Fake EFF Website Found Targeting Users with Espionage Malware

A website domain has been discovered by Google’s cyber-security team to be impersonating the Electronic Frontier Foundation (EFF).

Registered on August 4, 2015, electronicfrontierfoundation.org has since been targeting unknown victims with a spear phishing attack and spreading malware into their systems.

Unfortunately, the domain appears to be a small part of a targeted malware campaign, dubbed ‘Pawn Storm’ by Trend Micro in its October 2014 report (pdf). Although the campaign gained ground only just over a month ago, the team behind it has been active since 2007 and is suspected to have strong ties with the Russian government.

The malware is delivered to unsuspecting victims by exploiting a new Java vulnerability, the first zero-day in almost two years. A spear phishing email redirects the victim to a specific sub-page on the domain, which then loads a malicious Java applet to exploit the bug and retrieve the payload. After the attack is complete, the sub-page is disabled to prevent cyber-security officials from tracing its source.

The sub-page follows this pattern:

http://electronicfrontierfoundation (dot) org/url/{6_random_digits}/Go.class

Go.class bootstraps and executes App.class, which contains the malicious code. By exploiting the Java bug, App.class drops a second-stage executable binary (Cormac.mcr) in the victim’s root directory. Notably, the binary can also run on Mac or Linux based systems, owing to its compatibility with *nix environments.
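The delivery chain described above gives a defender two concrete things to look for in web proxy logs: requests to the impersonating domain at all, and requests for a Java class under the /url/{6 digits}/ sub-page. The following is an added example (not code from the article, Google or Trend Micro) that scans constructed proxy log lines for both indicators and also flags other hosts that borrow the "electronicfrontier" brand string without being eff.org. The log format, the sample lines and the assumption that App.class is fetched from the same sub-page as Go.class are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the article: the impersonating domain and the
# sub-page pattern /url/<six random digits>/Go.class. App.class being
# served from the same directory is an assumption made for this example.
MALICIOUS_DOMAIN = "electronicfrontierfoundation.org"
APPLET_PATH_RE = re.compile(r"^/url/\d{6}/(?:Go|App)\.class$")
REAL_DOMAIN = "eff.org"
BRAND_STRING = "electronicfrontier"

# Constructed sample proxy log lines (not real traffic): "<timestamp> <client> <url> <status>"
SAMPLE_LOG = """\
2015-08-27T10:01:02Z 10.0.0.15 http://eff.org/issues/privacy 200
2015-08-27T10:02:11Z 10.0.0.21 http://electronicfrontierfoundation.org/url/483921/Go.class 200
2015-08-27T10:02:12Z 10.0.0.21 http://electronicfrontierfoundation.org/url/483921/App.class 200
2015-08-27T10:03:45Z 10.0.0.33 http://www.eff.org/ 200
2015-08-27T10:04:00Z 10.0.0.40 http://electronicfrontierfoundation.org/ 200
2015-08-27T10:05:30Z 10.0.0.52 http://electronicfrontier-foundation.net/donate 200
"""


def is_real_eff(host):
    """True for eff.org itself and any of its subdomains."""
    return host == REAL_DOMAIN or host.endswith("." + REAL_DOMAIN)


def classify(url):
    """Return a reason string if the URL matches an indicator, else None.

    Reasons, from most to least specific:
      java-applet-loader   known bad domain + the Go.class/App.class sub-page pattern
      impersonating-domain the known bad domain, any other path
      brand-lookalike      another host carrying the brand string but not eff.org
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host == MALICIOUS_DOMAIN or host.endswith("." + MALICIOUS_DOMAIN):
        if APPLET_PATH_RE.match(parsed.path):
            return "java-applet-loader"
        return "impersonating-domain"
    if BRAND_STRING in host and not is_real_eff(host):
        return "brand-lookalike"
    return None


def scan(log_text):
    """Return (timestamp, client, url, reason) for every flagged log line."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crashing the scan
        ts, client, url, _status = parts[:4]
        reason = classify(url)
        if reason:
            hits.append((ts, client, url, reason))
    return hits


def clients_by_reason(hits):
    """Group flagged client IPs by reason so the loader hits can be triaged first."""
    grouped = {}
    for _ts, client, _url, reason in hits:
        grouped.setdefault(reason, set()).add(client)
    return grouped


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Hosts that fetched a class file under the sub-page pattern are the ones most likely to have run the applet and should be triaged before those that only touched the domain's front page.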

The malicious domain and the malware (named Sednit) have been found to share many commonalities with other attacks under the ‘Pawn Storm’ banner. On Windows systems, Sednit installs and runs a DLL file and connects it to a command and control server, through which the attacker then executes malicious programs, such as keyloggers, on the system.

Some cyber-security researchers have noted that Pawn Storm attacks use custom malware and have targets strikingly similar to those of the Sednit and Sofacy malware campaigns initiated by Advanced Persistent Threat group 28 (APT28). APT28 has previously been linked to the Russian government in a paper by the security firm FireEye, which compared the sophistication of the attacks and the choice of victims to arrive at that conclusion.

Although the victims of the EFF attack are not yet known, APT28’s previous breaches were against U.S. defence contractors, White House staff members, Russian journalists and NATO officials.

Since the exploit was discovered, the domain has been reported and the bug has been patched by Oracle’s updates. Still, this attack is a harsh reminder to be wary of phishing emails and to improve our personal security.

So, it’s eff.org, NOT electronicfrontierfoundation.org.
