Security researchers at FireEye have revealed a link between a recent spear phishing campaign on Malaysian Airlines flight MH370 and the attacks conducted by some advanced persistent threat (APT) attackers. The mysterious skyjacking of the Boeing 777-200 aircraft of Malaysian Airlines, flight MH370, is considered one of the events that most of all has attracted the media attention, for this reason, hackers have exploited the story for illicit activities. It’s a common practice in the criminal ecosystem to take advantage of such kind of events, more in general of any public news with high interest. This time the scammers are exploiting the tragedy of the Malaysian Airlines flight MH370 to deceive unaware Internet users. Security experts have already discovered a series of malware-based attacks spread via Facebook which exploiting a social engineering tactic based on the flight MH370 case. In that case, a message was circulating on Facebook inviting users to click on a video which claims that missing Malaysian Airlines flight MH370 has been found in the Bermuda Triangle with its passengers still alive, in reality, victims were redirected to a malicious website used by criminals to serve the malicious code. This week the experts at FireEye discovered that a group of Chinese-based hackers called “admin@338” had sent multiple MH370-themed spear phishing emails, the attackers targeted government officials in Asia-Pacific, it is likely for cyber espionage purpose.
The attackers used the popular Poison Ivy RAT and WinHTTPHelper malware to compromise the computers of government officials. In August 2013 an investigation conducted by FireEye researchers focused on three separate APT campaigns that adopted Poison Ivy RAT, of the three groups, involved one appears to be based in China. The groups were identified by FireEye analyzing the passwords (e.g. admin338, th3bug and menuPass) they use to access the Poison Ivy RAT deployed on a victim’s PC. FireEye analysts documented the Admin@338 group’s activities in a previous paper titled Poison Ivy: Assessing Damage and Extracting Intelligence paper. The spear-phishing campaign against Asian entities isn’t isolated, the Chinese Hacking Group also started another attack against the US-based think tank on 14th March. Also in this last case attackers used a malicious file attached to the email and named “Malaysian Airlines MH370 5m Video.exe”.
” This spear phish contained an attachment that dropped “Malaysian Airlines MH370 5m Video.exe” (MD5: b869dc959daac3458b6a81bc006e5b97). The malware sample was crafted to appear as though it was a Flash video, by binding a Flash icon to the malicious executable.” “In addition to the above activity attributed to the Admin@338 group, a number of other malicious documents abusing the missing Flight 370 story were also seen in the wild.” said FireEye researchers.
Technical details are available on FireEye blog.
(Security Affairs – Spear phishing, Mh370 flight)