A cybercriminal masquerading as a colleague at the World Press Freedom Committee has targeted the head of the Committee to Protect Journalists.
The CPJ stands up for journalists worldwide by publicly revealing abuses of the press and by acting on behalf of imprisoned and threatened journalists.
It publicises and advocates for journalists who’ve been abducted, wounded, attacked, censored, expelled, harassed, imprisoned, killed in retaliation for news coverage, molested via legal means, threatened, or who simply vanish.
The headlines associated with all such assaults on free press are unrelenting, as CPJ’s alerts page clearly shows.
One of the most recent deaths was that of Japanese freelance writer Mika Yamamoto, killed in gunfire while reporting in Aleppo, Syria.
According to CPJ Internet Advocacy Coordinator Danny O’Brien, CPJ executive director Joel Simon’s suspicions were aroused two weeks ago when he received a message with a trivial misspelling in the alleged sender’s name.
The email claimed to come from “Rony Kevin.” That’s close to the name of Rony Koven, who works with the World Press Freedom Committee, a sister organisation also devoted to press freedom.
The originating Yahoo account of course wasn’t Koven’s and had no connection to him, O’Brien wrote last week in a post that outlined details of the targeted attack.
The email was carefully crafted both to appear legitimate and to evade CPJ’s gateway anti-virus software.
Its subject header was “Fw: Journalists arrested in Gambia,” and the content of the message was lifted directly from an alert put out by another free-press group, Article 19.
O’Brien writes that the text of the message promised more information in an attached ZIP file, called “Details,” which was password-protected with the letters “CPJ.”
Fortunately, CPJ staffers are “extremely cautious about opening strange attachments,” O’Brien noted.
The mail was quarantined and examined in a safe computing environment.
There, O’Brien found that the ZIP file contained a text copy of the Article 19 article, three photos of Gambian journalists, and a malicious Windows executable disguised as an image that would have run were an intended victim to have clicked on it.
Analysis tools showed that the malware was designed to install in an innocuous spot on the computer and would then run automatically.
The unpacking was run by a standard utility, with comments in Chinese.
O’Brien at that point handed the file over to Morgan Marquis-Boire, a security researcher and security engineer at Google who specializes in Incident Response and who’s also been working with the Electronic Frontier Foundation around issues of Syrian suppression of dissidents.
The researcher found that the executable was, in fact, malware that communicated with a computer located in Indonesia.
Mailing the Indonesian operators got O’Brien no response, so, for now, he writes, “the trail has run cold.”
Neither the use of Chinese language in the executable nor the location of the command-and-control center is helpful in tracking down the phishers, O’Brien notes:
The Chinese language in the executable means that this malware has come from a toolkit that used Chinese elements. There are plenty of Russian and Chinese tools floating around the international computer underground, however. You might not need to speak Chinese to use a piece of software with Chinese comments embedded within it, so I don't think you can draw many conclusions from that.
Neither can you draw much from the use of an Indonesian command-and-control center. Just because the first stop for information sent from the infected computer is Jakarta, that doesn't mean that it's the final destination. That machine is undoubtedly an innocent system, taken over remotely by the attackers, and used as a convenient middleman for their activities.
Who would specifically target such groups? Who benefits from planting malware on the computers of organisations that work to defend journalists and free press?
As O’Brien noted, the attacker left little in the way of identifying traces, so we can’t jump to the conclusion that it was repressive regimes or other state actors – although it’s tempting to do so, given how hard it is to imagine who else might profit.
He writes:
There's nothing that shouts state actors here, except perhaps for the target. There aren't many other reasons to spend time specifically targeting press freedom groups, unless you are able to sell control of their computers to a third party who cares to disrupt or monitor their activities.
As O’Brien says, encryption of the ZIP file was a smart way to get past rudimentary anti-virus software.
The password on the ZIP file achieved two goals: it both hampered anti-virus software’s attempts to automatically unzip the malicious file, and its personalized nature – the password was “CPJ” – helped the message look genuine.
Had the attachment not in fact been quarantined and dissected by its justifiably wary targets, anti-virus would still likely have caught the malware once it was unzipped and raised alerts.
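The password on the ZIP stopped the gateway from scanning the content, but the entry names and the encryption flag sit in the archive’s central directory, which ZipCrypto does not encrypt. A mail gateway can therefore still triage such an attachment without the password: flag encrypted entries for manual handling, flag executable extensions (including an image extension hiding in front of one), and, where the content is readable, compare the claimed extension against the file’s magic bytes. The following is an added example, not code from the article or from CPJ; the sample archive is constructed in memory to mirror the attachment as described, and the name “photo.jpg.exe” for the disguised executable is an assumption, since the article says only that it was disguised as an image.

```python
import io
import zipfile
from typing import Dict, List, Optional

# Content signatures: Windows PE executables start with "MZ"; images have their own magic bytes.
PE_MAGIC = b"MZ"
IMAGE_MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}
# Extensions Windows will execute when double-clicked.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".dll", ".js", ".vbs"}


def _extensions(name: str) -> List[str]:
    """Return every dotted extension of the base name, lower-cased, e.g. ['.jpg', '.exe']."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]]


def triage_zip(data: bytes, password: Optional[bytes] = None) -> List[Dict]:
    """Inspect every entry of a ZIP archive and return one finding per entry.

    Names and the encryption flag come from the unencrypted central directory,
    so those checks work on a password-protected archive; the content checks
    need the password (or an unencrypted archive).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            exts = _extensions(info.filename)
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose bit 0 = entry is encrypted

            # Name-based checks: executable extension, and an image extension placed before it.
            if exts and exts[-1] in EXEC_EXTENSIONS:
                reasons.append("executable extension")
                if len(exts) >= 2 and exts[-2] in IMAGE_MAGIC:
                    reasons.append("image extension masking an executable")

            # Content-based checks: only possible when the entry can be decrypted.
            if encrypted and password is None:
                reasons.append("encrypted entry, content not scannable without the password")
            else:
                try:
                    with zf.open(info, pwd=password) as fh:
                        head = fh.read(8)
                except RuntimeError:  # zipfile raises RuntimeError on a bad password
                    reasons.append("wrong password, content not scannable")
                    head = b""
                if head.startswith(PE_MAGIC):
                    reasons.append("content is a Windows PE executable")
                expected = IMAGE_MAGIC.get(exts[-1]) if exts else None
                if expected is not None and head and not head.startswith(expected):
                    reasons.append("claims to be an image but content does not match")

            findings.append({"name": info.filename, "encrypted": encrypted, "reasons": reasons})
    return findings


def suspicious_entries(data: bytes, password: Optional[bytes] = None) -> List[str]:
    """Names of entries that triggered at least one finding."""
    return [f["name"] for f in triage_zip(data, password) if f["reasons"]]


def build_sample_zip() -> bytes:
    """Constructed sample mirroring the described attachment: a text copy of the
    article, three image files, and a PE-looking file named like an image (the
    name 'photo.jpg.exe' is assumed). Written unencrypted because the standard
    library cannot create ZipCrypto archives; the encryption branch above applies
    unchanged to real mail."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Details/article.txt", "Journalists arrested in Gambia (constructed text)")
        for i in range(1, 4):
            zf.writestr(f"Details/journalist{i}.jpg", IMAGE_MAGIC[".jpg"] + b"\x00" * 64)
        # Only the 'MZ' signature plus padding: enough to trip the check, not a runnable program.
        zf.writestr("Details/photo.jpg.exe", PE_MAGIC + b"\x90" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        status = "FLAG" if finding["reasons"] else "ok  "
        print(status, finding["name"], "; ".join(finding["reasons"]))
```

Run as a script, it flags only the disguised executable and passes the three real JPEGs and the text file. On a password-protected archive the same code reports every entry as unscannable, which is the signal a gateway should act on: an encrypted archive from an unverified sender is held for a human, not delivered on the strength of a clean scan that never happened.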
It’s a lesson for all of us of the need to keep anti-virus up to date and to pay attention to the alerts such programs flash at us.
Of course, the standard “don’t click on attached files from fishy people” advice pertains.
Beyond that, WinZip itself recommends that, to stay safe from viruses distributed via ZIP files, you configure your anti-virus program to run in on-access mode (meaning files are scanned in real time as they are accessed).
Good luck to all of us in avoiding falling prey to the cunning of internet attackers.
In particular, good luck to the journalists whose adversaries rank among the most ruthless, powerful actors in the world.