Risk for credit card company Visa.

The malspam emails come with a malicious attachment that contains RTF files, once it is opened, RTF documents retrieve a malicious PE32 executable from an attacker-controlled server using Dynamic Data Exchange (DDE).

The process of the infection starts when PE32 gets executed, and the malware authors developed a list of various names, terminology, and iconography that has generated headlines across the political spectrum.

There are several malware samples were uncovered, analyzed by researchers, and samples have been obtained from various malware repositories.

Fake Ransomware and Screen lockers

Several samples are used to infect the target that posed as an iconography related to well-known political figures such as Donald Trump with fake ransomware and screen lockers that don’t encrypt any files.

It tricks victims to believes that their system infected with ransomware is tricked into paying a ransom demand in an attempt to regain access to their data.

In another Donald Trump theme locker, it asks victims to take explicit action, and when they click on it, suddenly get a lock screen. if the victims click the button again, then the background will keep on changing.

RAT – Remote Access Trojan

Researchers also uncovered another politically-themed RAT campaign that delivered a Neshta and NJRAT that utilized a theme and unusual decoy images that were named “Papa-Putin[.]exe.” to deliver the payload to the victim’s machine.

According to Talo’s research, Finally, we came across a RAT that was being delivered via a Word document titled “12 things Trump should know about North Korea.doc.” At first, the document appeared to not function properly, as it took several minutes for the document to open on an analysis system.

Researchers found that this campaign also used malicious Excel spreadsheets as lure documents that contain an embedded SWF file that was developed to infect the victims with ROKRAT.

Crypters/Packers

This mass campaign also pushes Crypter with iconography with the name of “Trump Crypter” which helps to evade antivirus detection by encrypting the malicious code associated with malware binaries.

Apart from this malware, researchers also found a large number of “random” politically-related software applications.

The odd piece of software found in this campaign, called “Trump’s Cyber Security Firewall ™,” appeared to be focused on hardening Windows systems in a politically motivated way.

The app has the ability to enable debugging and remote desktop access. “There didn’t appear to be any malicious intent in the design of this app, instead it appears to be an application written to allow system administrators to complete some tasks they typically would encounter on a frequent basis when managing Windows endpoints”

“One of the unexpected aspects of the investigation was the presence of lures that dropped malware associated with multiple nation-state attacks in the past. ” Talos said.